TECH 20.04.2026

Kelp DeFi Protocol Suffers $290 Million Exploit, LayerZero Cites Bridge Misconfiguration

A staggering $290 million vanished from the Kelp decentralized finance (DeFi) liquid restaking protocol over the weekend, an incident attributed to North Korean state-sponsored hackers. The attack exploited a critical misconfiguration in Kelp’s integration with cross-chain infrastructure provider LayerZero, specifically a deviation from recommended security practices for decentralized verifier networks (DVNs). This marks one of the largest DeFi security events of 2026.

Blockchain security firms initially flagged the outflow of approximately 116,500 rsETH from the Kelp platform on Saturday afternoon. Kelp subsequently paused all activity to launch an immediate investigation. By early Monday, LayerZero published a detailed post-mortem analysis, identifying North Korea's TraderTraitor group, an arm of the notorious Lazarus operation, as the likely perpetrators.

The core vulnerability stemmed from Kelp’s reliance on a single-verifier (1-of-1 DVN) setup for its cross-chain bridge, a configuration LayerZero explicitly advises against. LayerZero's architecture is designed around multiple independent DVNs to verify messages sent across blockchains, preventing any single point of failure. Kelp's decision to use only LayerZero's DVN as its sole verifier meant there was no independent redundancy to detect and reject a forged cross-chain message, enabling the attackers to manipulate downstream infrastructure.
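The difference between a 1-of-1 setup and a multi-verifier setup can be shown with a simplified quorum model that lints a configuration and then checks attestations against it. This is an added example, not LayerZero's or Kelp's code; the `VerifierConfig` class, the verifier names and the messages are hypothetical.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    """Hypothetical X-of-N config: all `required` plus `optional_threshold` of `optional`."""
    required: frozenset
    optional: frozenset = frozenset()
    optional_threshold: int = 0

def payload_hash(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()

def audit(cfg: VerifierConfig) -> list:
    """Pre-deployment lint: flag configurations with no independent redundancy."""
    findings = []
    quorum = len(cfg.required) + cfg.optional_threshold
    if quorum == 0:
        findings.append("no verifier needed: every message is accepted")
    elif quorum == 1:
        findings.append("1-of-1: one verifier is a single point of failure")
    if cfg.optional_threshold > len(cfg.optional):
        findings.append("optional threshold exceeds optional set: nothing can verify")
    return findings

def is_verified(cfg: VerifierConfig, message: bytes, attestations: dict) -> bool:
    """Accept only if every required verifier, and enough optional ones,
    attested to the hash of exactly this message."""
    h = payload_hash(message)
    agree = {v for v, attested in attestations.items() if attested == h}
    return cfg.required <= agree and len(agree & cfg.optional) >= cfg.optional_threshold

# Constructed sample data: verifier names and messages are made up.
SINGLE = VerifierConfig(required=frozenset({"dvn-a"}))
MULTI = VerifierConfig(required=frozenset({"dvn-a", "dvn-b"}),
                       optional=frozenset({"dvn-c", "dvn-d"}), optional_threshold=1)
GENUINE = b"nonce=7;release=10;to=0xUSER"
FORGED = b"nonce=8;release=999;to=0xOTHER"
# Honest verifiers attest only to what they observed on the source chain.
HONEST = {v: payload_hash(GENUINE) for v in ("dvn-a", "dvn-b", "dvn-c", "dvn-d")}
# Failure case: dvn-a alone wrongly attests to the forged payload.
ONE_BAD = {"dvn-a": payload_hash(FORGED)}

if __name__ == "__main__":
    for name, cfg in (("1-of-1", SINGLE), ("multi", MULTI)):
        print(name, "audit:", audit(cfg))
        print(name, "genuine accepted:", is_verified(cfg, GENUINE, HONEST))
        print(name, "forged accepted:", is_verified(cfg, FORGED, ONE_BAD))
```

Running `audit` against every deployed pathway's configuration, and failing the deployment on any finding, turns the multi-verifier recommendation into an enforced check.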

Attackers exploited this weakness by submitting invalid cross-chain messages that were erroneously accepted as legitimate. This allowed them to drain rsETH from the protocol without directly compromising Kelp's smart contracts. The sophisticated tactics included a distributed denial-of-service (DDoS) attack on backup systems that might have otherwise halted the theft, and the use of tools built to self-destruct post-heist.

Following the successful exploit, the stolen rsETH tokens were moved into various decentralized lending platforms, including Aave. The attackers used these fictitious tokens as collateral to borrow over $200 million in real Ether and stablecoins. This action exposed lending protocols to significant potential bad debt, prompting immediate market responses such as freezing rsETH markets and reducing exposure limits across several platforms.

LayerZero’s post-mortem emphasized that its core protocol was not compromised, reiterating that the incident was a direct consequence of Kelp’s non-compliant bridge configuration. The company has consistently advocated for a multi-DVN model, citing it as an industry best practice for achieving diversity and redundancy in cross-chain asset transfers. Protocols adhering to this multi-verifier model remained unaffected.

This incident highlights a critical shift in DeFi risk, where vulnerabilities are increasingly emerging not from smart contract code directly, but from the complex infrastructure connecting disparate blockchains. The $290 million loss underscores the systemic risks inherent in interconnected lending protocols when bridge verification mechanisms are weak.

While LayerZero's explanation places accountability squarely on Kelp's integration choices, the incident forces a broader reevaluation of responsibility in the Web3 ecosystem. If infrastructure providers offer robust, multi-layered security solutions, but integrators opt for less secure configurations against explicit recommendations, where does the industry draw the line between developer freedom and enforced security standards to prevent such massive capital losses?
