Key Takeaways
- A sophisticated breach drained approximately $290–293 million from Kelp DAO through compromised RPC infrastructure linked to LayerZero’s verification system
- According to LayerZero, Kelp DAO disregarded security recommendations to implement multiple verifiers, opting instead for a vulnerable single-verifier architecture
- Initial forensic analysis points to North Korea’s Lazarus Group as the likely perpetrator
- The breach created ripple effects across nine decentralized finance platforms, with Aave experiencing a $6 billion asset decline
- LayerZero has announced it will terminate support for all projects operating with single-verifier configurations
In what stands as one of 2026’s most significant decentralized finance security failures, Kelp DAO experienced a devastating weekend breach that saw approximately $290–293 million siphoned from its liquid restaking infrastructure. LayerZero, the cross-chain messaging protocol utilized during the incident, has attributed the vulnerability to Kelp’s internal security architecture.
The exploitation centered on the cross-chain transfer mechanism for Kelp’s rsETH token. The protocol operated using a single-verifier framework, creating a critical point of failure where only one entity validated inter-blockchain transactions. According to LayerZero, the company had explicitly cautioned Kelp against this configuration and advocated for implementing multiple independent verification sources.
The threat actors infiltrated two remote procedure call (RPC) nodes, the server infrastructure that enables applications to interact with blockchain data. These legitimate nodes were replaced with compromised versions that fed fraudulent data to LayerZero’s validator while appearing normal to all other monitoring systems.
Since LayerZero’s validation mechanism cross-referenced uncompromised external nodes, the attackers launched a distributed denial-of-service campaign to disable those backup systems. This maneuver redirected network traffic through the malicious nodes during a critical 80-minute window on Saturday between 10:20 a.m. and 11:40 a.m. Pacific Time.
When the failover mechanism activated, the corrupted nodes authenticated a fabricated transaction. Kelp’s bridge protocol subsequently released 116,500 rsETH tokens to the attackers’ wallets. The malicious code then executed a self-destruct sequence, erasing all evidence from the compromised servers.
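The failure mode described above, as an added example that is not LayerZero's or Kelp's code: a simplified Python model in which a verifier that fails over to whichever source still answers accepts a forged attestation once the healthy sources are unreachable, while an M-of-N check across independent operators fails closed. All names (`Source`, `failover_verify`, `quorum_verify`) and the sample data are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional

class SourceDown(Exception):
    """The source did not answer (for example, it is being flooded)."""

@dataclass
class Source:                        # hypothetical model of one RPC-backed input
    operator: str                    # independent failure domain
    fetch: Callable[[str], Optional[str]]  # msg id -> payload hash, None if absent

def failover_verify(msg_id, sources):
    """Weak: trust whichever single source answers first."""
    for src in sources:
        try:
            return src.fetch(msg_id)
        except SourceDown:
            continue
    return None

def quorum_verify(msg_id, sources, threshold):
    """Fail closed: accept only a hash reported by >= threshold operators."""
    votes = {}
    for src in sources:
        if src.operator in votes:
            continue                 # one vote per operator, however many nodes
        try:
            votes[src.operator] = src.fetch(msg_id)
        except SourceDown:
            continue                 # unreachable source = missing vote, not a pass
    tally = Counter(h for h in votes.values() if h is not None)
    if not tally:
        return None
    value, count = tally.most_common(1)[0]
    return value if count >= threshold else None

# Constructed sample data: one real message on the source chain.
CHAIN = {"msg-1": "hash-real"}
honest = CHAIN.get                   # reports only what is on the chain
poisoned = lambda msg_id: "hash-forged"   # attests to any message id

def down(msg_id):
    raise SourceDown()

def scenario(healthy_fetch):
    """Two healthy operators first, then two nodes run by one poisoned operator."""
    return [Source("op-b", healthy_fetch), Source("op-c", healthy_fetch),
            Source("op-a", poisoned), Source("op-a", poisoned)]
```

With the healthy sources down, `failover_verify("msg-fake", scenario(down))` returns the forged hash, while `quorum_verify("msg-fake", scenario(down), 2)` returns `None` because the two poisoned nodes count as a single operator.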
Cascading Impact Throughout the DeFi Ecosystem
The stolen rsETH tokens were strategically deployed as collateral across multiple lending platforms to extract genuine digital assets. Aave, the dominant decentralized lending marketplace, absorbed the most severe consequences.
Aave found itself holding essentially worthless rsETH collateral while borrowers had already withdrawn liquid assets like ETH. The protocol’s native token plummeted approximately 15% within a 24-hour period, triggering a panic withdrawal of roughly $6 billion as participants scrambled to protect their holdings.
The contamination extended to at least nine different DeFi protocols, including Fluid, Compound Finance, SparkLend, and Euler. Cybersecurity firm Cyvers characterized the incident as a “cross-protocol contagion event” that went beyond a simple isolated breach.
LayerZero has established preliminary connections linking this attack to North Korea’s Lazarus Group and its specialized TraderTraitor division. This same cybercriminal organization was implicated in the $285 million Drift Protocol compromise on April 1, suggesting Lazarus has extracted over $575 million from DeFi platforms within an 18-day span using two distinct attack vectors.
Industry Response and Future Safeguards
LayerZero reports discovering no evidence of contamination spreading to applications employing multi-verifier architectures. The company has restored its verification service to operational status and declared it will cease signing transactions for any project maintaining a single-verifier configuration.
Curve Finance creator Michael Egorov emphasized that this breach demonstrates the inherent risks of relying on solitary verification sources for transaction authentication. He further cautioned against utilizing cross-chain infrastructure except when absolutely essential.
Ledger’s Chief Technology Officer Charles Guillemet predicted that 2026 will “most likely be the worst year in terms of hacks.” Cryptocurrency-related security breaches have already accumulated $482 million in losses during the first quarter of 2026.
Kelp has not issued any public statement addressing LayerZero’s version of events or provided justification for continuing to operate a single-verifier system after receiving explicit security warnings.



