LayerZero's post-mortem pins the largest DeFi exploit of 2026 on KelpDAO's single-verifier bridge configuration, but Kelp says it was using LayerZero's own defaults. North Korea's Lazarus Group has been attributed as the attacker.
LayerZero published its post-mortem on the $292 million KelpDAO exploit on Sunday and pointed the finger squarely at Kelp's bridge configuration — a setup it says it had warned against months ago.
The April 18 attack drained 116,500 rsETH from Kelp's cross-chain bridge, making it the single largest decentralised finance exploit of 2026 and pushing April's total hack losses past $606 million. LayerZero, whose messaging protocol underpinned the bridge, attributed the breach with what it called "preliminary confidence" to North Korea's Lazarus Group — specifically its TraderTraitor subunit, the same outfit behind the $1.4 billion Bybit theft in February 2025 and the Drift Protocol exploit earlier this month.
The technical details paint a sophisticated attack. Hackers compromised two of the RPC nodes that LayerZero's Decentralised Verifier Network relied on to confirm cross-chain transactions, replacing the nodes' software with malicious versions that reported false transaction data to the verifier while feeding accurate information to every other observer. A simultaneous DDoS attack forced a failover that routed verification through the compromised nodes — keeping the manipulation invisible to LayerZero's own monitoring systems until after the funds had moved.
LayerZero's statement was unambiguous about where it believes responsibility lies. The exploit was "isolated entirely to KelpDAO's rsETH configuration as a direct consequence of their single-DVN setup," the company wrote, adding that Kelp had been running a single LayerZero DVN as the only verification path for its bridge. That configuration, LayerZero argued, created a single point of failure that no amount of protocol-level security could compensate for.
Kelp fired back within hours. In its own statement, the protocol disputed the characterisation, arguing that the single-verifier setup relied on LayerZero's own infrastructure and default settings rather than an outlier configuration chosen against advice. Kelp's position — that it followed the path of least resistance built into LayerZero's tooling — challenges the notion that bridge operators bear sole responsibility for security decisions baked into the messaging layer they depend on.
The dispute exposes a deeper structural problem in cross-chain infrastructure. Modular security — the principle that bridge operators can customise their verification requirements using interchangeable components — has been one of LayerZero's selling points. But modularity cuts both ways; when operators choose the cheapest or simplest configuration, the consequences fall on depositors who had no say in the architecture. Kelp's users deposited funds into a protocol that appeared to use LayerZero's battle-tested infrastructure without knowing that a single compromised verification path could drain the entire bridge.
The fallout has spread well beyond Kelp itself. Aave, which held a significant portion of the stolen rsETH as collateral, has seen $8.45 billion in deposits exit over 48 hours. Total value locked across DeFi fell from $99.5 billion to $86.3 billion — a $13.2 billion wipeout in two days — as depositors on platforms from Euler to Sentora scrambled to withdraw before contagion could spread further. Roughly $196 million in Aave-specific bad debt remains concentrated in the rsETH–wrapped ether pair on Ethereum's mainnet.
The Lazarus attribution, if confirmed, would make April 2026 the most active month for North Korean crypto theft on record. Between the Drift Protocol breach on April 1 and now the Kelp exploit, state-backed hackers have extracted more than $575 million in a single month. The US Treasury's Office of Foreign Assets Control has previously sanctioned Lazarus-linked wallets, but the group has consistently demonstrated an ability to launder stolen funds through chain-hopping and mixers faster than enforcement agencies can freeze them.
Neither LayerZero nor KelpDAO has announced a compensation plan for affected depositors. LayerZero's statement made clear it considers the exploit a consequence of Kelp's choices; Kelp's response suggested the opposite. The $292 million sits somewhere between the two, and the users who lost it are caught in the middle of a finger-pointing exercise that — whatever its outcome — will not return their funds.
