KelpDAO suffered a major exploit on April 18, 2026, with attackers draining around $290 million linked to its rsETH product. Early analysis points to North Korea’s Lazarus Group and its TraderTraitor unit as the likely attackers, based on tactics and infrastructure.
The hack targeted KelpDAO’s cross‑chain setup rather than a direct bug in its core smart contracts. Attackers contaminated remote procedure call (RPC) nodes and abused cross‑chain messaging to push fake transactions through.
According to incident write‑ups, the attacker managed to mint 116,500 unbacked rsETH and then unload much of it for WETH and other assets across DeFi platforms. This made the exploit one of the largest DeFi bridge‑related attacks of 2026.
LayerZero’s Explanation and Lazarus Attribution
LayerZero, whose cross‑chain messaging stack KelpDAO used, said its protocol is “functioning normally” and found no core protocol bug. Instead, it blamed KelpDAO’s configuration choice, which used a single 1‑of‑1 Decentralized Verifier Network (DVN) with LayerZero Labs as the only verifier.
In this setup, one compromised verifier was enough to approve forged cross‑chain messages. LayerZero says it had repeatedly recommended multi‑DVN, multi‑signer configurations to avoid a single point of failure, but KelpDAO stuck with the 1‑of‑1 model.
Security researchers and coverage from several outlets note that the operation mirrors previous Lazarus‑linked campaigns, which often combine infrastructure compromise with social engineering and advanced on‑chain routing. LayerZero’s public posts describe the attackers as a “highly sophisticated state‑sponsored” actor, with indicators pointing to Lazarus.
Where the Single Point of Failure Was
The exploit hinged on two related weaknesses: compromised RPC endpoints and KelpDAO’s single‑verifier DVN setup. Attackers first compromised the downstream RPC used by the DVN, then launched a DDoS attack on other nodes to force a failover to the poisoned endpoint.
Once that happened, the DVN started confirming transactions that never actually occurred on the source chain. Because KelpDAO’s bridge trusted a single verifier, there was no second or third independent DVN to disagree and halt the forged message.
LayerZero and independent analysts stress that a 2‑of‑3 or 3‑of‑5 DVN setup would have forced the attackers to compromise several unrelated verifier networks at once. In that case, the forged message would most likely have failed, even with a single node or RPC endpoint under the attacker’s control.
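The verifier-threshold argument above, as an added Python model (not code from KelpDAO or LayerZero). The DVN names, RPC provider labels and message ids are constructed, and the model goes one step beyond the text by also auditing whether verifiers share an upstream RPC provider.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class DVN:
    name: str
    rpc_provider: str  # upstream RPC this verifier reads the source chain from

def attests(dvn, msg_id, poisoned_rpcs, source_chain):
    """A verifier confirms a message if its RPC reports it. An honest RPC
    reports only real source-chain events; a poisoned one reports anything."""
    return dvn.rpc_provider in poisoned_rpcs or msg_id in source_chain

def accepted(msg_id, dvns, threshold, poisoned_rpcs, source_chain):
    """X-of-N rule: deliver only if at least `threshold` verifiers confirm."""
    if not 1 <= threshold <= len(dvns):
        raise ValueError("threshold must be in 1..len(dvns)")
    votes = sum(attests(d, msg_id, poisoned_rpcs, source_chain) for d in dvns)
    return votes >= threshold

def min_rpcs_to_forge(dvns, threshold):
    """Audit metric: fewest RPC providers that must be poisoned to reach the
    threshold. A result of 1 is a single point of failure."""
    votes, needed = 0, 0
    # Each DVN has one provider, so taking the most-shared providers first is optimal.
    for _, count in Counter(d.rpc_provider for d in dvns).most_common():
        votes += count
        needed += 1
        if votes >= threshold:
            return needed
    raise ValueError("threshold exceeds number of DVNs")

# Constructed sample data (hypothetical names, not from the incident).
SOURCE_CHAIN = {"msg-real"}   # events that really happened on the source chain
POISONED = {"rpc-1"}          # the single endpoint under attacker control
ONE_OF_ONE = ([DVN("dvn-a", "rpc-1")], 1)
TWO_OF_THREE = ([DVN("dvn-a", "rpc-1"), DVN("dvn-b", "rpc-2"),
                 DVN("dvn-c", "rpc-3")], 2)
SHARED_RPC = ([DVN("dvn-a", "rpc-1"), DVN("dvn-b", "rpc-1"),
               DVN("dvn-c", "rpc-3")], 2)  # 2-of-3 on paper, one provider in practice

if __name__ == "__main__":
    for label, (dvns, t) in [("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE),
                             ("2-of-3 shared RPC", SHARED_RPC)]:
        forged = accepted("msg-forged", dvns, t, POISONED, SOURCE_CHAIN)
        print(f"{label}: forged accepted={forged}, "
              f"RPCs to poison={min_rpcs_to_forge(dvns, t)}")
```

The third configuration shows why the verifiers must be unrelated: a 2-of-3 quorum whose members read from the same RPC provider fails in the same way as the 1-of-1 setup.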
LayerZero says it has replaced the affected RPC endpoint, restored DVN operations, and is working with KelpDAO, SEAL, and law‑enforcement agencies to trace funds.