LayerZero Blames $292M KelpDAO Bridge Hack on Lazarus Group
LayerZero attributed the $292M KelpDAO bridge exploit to North Korea's Lazarus Group, citing a corrupted single-verifier setup. The attack drained 116,500 rsETH, triggered $10B in Aave withdrawals, and nearly caused another $100M loss before a blacklist cut it off.
Quick Take
- LayerZero traces $292M KelpDAO bridge hack to Lazarus Group
- Attack exploited single-verifier flaw by corrupting verification channel
- Exploit triggered $10B withdrawal from Aave, near additional $100M loss averted
- LayerZero to halt support for apps using single verifier setup
Market Impact Analysis
Bearish: The exploit caused immediate liquidations and withdrawals, potentially reducing confidence in cross-chain bridges, which could lead to reduced DeFi activity and bearish pressure on related tokens.
Key Takeaways
- LayerZero ties the $292M KelpDAO bridge exploit to Lazarus Group after attackers corrupted the single-verifier setup.
- Drain of 116,500 rsETH triggered over $10B in withdrawals from Aave as fear swept DeFi markets.
- LayerZero will stop approving messages for apps using a single verifier, eliminating a critical vulnerability.
- Attackers nearly snatched another $100M before a rapid blacklist cut them off within three minutes.
What Happened
LayerZero pointed the finger at Lazarus Group for the $292 million KelpDAO bridge exploit on Saturday. Attackers corrupted the communication channel used by the bridge’s single verifier, feeding fake withdrawal approvals and knocking backup lines offline. The theft of 116,500 rsETH sent shockwaves through DeFi, prompting over $10 billion in withdrawals from Aave as users fled perceived risk. The attack bore hallmarks of North Korea’s state-backed TraderTraitor unit, previously tied to the Ronin and WazirX hacks.
The Numbers
The exploit drained $292 million in rsETH, a liquid restaking token backed by staked ether. The theft represented 116,500 tokens siphoned from the bridge. Panic cascaded into a $10 billion liquidity flight from Aave within hours. The attackers nearly escaped with an additional $100 million, but a blacklist deployed with just three minutes to spare halted the extra outflow. The entire operation hinged on corrupting a single point of verification.
Why It Happened
KelpDAO’s bridge relied on a single verifier to approve transactions—a design that LayerZero had repeatedly warned against. Attackers tapped two lines the verifier used to check validity, sending misleading confirmations while disconnecting honest nodes. This single point of failure allowed unauthorized withdrawals without triggering alarms. LayerZero now refuses to approve messages for any application that won’t adopt a multi-verifier setup, closing the loophole that Lazarus exploited.
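The difference between a single-verifier policy and a multi-verifier quorum can be shown in a few lines. This is an added example, not LayerZero's or KelpDAO's code: the verifier names, keys and messages are constructed, and HMAC stands in for whatever signature scheme a real verifier uses.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed verifier identities and keys. HMAC stands in for a real signature scheme.
VERIFIER_KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}

def _tag(verifier_id, digest):
    return hmac.new(VERIFIER_KEYS[verifier_id], digest.encode(), hashlib.sha256).hexdigest()

def attest(verifier_id, message):
    """One verifier's attestation: (verifier_id, message digest, authentication tag)."""
    digest = hashlib.sha256(message).hexdigest()
    return verifier_id, digest, _tag(verifier_id, digest)

def accepted_digest(attestations, allowed, threshold):
    """Return the digest confirmed by >= threshold distinct allowed verifiers, else None."""
    if not 1 <= threshold <= len(allowed):
        raise ValueError("threshold must be between 1 and len(allowed)")
    voters = defaultdict(set)
    for verifier_id, digest, tag in attestations:
        if verifier_id not in allowed:
            continue  # attestation from a verifier outside the configured set
        if hmac.compare_digest(_tag(verifier_id, digest), tag):
            voters[digest].add(verifier_id)  # a set, so repeats from one verifier count once
    winners = [d for d, ids in voters.items() if len(ids) >= threshold]
    return winners[0] if len(winners) == 1 else None  # conflicting quorums: accept nothing

def audit(name, allowed, threshold):
    """Flag any policy in which a single verifier can approve a message alone."""
    if threshold == 1:
        return f"{name}: FAIL, one verifier can approve alone"
    return f"{name}: ok, {threshold}-of-{len(allowed)}"

if __name__ == "__main__":
    forged = b"constructed sample: release 100 tokens to unknown address"
    genuine = b"constructed sample: release 5 tokens to alice"
    # verifier-a has been fed false data and attests to the forged message.
    seen = [attest("verifier-a", forged), attest("verifier-b", genuine),
            attest("verifier-c", genuine)]
    print(audit("single", {"verifier-a"}, 1), accepted_digest(seen, {"verifier-a"}, 1))
    print(audit("quorum", set(VERIFIER_KEYS), 2), accepted_digest(seen, set(VERIFIER_KEYS), 2))
```

Under the 1-of-1 policy the forged message's digest is accepted on the word of the one misled verifier; under 2-of-3 the same attestation is outvoted and only the message the other two confirm passes.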
Broader Impact
The fallout extends beyond KelpDAO. Investors yanked $10 billion from Aave amid fears of contagion, and cross-chain bridges face renewed skepticism. Regulators may intensify scrutiny of DeFi security, while projects scramble to audit single-verifier models. LayerZero’s policy shift could force an industry-wide migration to redundant validation, raising the bar for attackers but also increasing operational complexity.
What to Watch Next
- Monitor any movement of the stolen rsETH through obfuscation services—a hallmark of Lazarus operations.
- Track DeFi total value locked for further volatility, especially on protocols with single-verifier bridges.
- Watch for other cross-chain projects rushing to implement multi-verifier upgrades in response.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.