TL;DR:
- KelpDAO suffered an exploit for approximately $290 million on April 18, 2026, with funds drained primarily through Ethereum and Arbitrum.
- LayerZero attributed the attack to North Korea’s Lazarus Group and confirmed the incident was isolated to KelpDAO’s rsETH configuration.
- The vulnerability originated in the 1-of-1 DVN configuration used by the protocol, contrary to LayerZero’s redundancy recommendations.
The liquid restaking protocol KelpDAO suffered an exploit on April 18, 2026, for approximately $290 million, with funds extracted through Ethereum and Arbitrum. The first forensic traces identified multiple attack addresses funded through Tornado Cash, which reduced tracking possibilities from the outset and confirmed this was a highly coordinated operation.
LayerZero issued an official statement attributing the attack to the Lazarus Group of North Korea, specifically to the unit known as TraderTraitor. According to LayerZero, which provides the cross-chain messaging infrastructure, the exploit did not occur at the protocol level. It was carried out through an RPC poisoning attack, in which the attackers compromised two independent nodes that the DVN operated by LayerZero Labs relied on to verify transactions. To complete the attack, they launched DDoS attacks against the uncompromised nodes, forcing traffic to be rerouted toward the malicious infrastructure.
— LayerZero (@LayerZero_Core) April 20, 2026
The Trap of the 1-of-1 Configuration
LayerZero's statement centers on a configuration decision made by KelpDAO. The rsETH protocol operated with a 1-of-1 DVN setup, using LayerZero Labs as the sole verifier, in clear contradiction of public and private multi-DVN redundancy recommendations. LayerZero confirmed having communicated these best practices to the KelpDAO team prior to the incident. A configuration with multiple independent verifiers would have required consensus across them to validate any message, making this type of attack infeasible even with a compromised node.
LayerZero confirmed there was no contagion to any other asset or application integrated into the protocol. All OApps and OFTs with multi-DVN configurations are operating without interruption. The LayerZero Labs DVN was restored and the team announced it will not sign messages from applications that maintain 1-of-1 configurations.
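The difference between the 1-of-1 setup and a multi-DVN setup described above can be shown with a small quorum model. This is an added example, not LayerZero's or KelpDAO's code: the `DvnConfig` fields, the DVN names and the payload hashes are hypothetical, and it assumes the verifiers are independent, meaning they do not share RPC nodes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DvnConfig:
    """Hypothetical, simplified model of one pathway's verifier set."""
    required: tuple = ()         # every DVN listed here must attest
    optional: tuple = ()         # pool that the threshold draws from
    optional_threshold: int = 0  # how many optional DVNs must also attest

    def optional_pool(self):
        return set(self.optional) - set(self.required)

def quorum_size(cfg):
    """Number of distinct DVNs that must agree before a message is accepted."""
    return len(set(cfg.required)) + cfg.optional_threshold

def audit(cfg):
    """Return findings for configurations that lack verifier redundancy."""
    findings = []
    if cfg.optional_threshold > len(cfg.optional_pool()):
        findings.append("optional threshold exceeds the optional DVN pool")
    if quorum_size(cfg) < 2:
        findings.append("fewer than two DVNs must agree: single point of failure")
    return findings

def is_verified(cfg, payload_hash, attestations):
    """attestations maps DVN name -> payload hash that DVN signed off on."""
    agree = {dvn for dvn, h in attestations.items() if h == payload_hash}
    if not set(cfg.required) <= agree:
        return False
    return len(agree & cfg.optional_pool()) >= cfg.optional_threshold

# Constructed scenario: dvn-a reads from poisoned RPC nodes and attests a
# message that never existed on the source chain; the other DVNs do not.
FORGED = "0xforged-payload-hash"    # placeholder, not a real hash
GENUINE = "0xgenuine-payload-hash"  # placeholder, not a real hash
ONE_OF_ONE = DvnConfig(required=("dvn-a",))
MULTI = DvnConfig(required=("dvn-a", "dvn-b"),
                  optional=("dvn-c", "dvn-d"), optional_threshold=1)
POISONED = {"dvn-a": FORGED}
HONEST = {"dvn-a": GENUINE, "dvn-b": GENUINE, "dvn-c": GENUINE}

if __name__ == "__main__":
    for name, cfg in (("1-of-1", ONE_OF_ONE), ("multi-DVN", MULTI)):
        print(name, "audit:", audit(cfg) or "ok")
        print(name, "accepts forged message:", is_verified(cfg, FORGED, POISONED))
        print(name, "accepts genuine message:", is_verified(cfg, GENUINE, HONEST))
```

Running `audit` over every pathway an application has configured, and failing a deployment check on any finding, turns the redundancy recommendation into something enforced rather than advised.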
The KelpDAO Exploit Tests the Entire DeFi Infrastructure
Beyond the amount stolen, the incident exposes a clear structural tension within the cross-chain DeFi ecosystem. The security of an interoperable protocol no longer depends solely on the quality of its own code, but on every configuration decision made by those who integrate it. When one of those decisions fails under a sophisticated state-level attack, the damage is also measured in trust: in the restaking layer, in the messaging infrastructure, and in the Ethereum ecosystem as a whole.
LayerZero indicated it is in contact with multiple law enforcement agencies at the global level and is actively collaborating with industry researchers and Seal911 to track the funds.






