KelpDAO, a liquid restaking protocol backed by CZ’s family office YZi Labs, suffered a $290 million hack. The attacker drained rsETH through KelpDAO’s LayerZero-powered cross-chain bridge, risking contagion to other DeFi protocols such as Aave. However, Layer Zero blames North Korea’s Lazarus Group and Kelp’s security choices for the exploit.
North Korea’s Lazarus Group Likely Behind KelpDAO Hack: LayerZero
LayerZero Labs attributed the KelpDAO hack to North Korea’s Lazarus Group, specifically TraderTraitor, in a blog post on April 20. The hacking group has a long history of targeting crypto projects, including the $280 million Drift protocol hack.
Moreover, it highlighted that the hack succeeded because KelpDAO chose to use a single-decentralized verifier network (DVN) configuration. The company noted that it and other parties previously recommended KelpDAO adopt a multi-verifier setup for better security.
Hackers targeted KelpDAO’s bridge setup by compromising downstream RPC nodes used by LayerZero’s DVN to verify transactions. Attackers compromised two RPC nodes and launched DDoS attacks on the uncompromised RPCs to drain $290 million in rsETH tokens.
“This was carefully designed to prevent any security monitoring from noticing anomalies from what external RPCs were reporting, said LayerZero. “It was designed to self-destruct once the attack could no longer be performed, disabling the RPCs, deleting the malicious binary and corresponding local logs and configs,” it added.
LayerZero maintained that its protocol itself had no inherent vulnerabilities. The KelpDAO hack exploited the liquid restaking protocol’s setup choices.
DVN Is Now Live with Zero Contagion to Other Crypto Tokens
LayerZero confirmed that there is zero contagion to any other cross-chain assets or applications. All affected RPC nodes are now deprecated and replaced, stating the “LayerZero Labs DVN is now live.”
It recommends that all applications with a multi-DVN setup resume operations. The protocol team is currently asking all to migrate to multi-DVN setups with redundancy.
However, the KelpDAO hack has triggered contagion effects across DeFi. This has increased bad debt on Aave and led to a sharp drop in Aave’s total value locked (TVL).
Aave Founder Stani Kulechov said “rsETH has been frozen on Aave V3 and V4. Both Aave V3 and V4 do not have further exposure to rsETH.”
rsETH has been frozen on Aave V3 and V4, the asset does not have any borrowing power as a measure due to KelpDAO bridge exploit that happened outside of Aave. Both Aave V3 and V4 does not have further exposure to rsETH. https://t.co/vt8j1BOUjB
— Stani (@StaniKulechov) April 18, 2026
AAVE price crashed more than 20% in the past two days, currently trading at $92.40. The 24-hour low and high are $89.08 and $94.05, with a 15% decline in trading volume.
If you are looking to capitalize on low prices in current crypto market conditions, check out our narrowed-down recommendations for the Best DeFi Lending Platforms.
Source: https://coingape.com/kelpdao-hack-layerzero-blames-north-korea-lazarus-and-kelp-poor-security/