Key Takeaways
- Approximately $290–293 million was drained from Kelp DAO following a sophisticated attack on RPC nodes connected to LayerZero’s verification system
- According to LayerZero, Kelp DAO disregarded security recommendations to implement multiple verifiers and operated with a vulnerable single-verifier model
- Initial forensic analysis points to North Korea’s notorious Lazarus Group as the perpetrators
- The breach created ripple effects across nine DeFi platforms, with Aave experiencing approximately $6 billion in asset outflows
- LayerZero has announced it will cease supporting any protocols operating with single-verifier configurations
A devastating security breach struck Kelp DAO during the weekend, resulting in the theft of approximately $290–293 million from the liquid restaking platform in what ranks among 2026’s most significant DeFi exploits. LayerZero, the cross-chain infrastructure provider whose technology was involved in the incident, has attributed the vulnerability to Kelp’s infrastructure choices.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
The sophisticated breach exploited the mechanism through which Kelp’s rsETH token transfers across different blockchain networks. Operating with a single-verifier architecture meant only one authority needed to validate cross-chain transfers. According to LayerZero, the company had explicitly cautioned Kelp about this vulnerable configuration and advocated for implementing multiple independent verification sources.
LayerZero: KelpDAO Loses ~$290M in Exploit, Attributed to DPRK’s Lazarus Group
LayerZero reported that on April 18, 2026, KelpDAO suffered an exploit resulting in losses of approximately $290M, preliminarily attributed to DPRK’s Lazarus Group (TraderTraitor). The attack poisoned… pic.twitter.com/mfhQRaC2p9
— Wu Blockchain (@WuBlockchain) April 20, 2026
The perpetrators infiltrated two remote procedure call (RPC) nodes, infrastructure components that enable software to interact with blockchain data. These legitimate nodes were replaced with compromised versions designed to feed fraudulent information to LayerZero’s verification system while appearing normal to all other monitoring tools.
Since LayerZero’s verification infrastructure also consulted untainted external nodes, the attackers launched a coordinated distributed denial-of-service campaign to disable those backup systems. This tactical move redirected all traffic through the compromised infrastructure during a critical window between 10:20 a.m. and 11:40 a.m. Pacific Time on Saturday.
When the automatic failover mechanism activated, the malicious nodes confirmed to the verifier that a legitimate transaction had occurred. This triggered Kelp’s bridge protocol to distribute 116,500 rsETH tokens to addresses controlled by the attackers. Following the successful exploit, the malicious code automatically deleted itself, eliminating forensic evidence from the compromised servers.
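A simplified model of the failure mode described above, added here as an illustration (it is not LayerZero's or Kelp's code): it contrasts first-responder failover with a fail-closed quorum over RPC nodes, and a one-verifier release rule with a two-verifier rule. All names (`RpcNode`, `failover_attest`, `quorum_attest`, `bridge_releases`), node labels and hash values are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class RpcNode:
    name: str
    reachable: bool = True                    # False models a node taken offline by DDoS
    seen: dict = field(default_factory=dict)  # message id -> payload hash the node reports

    def lookup(self, msg_id):
        if not self.reachable:
            raise ConnectionError(self.name)
        return self.seen.get(msg_id)

def failover_attest(nodes, msg_id, payload_hash):
    """Weak pattern: the first node that answers decides."""
    for node in nodes:
        try:
            return node.lookup(msg_id) == payload_hash
        except ConnectionError:
            continue
    return False

def quorum_attest(nodes, msg_id, payload_hash, min_agree):
    """Fail closed: attest only if min_agree nodes independently report the hash."""
    agree = 0
    for node in nodes:
        try:
            if node.lookup(msg_id) == payload_hash:
                agree += 1
        except ConnectionError:
            pass                              # an outage never counts as agreement
    return agree >= min_agree

def bridge_releases(attestations, required):
    """Application rule: release funds only when `required` verifiers attest."""
    return sum(attestations) >= required

def scenario(external_up):
    forged = {"msg-1": "0xforged"}            # constructed: no such source-chain event
    pool = [RpcNode("ext-a", external_up), RpcNode("ext-b", external_up),
            RpcNode("int-1", True, forged), RpcNode("int-2", True, forged)]
    other = [RpcNode("v2-a"), RpcNode("v2-b")]  # second verifier, separate honest nodes
    weak = failover_attest(pool, "msg-1", "0xforged")
    # min_agree must exceed the number of nodes an attacker can poison (2 here)
    strict = quorum_attest(pool, "msg-1", "0xforged", min_agree=3)
    second = quorum_attest(other, "msg-1", "0xforged", min_agree=2)
    return {"failover": weak, "quorum": strict,
            "single_verifier": bridge_releases([weak], 1),
            "two_verifiers": bridge_releases([weak, second], 2)}
```

With the external nodes reachable, the forged message is rejected everywhere; only when they are offline does the failover path attest to it, and only the single-verifier rule then releases funds. The quorum path trades availability for safety: during the outage it refuses to attest at all.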
Cascade Effect Throughout DeFi Ecosystem
The stolen rsETH tokens were strategically deployed as collateral across various lending platforms, enabling the attackers to extract genuine crypto assets. Aave, the dominant decentralized lending protocol, sustained the most substantial damage.
Aave found itself holding illiquid rsETH collateral while valuable assets such as ETH had already been borrowed and transferred away. The protocol’s native token plummeted approximately 15% within 24 hours, while the platform experienced roughly $6 billion in asset withdrawals as panicked users sought to protect their holdings.
A minimum of nine DeFi platforms sustained collateral damage, including Fluid, Compound Finance, SparkLend, and Euler. Cybersecurity firm Cyvers characterized the incident as a “cross-protocol contagion event” rather than a contained security breach.
LayerZero has preliminarily identified North Korea’s Lazarus Group and its specialized TraderTraitor division as the likely culprits. This organization was also implicated in the $285 million Drift Protocol breach on April 1, indicating that Lazarus has extracted over $575 million from DeFi platforms within an 18-day period using distinct attack methodologies.
Industry Response and Future Protocols
LayerZero reports finding no evidence of contamination affecting other applications utilizing multi-verifier security architectures. The company has restored its verification services and declared it will discontinue signing transactions for any platform maintaining a single-verifier framework.
Curve Finance creator Michael Egorov emphasized that the breach demonstrates the inherent risks of relying on a solitary entity for transaction validation. He additionally cautioned against implementing cross-chain technology except when absolutely essential.
Ledger CTO Charles Guillemet predicted that 2026 will “most likely be the worst year in terms of hacks.” Cryptocurrency-related theft losses have already accumulated to $482 million during the first quarter of 2026.
Kelp DAO has remained silent regarding LayerZero’s version of events and has offered no public explanation for continuing to operate a single-verifier configuration after receiving clear security warnings.


