LayerZero says North Korea's Lazarus likely behind Kelp DAO exploit; blames single-point setup
LayerZero said North Korean hacker group Lazarus is likely responsible for the $292 million Kelp DAO exploit.
The April 18 Kelp DAO exploit has triggered a $10 billion outflow from Aave due to concerns over potential bad debt on the protocol.
The total value locked across the DeFi sector fell 7% in the past 24 hours to $86 billion.
2026-04-20 Source: theblock.co

LayerZero has published its key findings on the Kelp DAO exploit, linking the incident to North Korean cyber actors.

On April 18, the LayerZero-powered cross-chain bridge Kelp DAO lost 116,500 rsETH tokens valued at around $292 million, making it the largest DeFi exploit so far this year.

"Preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor," LayerZero wrote in its latest statement.

LayerZero explained that the attacker gained access to the list of RPC nodes used by LayerZero Labs' decentralized verifier network (DVN). DVNs are independent entities that verify cross-chain messages.

The attacker then poisoned two of those RPC nodes, causing them to deliver a fake cross-chain message to the DVN. The attacker launched a DDoS attack against the clean nodes to lead the DVN to rely on the poisoned nodes.

Single point failure

Because Kelp DAO was using a single 1-of-1 DVN setup with no redundancy, the fake message was accepted, allowing the bridge to unlock the token. LayerZero blamed Kelp DAO for choosing to operate with a single-DVN setup.

"Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message," the statement said. "LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration."
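The failure mode described above can be shown with a simplified model. This is an added example, not LayerZero or Kelp DAO code: the function names, node names, payloads and the `min_responses` fail-closed check are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
from collections import Counter

# Constructed sample data: what each RPC node returns for the same packet.
FORGED = b"nonce=7;unlock=116500 rsETH"   # served by the two poisoned nodes
GENUINE = b"nonce=7;no such packet"       # what the source chain really holds
# None = node unreachable (the clean nodes under DDoS).
LABS_RPCS = {"rpc-a": FORGED, "rpc-b": FORGED, "rpc-c": None, "rpc-d": None}
OTHER_RPCS = {"rpc-x": GENUINE, "rpc-y": GENUINE, "rpc-z": GENUINE}

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def dvn_attest(rpc_responses: dict, min_responses: int):
    """Hash one verifier signs, or None if it refuses to sign."""
    seen = [payload_hash(p) for p in rpc_responses.values() if p is not None]
    if len(seen) < min_responses:
        return None                      # fail closed: too few nodes answered
    if len(set(seen)) != 1:
        return None                      # nodes disagree: refuse to sign
    return seen[0]

def message_verified(attestations: list, threshold: int):
    """Hash the bridge accepts: `threshold` verifiers must sign the same one."""
    votes = Counter(a for a in attestations if a is not None)
    if not votes:
        return None
    top, count = votes.most_common(1)[0]
    return top if count >= threshold else None

def run_scenario(dvn_views: list, threshold: int, min_responses: int):
    attestations = [dvn_attest(v, min_responses) for v in dvn_views]
    return message_verified(attestations, threshold)

if __name__ == "__main__":
    forged = payload_hash(FORGED)
    # 1-of-1, verifier signs on whatever nodes still answer: forgery accepted.
    print(run_scenario([LABS_RPCS], 1, 1) == forged)
    # 2-of-2 with an independent verifier on separate nodes: rejected.
    print(run_scenario([LABS_RPCS, OTHER_RPCS], 2, 1))
    # 1-of-1, but the verifier needs 3 responsive nodes: it refuses to sign.
    print(run_scenario([LABS_RPCS], 1, 3))
```

The second and third cases are independent controls: a second verifier with its own RPC nodes stops the forged hash at the bridge, while a minimum-responder rule stops the compromised verifier from signing once its clean nodes are knocked offline.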

Meanwhile, the statement assured that there is "zero contagion" to any other asset or application.

LayerZero wrote that the LayerZero Labs DVN is operational and that all applications under a multi-DVN setup should feel confident to resume operations. Going forward, LayerZero will not sign messages from any apps that use 1/1 DVN configuration, the statement said.

LayerZero is working with multiple law enforcement agencies to further investigate the matter and is actively tracking down the stolen funds, it added.

Impact on Aave

The April 18 attack on Kelp DAO has triggered a ripple effect across the entire sector, sparking a wave of withdrawals from Aave and prompting emergency pauses on multiple protocols.

The bad actor moved the stolen tokens to Aave V3, where the attacker used rsETH as collateral to borrow substantial amounts of WETH, which reportedly created bad debt on Aave. In response, the protocol froze the rsETH markets on both V3 and V4 to contain the risk.

"RsETH has been frozen on Aave V3 and V4, the asset does not have any borrowing power as a measure due to KelpDAO bridge exploit that happened outside of Aave," Aave Founder Stani Kulechov wrote on X. "Both Aave V3 and V4 does not have further exposure to rsETH."

Despite Aave's swift actions, the platform saw a significant outflow of funds.

According to historical data from Aavescan, over $10 billion worth of funds have moved out of Aave since the Kelp DAO exploit, with its total amount supplied plunging to $35.7 billion from $45.8 billion before the attack.

Marc Zeller, the founder of the Aave Chan Initiative and a prominent figure in the Aave ecosystem, urged platform users to quickly withdraw WETH from the protocol, writing, "withdraw now, ask questions later."

Meanwhile, Aave addressed the ongoing concerns by stating that it will explore ways to offset the deficit if the protocol accumulates bad debt.

Structural vulnerabilities

The Kelp DAO exploit has prompted dozens of DeFi protocols to freeze their LayerZero OFT (omnichain fungible token) bridges out of caution. These include major protocols such as Ethena, ether.fi, Tron DAO, Curve Finance, and many others.

DefiLlama data shows that total value locked in DeFi has dropped 7% in the past 24 hours. DeFi TVL currently stands at around $86.3 billion, dropping from $99.5 billion on April 18.

"The Kelp DAO exploit is another reflection of structural vulnerabilities in DeFi, especially in cross-chain infrastructure and the irony of how concentrated critical security layers are," said Min Jung, associate researcher at Presto Research. "From a trust perspective, the timing, following incidents like Drift, is damaging, as users increasingly question whether low yields justify the risk of exploits."

The researcher told The Block that the series of large exploits in DeFi will likely accelerate a move toward tighter risk management and improved architectural design.

