LayerZero says a flawed setup tied to Kelp DAO’s decentralized verifier network (DVN) enabled attackers to steal roughly $290 million, with early indicators suggesting possible links to North Korea-backed actors.
The attacker drained about 116,500 rsETH — valued between $292 million and $293 million at the time — from Kelp DAO’s LayerZero-powered bridge on Saturday.
LayerZero said the breach resulted from a single point of failure in Kelp’s configuration, which relied on just one DVN as the sole verification path, despite prior warnings against using such a setup.
“LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration.”
In effect, the setup meant Kelp DAO relied on a single verification path for cross-chain messages instead of requiring multiple independent checks.
The exploit quickly shifted focus from the technical flaw to who should bear the losses, as the fallout spread to Aave, where the attacker used the stolen rsETH as collateral to borrow actual liquidity.
Aave’s total value locked (TVL) has since dropped by roughly $8.9 billion to around $17.5 billion, after the exploit left about $195 million in bad debt and triggered a wave of withdrawals across the lending protocol.
LayerZero said Kelp DAO’s rsETH bridge depended solely on a single LayerZero Labs DVN, stressing that the breach stemmed from an unsafe application setup rather than a flaw in LayerZero itself. The firm added it is urging projects using one-of-one DVN configurations to migrate to multi-verifier setups and will stop signing or attesting messages for applications that continue using a single verifier.
Blame debate intensifies after $290M exploit
With no recovery or компенсаtion plan announced, the crypto community spent Monday debating who should ultimately absorb the losses — whether Kelp DAO, LayerZero, Aave or rsETH holders.
Yishi Wang, founder of OneKey, suggested negotiating with the attacker as the most practical path, proposing a 10%–15% bounty to recover the majority of the funds.
“If negotiations fail, LayerZero’s ecosystem fund should cover most of the losses — it has the deepest pockets and the most long-term skin in the game,” Wang wrote, adding that Kelp DAO may need to compensate users through tokens, future revenue, or even consider a sale.
Meanwhile, DeFiLlama’s pseudonymous founder 0xngmi outlined three possible approaches: distributing losses across users, forcing losses onto rsETH holders on layer-2 networks, or attempting to restore balances to a pre-hack state — though he noted the latter would be extremely difficult to execute.
Exploit raises liquidation risks for Aave
Investor anxiety following the Kelp DAO exploit has sharply reduced Ethereum (ETH) liquidity on Aave, where it serves as a key form of collateral.
The drop in liquidity creates a “critical safety risk,” as liquidations of ETH-backed positions may not be possible while markets remain at 100% utilization, according to MoneySupply, head of strategy at Spark Protocol.
He warned that under current illiquid conditions, a 15–20% decline in ETH prices could trigger substantial additional bad debt — on top of the losses already linked to the rsETH exploit.
Aave said it promptly froze all rsETH markets across its v3 and v4 deployments to contain the impact and prevent further damage, adding that its own smart contracts were not compromised in the incident.
