KelpDAO blames LayerZero infrastructure for $292M rsETH hack, shifts to Chainlink CCIP
Kelp says the exploit originated from LayerZero operated infrastructure, while LayerZero says the attack was tied to Kelp’s single DVN setup.
Share
Add us on Google by Estefano Gomez May. 5, 2026KelpDAO said LayerZero approved the bridge configuration later blamed for the $292 million rsETH exploit, escalating a dispute over responsibility for one of DeFi’s largest cross chain security failures this year.
The dispute centers on the April 18 exploit that drained about 116,500 rsETH from KelpDAO’s LayerZero bridge. Chainalysis said the attack was not a smart contract hack, but an attack on offchain infrastructure in which attackers compromised internal RPC nodes and used false data to trick a 1 of 1 DVN setup into releasing funds against a nonexistent burn.
LayerZero said in its incident statement that the exploit was isolated to KelpDAO’s rsETH configuration and resulted from its single DVN setup. The company said preliminary indicators pointed to a sophisticated state actor, likely North Korea’s Lazarus Group.
Kelp pushed back on that framing, saying the 1 of 1 setup was not unique to Kelp and was widely used across LayerZero integrations. The team said LayerZero’s own documentation and direct guidance pointed builders toward setups using LayerZero Labs as the required DVN, with no optional DVNs configured.
The protocol also said it stopped additional damage by pausing contracts after detecting the exploit. Chainalysis said Kelp’s intervention blocked a second $95 million theft, while the Arbitrum Security Council later froze more than 30,000 ETH tied to the attacker’s downstream funds.
The fallout spread across DeFi because the attacker deposited stolen rsETH as collateral across major lending markets. Galaxy Research said the exploiter borrowed about $236 million in WETH and wstETH, while Aave froze rsETH, wrsETH, and WETH markets across deployments as liquidity stress intensified.
Kelp said it is migrating rsETH cross chain transfers from LayerZero’s OFT standard to Chainlink CCIP, framing the move as part of a broader security hardening effort after the exploit.
Disclosure: This article was edited by Estefano Gomez. For more information on how we create and review content, see our Editorial Policy.
