LayerZero Blames Kelp's Single-Verifier Setup for $290M Exploit, Attributes to North Korea's Lazarus Group

VADODARA, April 20, 2026. The following report is based on currently available verified source material and market data.

Hook Paragraph

Data Summary

The exploit resulted in the theft of 116,500 rsETH, valued at approximately $290 million. According to LayerZero's analysis, the attack occurred between 10:20 a.m. and 11:40 a.m. Pacific Time on Saturday, April 18, 2026. The broader DeFi ecosystem has experienced significant fallout, with reports of a $13 billion DeFi wipeout over two days starting with the Kelp attack, and Aave seeing a $6 billion deposit drop. Bitcoin's price has declined 1.63% to $74,336, reflecting market-wide risk aversion.

Why It Matters

Why now? This exploit comes during a period of heightened DeFi vulnerability, with Lazarus Group demonstrating rapid adaptation by executing two structurally different attacks within weeks. The timing coincides with broader market fear sentiment and regulatory scrutiny, amplifying systemic risk concerns.

Who benefits? North Korean state-sponsored actors directly benefit from stolen funds, while security researchers and competing protocols may gain credibility. Kelp DAO users and rsETH holders suffer immediate losses, and the broader DeFi ecosystem faces reputational damage and potential regulatory backlash.

Time horizons: Short-term impacts include immediate fund recovery efforts, protocol migrations away from single-verifier setups, and increased insurance premiums. Long-term implications involve fundamental reassessment of infrastructure security models and potential regulatory intervention targeting cross-chain bridges.

Causal chain: Kelp's 1-of-1 verifier configuration → compromised RPC nodes + DDoS attack → forced failover to malicious nodes → fraudulent transaction approval → bridge releases rsETH to attackers → market contagion and protocol policy changes.

Mechanism Breakdown

The attack exploited infrastructure vulnerabilities rather than protocol code. Attackers compromised two RPC nodes that LayerZero's verifier relied on, replacing their binary software with malicious versions designed to selectively report fraudulent transactions only to LayerZero's verification system while maintaining normal operations for other queries. This selective lying kept the attack invisible to LayerZero's monitoring infrastructure. To ensure the verifier would rely on the compromised nodes, attackers executed a distributed denial-of-service (DDoS) attack on uncompromised external RPC nodes, forcing failover to the poisoned nodes. Once failover occurred, the malicious nodes falsely confirmed a valid cross-chain message, triggering Kelp's bridge to release 116,500 rsETH. The attack software then self-destructed, erasing forensic evidence.

Industry Comparison

The Kelp exploit represents a shift from traditional smart contract vulnerabilities to infrastructure-layer attacks, contrasting with Lazarus Group's previous social engineering attack on Drift Protocol. This evolution highlights several concerning trends:

• Attack Sophistication: Lazarus Group has demonstrated capability across multiple attack vectors within weeks
• Infrastructure Targeting: RPC node compromise represents a new frontier in DeFi security challenges
• Protocol Dependencies: The incident reveals how integrator security choices can create systemic risks
• Market Contagion: Despite LayerZero's claim of "zero contagion," the attack triggered broader DeFi instability

Risks & Counterpoints

LayerZero's attribution of blame to Kelp's configuration choices raises several critical questions about accountability and narrative reliability:

• Protocol Responsibility: While LayerZero claims the protocol worked as designed, questions remain about whether adequate safeguards were built into the verification system itself, particularly given the known risks of single-verifier setups
• Attribution Certainty: LayerZero's "preliminary confidence" in Lazarus Group attribution lacks public evidence, creating uncertainty about whether this represents definitive attribution or strategic narrative positioning
• Contagion Claims: LayerZero's assertion of "zero contagion" contradicts market data showing significant DeFi outflows and price impacts following the exploit, suggesting either incomplete assessment or misleading communication

Future Implications

LayerZero's policy change, refusing to sign messages for any application using 1-of-1 configurations, will force protocol-wide migrations to multi-verifier setups. This represents a fundamental shift in cross-chain security paradigms but raises questions about why such configurations were permitted initially. The incident will likely accelerate insurance product development for infrastructure risks and increase regulatory scrutiny of cross-chain bridges. Security audits may expand beyond smart contract code to include infrastructure dependencies and configuration validation.

Background

LayerZero is a cross-chain messaging protocol that enables communication between different blockchain networks. Kelp DAO is a liquid restaking protocol that allows users to stake Ethereum and receive liquid staking tokens. The relationship between the two protocols involves Kelp using LayerZero's technology for cross-chain operations. Single-verifier configurations have been historically criticized for creating single points of failure in decentralized systems.

Related Developments

The Kelp exploit has triggered broader market reactions and related security incidents:

• Aave experienced a $6 billion deposit drop as the Kelp hack exposed structural risks for DeFi lenders
• Vercel disclosed a security breach that may have exposed customer API keys, prompting crypto projects to rotate credentials
• RaveDAO's RAVE token collapsed 90% in a day as exchange probes widened
• The $13 billion DeFi wipeout over two days started with the KelpDAO attack

Conclusion

The $290 million Kelp exploit represents a significant escalation in DeFi security challenges, demonstrating how infrastructure-layer attacks can bypass traditional smart contract audits. While LayerZero has placed responsibility on Kelp's configuration choices, the incident reveals systemic vulnerabilities in cross-chain messaging protocols and raises questions about protocol accountability. The rapid adaptation of state-sponsored actors like Lazarus Group presents an ongoing threat that requires fundamental reassessment of DeFi security models beyond code audits to include infrastructure hardening and configuration validation.

Frequently Asked Questions

Q1: What exactly was stolen in the Kelp exploit?The attackers stole 116,500 rsETH (restaked Ethereum) valued at approximately $290 million through a fraudulent cross-chain transaction.

Q2: Why did LayerZero blame Kelp rather than their own protocol?LayerZero claims the attack only worked because Kelp used a single-verifier configuration despite explicit recommendations against it, and that the protocol code itself functioned as designed.

Q3: How does this attack differ from previous Lazarus Group exploits?This attack targeted infrastructure RPC nodes through technical compromise, whereas their previous Drift Protocol exploit used social engineering against governance signers, demonstrating adaptive tactics.

Q4: What is LayerZero doing to prevent similar attacks?LayerZero will no longer sign messages for any application using 1-of-1 verifier configurations, forcing migration to multi-verifier setups with consensus requirements.

Q5: Has Kelp DAO responded to LayerZero's claims?Not provided in source data. The article indicates Kelp has not yet publicly responded to LayerZero's framing of the incident.

Q6: What broader market impact has this exploit had?The attack contributed to a $13 billion DeFi wipeout over two days, triggered significant outflows from protocols like Aave, and occurred amid broader market fear sentiment with Bitcoin declining 1.63%.

Analysts are watching for Kelp's response to LayerZero's attribution, forensic evidence supporting Lazarus Group involvement, and whether forced migrations to multi-verifier configurations adequately address underlying infrastructure vulnerabilities.

What to watch next: By Shaurya Malwa Apr 20, 2026, 5:01 a.m.; Read full story Latest Crypto News The $13 billion DeFi wipeout in two days, and it started with KelpDAO attack 22 minutes ago Hack at Vercel sends crypto developers scrambling to lock down API keys 3 hours ago The $292 million Kelp exploit: how it happened, and what it means for DeFi 6 hours ago Previewing Consensus' Policy Summit: State of Crypto 10 hours ago Web3 VCs have a differentiation problem 11 hours ago 'DeFi is dead': crypto community scrambles after this year's biggest hack exposes contagion risk 11 hours ago Top Stories Bitcoin falls back to $76,000 as Iran shuts Hormuz again Apr 18, 2026 Aave sees $6 billion deposit drop as Kelp hack exposes structural risk for DeFi lender 14 hours ago Inside the rise of wrench attacks against crypto holders and how France has become the focus 15 hours ago RaveDAO's RAVE token collapses 90% in a day as exchange probes widen 14 hours ago Why Michael Saylor's Strategy decided to make STRC's dividend bi-monthly Apr 18, 2026 ### 📊 REAL-TIME MARKET INTELLIGENCE: - **Global Crypto Sentiment:** "Fear" (Score: 29/100)..