Kelp DAO: LayerZero says 1/1 DVN setup enabled $292M exploit

On April 18, 2026, Kelp DAO’s LayerZero-powered cross‑chain bridge was drained for 116,500 rsETH — roughly $292 million — in a high‑profile DeFi exploit. LayerZero’s preliminary findings point to the protocol’s use of a one‑of‑one Decentralized Verifier Network (DVN) configuration as the structural weakness that allowed the forged cross‑chain instruction to be accepted.

Early technical reconstructions indicate the attacker compromised RPC nodes used by LayerZero’s DVN, injected a forged message and simultaneously suppressed legitimate nodes via traffic interference so the DVN would rely on the poisoned endpoints. Because Kelp operated a single‑verifier setup with no independent redundancy, the malicious packet passed validation and the bridge released inventory to an attacker‑controlled address. Kelp subsequently paused rsETH contracts and began coordinating with LayerZero and external auditors.

The stolen rsETH was routed into lending venues where it was posted as collateral and used to borrow wrapped ether (WETH), forcing Aave and other lenders to freeze rsETH markets to limit contagion. Aave’s risk stewards announced emergency parameter changes and market freezes; the protocol’s total value locked contracted by several billion dollars as users withdrew liquidity amid uncertainty.

LayerZero also signalled a likely attribution to DPRK‑linked Lazarus actors, noting operational indicators consistent with the group’s prior campaigns and announcing a policy change to refuse signing messages for any applications that remain on a 1/1 DVN configuration. The statement underlines a growing consensus that misconfigured middleware and insufficient verifier diversity — rather than a single smart‑contract bug — can produce systemic risk in modular DeFi stacks.

Market commentators expect immediate governance discussions at Aave and Kelp over loss allocation, reserve usage and potential compensation. Longer term, the industry will likely accelerate mandatory DVN diversification, strengthen third‑party node hygiene, and increase on‑chain proofing of cross‑chain messages to reduce similar single‑point failures in interoperable protocols.