KelpDAO rsETH Hack: $290M Drained via LayerZero DVN, $175M Moved

KelpDAO lost approximately $290 million in rsETH on April 18, 2026, after attackers forged a cross-chain message on a single-verifier LayerZero route, and on-chain data shows the exploiter consolidated and began fragmenting $175 million in ETH across new wallets on April 21. The KelpDAO rsETH exploit is now the largest DeFi incident of 2026, surpassing the $285 million Drift exploit from April 1. At ETH's current price of roughly $2,398, the 116,500 rsETH drained represents about 18% of the token's circulating supply.

The incident has reignited debate over single-DVN bridge configurations and exposed a deeper disagreement between KelpDAO and LayerZero Labs over who is accountable when default settings fail. (A DVN, or Decentralized Verifier Network, is the LayerZero component that attests cross-chain messages are valid before the destination chain releases funds.)

Inside the LayerZero DVN Vulnerability

LayerZero attributes the breach to North Korea's TraderTraitor, a Lazarus Group subunit, which allegedly compromised two RPC nodes and DDoS'd a third to trigger failover to poisoned infrastructure. The forged message released 116,500 rsETH from Ethereum bridge inventory without a matching burn on Unichain, according to LayerZero's incident report.

LayerZero says the rsETH path used a 1-of-1 DVN configuration — with LayerZero Labs as sole verifier — against its documented multi-DVN recommendation. In its post-mortem, the firm wrote: "A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised."

KelpDAO counters that the 1-of-1 setup is the default shipped for new OFT (Omnichain Fungible Token) deployments and was affirmed during Kelp's L2 expansion. A source close to the protocol told CoinDesk that the compromised infrastructure was built and run by LayerZero, not Kelp, and that the firm's public documentation promoted single-source verification across major chains. Source-side nonce 307 never advanced on Unichain, while Ethereum accepted nonce 308 — confirming the destination release was unbacked.

Lazarus Group Crypto Hack: Fund Flows and the Arbitrum Security Council Freeze

Blockchain analytics firms tracked the attacker consolidating proceeds into a hub wallet, which on April 21 moved 75,700 ETH — roughly $175 million — across two newly created addresses. Per PeckShield's tracking, approximately 50,700 ETH ($117.48M) went to 0xABc8…36FAD and 25,000 ETH ($57.93M) went to 0xF980…15910, with the latter now fragmenting across multiple downstream addresses. On-chain sleuth ZachXBT and Arkham data confirmed the laundering activity had begun, with funds being bridged to Bitcoin via Thorchain, Umbra Cash, and Chainflip in small batches.

The attacker also used the stolen rsETH as collateral on Aave V3. According to Aave Labs' incident report, 89,567 rsETH was deposited on the protocol, backing roughly 82,650 WETH and 821 wstETH in borrowed assets across Ethereum Core and Arbitrum — a drain of approximately $190 million in real liquidity. A follow-on attempt targeting ~40,000 rsETH was blocked after Kelp paused contracts and blacklisted recipient addresses 46 minutes into the attack.

Arbitrum's Security Council has frozen 30,766 ETH (worth about $71 million) held on-chain by the exploiter before a native bridge withdrawal could complete, moving the funds to a protocol-controlled address that can only be accessed through further governance action.

LayerZero Labs said it will no longer attest messages for any OApp running a 1-of-1 configuration. Kelp is coordinating with Aave and LayerZero on unpausing and impact assessment, while the still-open leveraged positions on Aave leave protocol-level liquidation exposure unresolved. Aave Labs' own modeling puts the potential bad debt at anywhere from $124 million to $230 million depending on how Kelp allocates the shortfall across rsETH holders.