LayerZero Blames Kelp's $290M Exploit on Single-Verifier Setup

LayerZero attributes the $290M Kelp DAO exploit to Kelp's single-verifier configuration, warning against it. Attackers, linked to Lazarus Group, compromised RPC nodes to forge a cross-chain message, draining 116,500 rsETH. LayerZero will no longer support 1-of-1 setups, forcing protocol-wide migration.

CoinDesk | Shaurya Malwa

Quick Take

  1. Kelp DAO lost $290M in rsETH due to a single-verifier bridge setup.
  2. Lazarus Group suspected of compromising two RPC nodes with DDoS attack.
  3. LayerZero says no contagion; 1-of-1 configs will no longer be signed.
  4. Kelp ignored multi-verifier recommendation; Lazarus adapts attack vectors.

Market Impact Analysis

  • Outlook: Bearish
  • Major exploit raises security concerns, likely causing short-term DeFi token sell-off.
  • Timeframe: short

Speculation Analysis

  • Factuality: 80/100
  • Speculation Trigger: 85/100

Key Takeaways

  • Total Losses: $290M (Kelp DAO exploit value)
  • Assets Drained: 116,500 rsETH (transferred to attackers)
  • Nodes Compromised: 2 RPC nodes (targeted in DDoS attack)
  • Attack Duration: 80 minutes (DDoS window on April 18, 2026)

What Happened

LayerZero has linked the $290 million exploit of Kelp DAO to a single-verifier setup that the protocol had warned against. The attack, attributed to North Korea's Lazarus Group, compromised two RPC nodes that LayerZero's verifier used to confirm cross-chain transactions. Attackers ran a DDoS attack on uncompromised nodes, forcing a failover to poisoned ones that forged a valid cross-chain message. This allowed the Kelp bridge to release 116,500 rsETH to the attackers. The malicious software then self-destructed, wiping traces. No protocol-wide vulnerability existed — only Kelp's configuration was at fault.

The Numbers

The exploit drained $290 million worth of rsETH, with 116,500 tokens transferred to attacker-controlled addresses. Two RPC nodes were compromised during an 80-minute DDoS window between 10:20 a.m. and 11:40 a.m. PT on April 18, 2026. LayerZero confirmed zero contagion: every application running a multi-verifier setup remained untouched. The compromised nodes continued reporting accurate data to other systems, masking the attack from monitoring infrastructure.

Why It Happened

Kelp operated a 1-of-1 verifier model, relying solely on LayerZero Labs to validate messages — a configuration that LayerZero's integration checklist explicitly warned against. Despite recommendations for a multi-verifier setup with redundancy, Kelp ignored the guidance. The attackers exploited this by targeting the infrastructure layer, poisoning RPC feeds to forge a single verifier's data. A distributed consensus would have prevented the attack. LayerZero's protocol functioned as designed, leaving Kelp's isolated security choice as the root cause.
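
An added example, not from CoinDesk, Bytewit or LayerZero: a simplified Python model of the RPC failover and verifier quorum described above, showing why the same forged message passes a 1-of-1 setup but fails a 2-of-3 one. The names `Rpc`, `attest` and `bridge_accepts`, the SHA-256 digest and the scenario data are assumptions for illustration and do not reflect LayerZero's actual implementation.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Rpc:
    reachable: bool          # False models a node knocked offline (e.g. by DDoS)
    view: Optional[bytes]    # source-chain message this node reports; None = no such message

def digest(msg: bytes) -> str:
    return hashlib.sha256(msg).hexdigest()

def attest(rpcs: List[Rpc]) -> Optional[str]:
    """A verifier reads from its first reachable RPC (plain failover) and attests to what it sees."""
    for rpc in rpcs:
        if rpc.reachable:
            return digest(rpc.view) if rpc.view is not None else None
    return None  # no data source at all: refuse to attest

def bridge_accepts(delivered: bytes, verifiers: Dict[str, List[Rpc]], threshold: int) -> bool:
    """Accept the delivered message only if at least `threshold` verifiers attest to it."""
    want = digest(delivered)
    votes = sum(1 for rpcs in verifiers.values() if attest(rpcs) == want)
    return votes >= threshold

# Constructed scenario: the message was never emitted on the source chain.
FORGED = b"release 116500 rsETH"
# Sole verifier: its honest node is unreachable, so it fails over to two poisoned nodes.
sole = [Rpc(False, None), Rpc(True, FORGED), Rpc(True, FORGED)]
# Hypothetical independent verifiers with their own, unpoisoned RPC infrastructure.
indep_b = [Rpc(True, None)]
indep_c = [Rpc(True, None)]

def one_of_one() -> bool:
    return bridge_accepts(FORGED, {"sole": sole}, threshold=1)

def two_of_three() -> bool:
    return bridge_accepts(FORGED, {"sole": sole, "b": indep_b, "c": indep_c}, threshold=2)

if __name__ == "__main__":
    print("1-of-1 accepts forged message:", one_of_one())
    print("2-of-3 accepts forged message:", two_of_three())
```

The quorum only helps when the verifiers do not share RPC infrastructure; three verifiers reading from the same poisoned nodes would still agree on the forged message.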

Broader Impact

The incident forces a protocol-wide reckoning. LayerZero will no longer sign messages for any application running a 1-of-1 configuration, mandating migration to multi-verifier setups. This raises the bar for DeFi bridge security and signals that infrastructure-layer attacks by sophisticated groups like Lazarus are an escalating threat. Kelp's loss may accelerate adoption of hardened verification standards across restaking protocols.

What to Watch Next

  • Kelp DAO's official response and any recovery plans for affected users.
  • Other protocols on LayerZero migrating off single-verifier setups — potential disruptions or security upgrades.
  • Lazarus Group's adaptation: more infrastructure-targeted attacks on DeFi bridges.

Source: CoinDesk

This article is for informational purposes only and does not constitute financial advice.


Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.

© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
