Key Takeaways
- A sophisticated attack drained approximately $290–293 million from Kelp DAO after hackers infiltrated RPC nodes controlling LayerZero’s verification system
- LayerZero claims Kelp DAO disregarded repeated security recommendations to implement multiple verifiers, instead operating with a vulnerable single-verifier architecture
- Preliminary forensic analysis points to North Korea’s notorious Lazarus Group as the perpetrators
- The breach created ripple effects across at least nine DeFi platforms, with Aave experiencing roughly $6 billion in asset outflows
- LayerZero has declared it will discontinue support for any protocol maintaining single-verifier configurations
In what stands as one of 2026’s most devastating decentralized finance breaches, Kelp DAO fell victim to a sophisticated exploit that siphoned approximately $290–293 million from the liquid restaking platform over the weekend. LayerZero, the cross-chain messaging protocol whose infrastructure facilitated the attack, has pointed directly to Kelp’s security architecture as the primary vulnerability.
The compromise centered on Kelp’s mechanism for transferring its rsETH token across different blockchain networks. Operating with a single-verifier architecture meant only one entity needed to validate cross-chain transfers. According to LayerZero, the company had explicitly cautioned Kelp against this configuration and urged the implementation of multiple independent verification sources.
The threat actors infiltrated a pair of remote procedure call nodes—specialized servers that facilitate blockchain data interactions. These legitimate nodes were secretly replaced with compromised versions that transmitted fraudulent data to LayerZero’s verification system while maintaining normal appearances to all other infrastructure.
Since LayerZero’s verifier cross-referenced additional uncompromised external nodes, the attackers launched a coordinated distributed denial-of-service assault to disable those backup systems. This maneuver redirected all traffic through the corrupted nodes during a critical 80-minute window from 10:20 a.m. to 11:40 a.m. Pacific Time on Saturday.
When the failover mechanism activated, the compromised infrastructure convinced the verifier that a legitimate transaction had occurred. Kelp’s bridge subsequently released 116,500 rsETH tokens to the attackers’ wallets. Following the successful exploit, the malicious code automatically erased itself, eliminating forensic evidence from the compromised servers.
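The failure mode described above, shown as an added example (not code from LayerZero, Kelp or the original article): a verifier that fails open after losing its honest data sources, beside one that refuses to attest unless a strict majority of all configured sources agree. The five sources, the quorum of three and the placeholder hashes are assumptions made for illustration.

```python
from collections import Counter
from typing import Optional, Sequence

class VerificationRefused(Exception):
    """The verifier cannot safely attest to the cross-chain message."""

def attest_fail_open(views: Sequence[Optional[str]]) -> str:
    """Weak pattern: after failover, trust whichever sources still answer."""
    reachable = [v for v in views if v is not None]
    if not reachable:
        raise VerificationRefused("no source reachable")
    return Counter(reachable).most_common(1)[0][0]

def attest_fail_closed(views: Sequence[Optional[str]], quorum: int) -> str:
    """Attest only when `quorum` of the configured sources agree and none dissent."""
    if quorum <= len(views) // 2:
        raise ValueError("quorum must be a strict majority of configured sources")
    reachable = [v for v in views if v is not None]
    if len(set(reachable)) > 1:
        raise VerificationRefused("sources disagree; hold the message for review")
    if len(reachable) < quorum:
        raise VerificationRefused(
            f"only {len(reachable)} of {len(views)} sources reachable, need {quorum}")
    return reachable[0]

# Constructed sample data (not real hashes). None = source did not answer.
REAL, FORGED = "0xREAL_PLACEHOLDER", "0xFORGED_PLACEHOLDER"
NORMAL = [REAL, REAL, REAL, REAL, REAL]
OUTAGE = [FORGED, FORGED, None, None, None]   # two poisoned nodes, three knocked offline
SPLIT = [FORGED, FORGED, REAL, REAL, REAL]    # poisoned nodes while honest ones are up

def outcome(views, quorum=3):
    """Return the attested hash, or 'REFUSED' if attestation is withheld."""
    try:
        return attest_fail_closed(views, quorum)
    except VerificationRefused:
        return "REFUSED"

if __name__ == "__main__":
    print("fail-open during outage:", attest_fail_open(OUTAGE))
    for name, views in (("normal", NORMAL), ("outage", OUTAGE), ("split", SPLIT)):
        print(f"fail-closed, {name}:", outcome(views))
```

The same agree-or-refuse rule applies one level up, when an application requires attestations from several independent verifiers instead of one.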
Cascading Effects Throughout the DeFi Ecosystem
The stolen rsETH tokens were strategically deployed as collateral across multiple lending platforms to extract genuine digital assets. Aave, the dominant player in decentralized lending, bore the brunt of the damage.
Aave found itself holding rsETH tokens with severely compromised liquidity while valuable assets like ETH had already been withdrawn from the platform. The protocol’s native token plummeted approximately 15% within 24 hours, and Aave witnessed roughly $6 billion in total value locked evaporate as panicked users withdrew their funds.
Beyond Aave, at least nine additional DeFi protocols sustained collateral damage, including Fluid, Compound Finance, SparkLend, and Euler. Blockchain security firm Cyvers characterized the incident as a “cross-protocol contagion event” rather than a contained breach.
LayerZero has preliminarily identified North Korea’s Lazarus Group and its TraderTraitor subdivision as the likely culprits. This same threat actor was implicated in the $285 million Drift Protocol compromise on April 1, indicating Lazarus has extracted over $575 million from DeFi platforms within just 18 days using distinct attack vectors.
Industry Response and Future Implications
LayerZero reports no evidence of compromise spreading to applications utilizing multi-verifier security configurations. The company has restored its verifier to operational status and publicly announced it will refuse to process messages for any project operating single-verifier setups moving forward.
Curve Finance founder Michael Egorov highlighted the incident as a stark illustration of the dangers inherent in relying on singular verification authorities. He further advised the DeFi community to minimize cross-chain infrastructure usage unless strictly essential.
Ledger CTO Charles Guillemet predicted 2026 will “most likely be the worst year in terms of hacks.” First-quarter crypto exploit losses have already surpassed $482 million in 2026.
Kelp has remained silent regarding LayerZero’s version of events and has not provided a public explanation for maintaining the single-verifier configuration despite receiving explicit security warnings.





