KelpDAO, a well-known liquid restaking protocol, has released a detailed statement regarding a massive attack on the rsETH bridge, resulting in the theft of over $292 million. The project directly placed the responsibility for the incident on LayerZero, emphasizing that the cause was indeed the compromise of this platform’s infrastructure, rather than errors in the configuration of KelpDAO itself.
This is reported by Finway
Configuration dispute and KelpDAO’s position
At the center of the conflict is the 1-of-1 DVN verification model, which LayerZero had previously recommended and approved for use by partners. KelpDAO stressed that it had applied the standard configuration agreed upon with representatives of LayerZero and has direct evidence of this in internal correspondence. It was only after the attack that LayerZero changed its position, labeling this configuration as vulnerable and the cause of the hack.
“This is a Telegram correspondence with a member of the LayerZero Labs team, who not only knew about the 1-1 DVN configuration but also explicitly approved it.”
Statistics show that about 47% of LayerZero’s OApp contracts used a similar verification model, and over 120 protocols operated under the same scheme. This raises doubts about the claim of a unique error on the part of KelpDAO.
Details of the hack and market implications
According to an analysis by KelpDAO and independent researchers, the attack that occurred on April 18, 2026, targeted not the smart contracts but the infrastructure of LayerZero. The attackers compromised the RPC nodes used by DVN, organizing an RPC spoofing attack. This allowed them to sign fake transactions worth over $100 million (part of the funds were managed to be blocked), with total losses amounting to approximately $292 million.
LayerZero officially confirmed the compromise of part of its infrastructure. Meanwhile, independent experts emphasized that:
“The LayerZero attack was not an RPC poisoning […] it was an infrastructure breach within the perimeter.”
KelpDAO highlighted that it was the first to detect the attack and promptly halted the operation of contracts to minimize the consequences.
According to information from LayerZero, the attack may be linked to the North Korean group Lazarus Group. Part of the assets were managed to be frozen: the Arbitrum network blocked over 30,000 ETH (approximately $71 million), which later became the subject of a legal dispute involving Aave. At the same time, the attackers managed to launder about 34,500 ETH ($80 million) through THORChain.
New risks and transition to Chainlink
Following the incident, KelpDAO announced its abandonment of LayerZero’s infrastructure and transition to Chainlink CCIP. The team emphasized that Chainlink has already processed over $30 trillion in transaction volume and remained stable even during global outages.
“We are moving to use a proven infrastructure and minimizing reliance on external dependencies.”
The incident has raised new questions in the industry regarding the security of decentralized protocols: particularly concerning the centralization of DVN, shared points of control, the use of default configurations without additional verification, and the lack of timely monitoring of attacks. KelpDAO also publicly called on LayerZero to explain how its infrastructure was compromised and why the system did not detect the attack earlier.