KelpDAO exploit drains $292M exposing LayerZero bridge risk

A critical vulnerability in KelpDAO's cross-chain bridge infrastructure powered by LayerZero led to a $292 million exploit on April 18, creating unbacked rsETH tokens and triggering a liquidity crisis on the Aave lending protocol.

The coordinated response signals that the ecosystem is "moving beyond isolated protocols to a more coordinated financial system," but the focus should remain on accountability, Matthew Pinnock, COO at Altura DeFi, told Decrypt.

Attackers, believed to be North Korea's Lazarus Group, compromised LayerZero's single-verifier network by poisoning internal RPC nodes to report a phantom burn of assets, according to a Chainalysis report. This allowed the unauthorized minting of 116,500 rsETH on Ethereum.

The incident has wiped out over $15 billion in TVL from affected protocols and sparked a massive, coordinated recovery effort from top DeFi players, while raising serious questions about the security and centralization of cross-chain bridge architecture.

DeFi Unites for Recovery

In response to the shortfall, a coalition of protocols branded "DeFi United" is mobilizing to absorb the bad debt. The effort includes a personal 5,000 ETH pledge from Aave founder Stani Kulechov and a proposal from Mantle for a 30,000 ETH credit facility to the Aave DAO. Lido Finance, Golem Foundation, and Ether.fi have also committed millions in support. The Arbitrum Security Council, working with law enforcement, successfully froze 30,766 ETH, worth approximately $71.5 million, linked to the exploiter's downstream addresses.

A Question of Configuration

The incident's fallout has been compounded by questions regarding LayerZero's security posture. Ripple CTO David Schwartz highlighted a December 2024 statement from LayerZero CEO Bryan Pellegrino, who claimed that "0%" of the protocol's volume relied solely on a single Decentralized Verifier Network (DVN). "Did something change between December of 2024 and now?" Schwartz questioned, implying the attack may not have happened as described or that earlier security claims were inaccurate. LayerZero maintains the exploit was isolated to KelpDAO's specific single-DVN setup.

This article is for informational purposes only and does not constitute investment advice.