Kelp DAO exploit drains $292 million in a cross-chain bridge attack, with investigators pointing to a likely link to North Korea’s Lazarus Group.
Key Takeaways
- $292 million worth of rsETH was drained from Kelp DAO’s LayerZero powered bridge.
- Lazarus Group is identified as the likely attacker, according to LayerZero’s investigation.
- The exploit exposed a critical single point failure in verifier setup.
- Major DeFi platforms froze activity, while market fears triggered a drop in TVL and token prices.
What Happened?
An attacker exploited Kelp DAO’s cross-chain bridge infrastructure, draining 116,500 rsETH tokens and triggering widespread disruption across decentralized finance. The protocol paused operations shortly after, preventing further losses, while investigations pointed to a sophisticated infrastructure level attack.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
— Kelp (@KelpDAO) April 18, 2026
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
Exploit Origin and Attack Breakdown
The attack occurred at 17:35 UTC on April 18, when an attacker controlled wallet triggered a malicious transaction through LayerZero’s messaging system. This action convinced the system that a legitimate cross-chain request had been received, causing the protocol to release a massive amount of rsETH.
Investigators later found that the attacker wallet had been funded through Tornado Cash, a tool commonly used to obscure transaction origins in crypto exploits.
According to findings shared by LayerZero, the exploit was not due to compromised smart contracts or stolen private keys. Instead, the issue stemmed from a flawed system configuration within Kelp DAO’s infrastructure.
Single Point Failure Enabled the Attack
The root cause of the breach was a 1 of 1 decentralized verifier node setup, meaning only one verification node was responsible for validating cross-chain messages.
LayerZero had reportedly recommended a multi-verifier setup to improve redundancy and security. However, Kelp DAO continued operating with a single verifier, which significantly lowered the barrier for attackers.
The exploit followed a multi step process:
- Attackers poisoned RPC infrastructure feeding the verifier network.
- A DDoS attack forced failover to compromised backup systems.
- The system validated fake cross-chain transactions, releasing funds.
This chain of events allowed attackers to extract nearly 18 percent of rsETH’s total circulating supply.
Cross Chain Impact and Liquidity Crisis Risk
The drained funds were part of the reserve backing wrapped rsETH tokens across more than 20 blockchain networks, including major layer 2 ecosystems.
This created immediate uncertainty about whether those tokens still held value, as the underlying collateral had been removed.
Experts warn this could trigger:
- Panic redemptions across networks.
- Pressure on Ethereum based liquidity pools.
- Forced unwinding of restaking positions.
The exploit also caused a ripple effect across DeFi platforms:
- Aave froze rsETH markets on its latest versions.
- SparkLend, Fluid, and Upshift also paused related markets.
- Lido temporarily halted deposits into products with rsETH exposure.
- Ethena paused its bridge operations as a precaution.
Meanwhile, AAVE token price dropped around 10 percent, reflecting concerns about potential bad debt exposure.
Market Reaction and Wider DeFi Fallout
The incident has been labeled the largest DeFi exploit of 2026 so far, surpassing earlier high profile attacks in the sector.
Following the breach:
- Total value locked across DeFi dropped by about 7 percent, falling to roughly $85 billion.
- Market participants rushed to assess exposure across interconnected protocols.
The broader context adds to the concern. Recent weeks have already seen multiple exploits across DeFi platforms, making this event part of a troubling trend.
Lazarus Group Suspected Involvement
LayerZero’s investigation points to the TraderTraitor subgroup of the Lazarus Group as the likely perpetrator. While not confirmed, the attribution aligns with known patterns of highly sophisticated attacks linked to North Korea.
The Lazarus Group has previously been connected to major crypto thefts, including high profile multi hundred million dollar hacks.
Security experts note that cross-chain protocols are especially attractive targets, as they hold large pooled liquidity and rely heavily on verification infrastructure.
LayerZero has confirmed:
- No protocol code was compromised.
- No private keys were exposed.
- The vulnerability was purely architectural.
The company has since decommissioned affected infrastructure and restored operations, while working with law enforcement to trace the stolen funds.
CoinLaw’s Takeaway
From my perspective, this incident highlights a hard truth about DeFi that many projects still underestimate. Security is not just about smart contracts, it is about architecture.
In my experience, ignoring basic redundancy recommendations is one of the biggest risks in system design. I found it surprising that a protocol managing billions relied on a single verifier setup.
This was not just a hack, it was a preventable failure. And now, the consequences are spreading across the entire ecosystem.
If anything, this event will likely push stricter security standards across cross-chain infrastructure, because the cost of getting it wrong is now painfully clear.
