Kelp DAO Hack Update: LayerZero and Kelp Trade Blame

LayerZero said the attack involved compromised RPC nodes and criticized Kelp DAO’s 1-of-1 DVN setup as a single point of failure. Kelp responded that the configuration was LayerZero’s documented default and had previously been confirmed as appropriate. 

Kelp Rejects LayerZero Claims

Kelp DAO responded to criticism after the $292 million exploit that struck its LayerZero-powered cross-chain bridge over the weekend, and downplayed claims that it was solely responsible for the incident. The April 18 attack resulted in the loss of 116,500 rsETH tokens, which makes it the largest decentralized finance exploit recorded so far this year.

According to LayerZero, the attacker — believed to be linked to North Korea’s Lazarus Group — gained access to a list of RPC nodes used by LayerZero Labs’ decentralized verified network (DVN). The hackers allegedly poisoned two RPC nodes and then launched a distributed denial-of-service attack, which allowed the DVN to validate a fraudulent cross-chain message. This fake message was then used to authorize an illegitimate transaction that drained funds from Kelp DAO’s bridge.

LayerZero openly criticized Kelp DAO’s use of a 1-of-1 DVN configuration, and argued that it created a dangerous single point of failure because no independent verifier existed to challenge suspicious activity. The company added that it previously communicated best practices around validator diversification and claimed Kelp DAO chose not to adopt them.

Kelp DAO rejected that narrative in a statement that was posted Monday, and said the 1-of-1 DVN model was the default configuration outlined in LayerZero’s own documentation for new OFT deployments. Kelp added that it operated on LayerZero infrastructure since January of 2024 and maintained regular communication with the LayerZero team. It further stated that when the configuration was reviewed during its expansion to Layer 2 networks, the setup was explicitly confirmed as appropriate at the time.

The protocol said its immediate response measures, including pausing affected contracts and blacklisting wallets tied to the attacker, helped contain further damage. It added that it is now reviewing options to safely resume operations.

The impact also spread to Aave after the exploiter deposited a big amount of stolen rsETH into Aave V3 as collateral, then borrowed large amounts of WETH and wstETH. Aave warned this could create bad debt depending on how losses are allocated. 

Despite the risk, Aave said its DAO maintains a strong balance sheet with $181 million in assets and has received commitments from ecosystem participants to help support the protocol if necessary.