Interoperability protocol LayerZero says an insecure configuration tied to Kelp’s decentralized verifier network (DVN) allowed attackers to steal roughly $290 million from Kelp DAO, and that early indicators point to North Korea-linked threat actors.
An exploiter drained about 116,500 Restaked ETH (rsETH), valued at up to $293 million at the time, from Kelp DAO’s LayerZero-powered rsETH bridge on Saturday. LayerZero said the root cause was a single point of failure in Kelp’s setup: Kelp relied on a 1/1 DVN configuration using only the LayerZero Labs DVN as the verified path, despite LayerZero and others recommending DVN diversification.
LayerZero framed the incident as an unsafe application configuration rather than a compromise of LayerZero itself and urged all apps using 1/1 DVN setups to migrate to multi-DVN configurations. The company said it will stop signing or attesting messages for applications that continue to use single-verifier designs.
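The gap between a 1/1 setup and a multi-DVN setup can be shown with a simplified model, added here as an example and not taken from LayerZero, Kelp or the original article. It assumes a message is accepted once every required verifier and a threshold of optional verifiers have attested; the class, field names and DVN names are hypothetical, and the sample configurations are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DvnConfig:
    """Hypothetical model of an app's verifier set (not LayerZero's API)."""
    required: frozenset                 # every one of these must attest
    optional: frozenset = frozenset()   # pool for the extra quorum
    optional_threshold: int = 0         # how many of the pool must attest


def is_verified(cfg, attesters):
    """Accept only if all required DVNs and enough optional DVNs attested."""
    attesters = frozenset(attesters)
    return (cfg.required <= attesters
            and len(cfg.optional & attesters) >= cfg.optional_threshold)


def min_compromise(cfg):
    """Fewest distinct verifiers an attacker must control to pass a forgery."""
    shared = len(cfg.required & cfg.optional)  # DVNs counted in both sets
    return len(cfg.required) + max(0, cfg.optional_threshold - shared)


def audit(cfg):
    """Return findings for configurations that are unsafe or unusable."""
    findings = []
    if cfg.optional_threshold > len(cfg.optional):
        findings.append("optional threshold exceeds optional set size")
    if min_compromise(cfg) <= 1:
        findings.append("single point of failure: one verifier decides")
    return findings


# Constructed sample configurations (DVN names are placeholders).
SINGLE = DvnConfig(required=frozenset({"dvn-a"}))
MULTI = DvnConfig(required=frozenset({"dvn-a", "dvn-b"}),
                  optional=frozenset({"dvn-c", "dvn-d"}),
                  optional_threshold=1)

if __name__ == "__main__":
    for name, cfg in (("1/1", SINGLE), ("multi-DVN", MULTI)):
        forged = is_verified(cfg, {"dvn-a"})  # only dvn-a attests
        print(name, "accepts with dvn-a alone:", forged,
              "| verifiers needed:", min_compromise(cfg),
              "| findings:", audit(cfg))
```

In the 1/1 case a single attestation is sufficient, so the application's security equals that of one verifier; in the multi-DVN case the same attestation alone is rejected.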
The exploit rapidly prompted debate over who should bear the losses — Kelp DAO, LayerZero, Aave, or rsETH holders — as the attacker used the stolen rsETH as collateral on Aave to borrow real liquidity. Aave’s total value locked (TVL) dropped by about $8.9 billion to roughly $17.5 billion after the attacker borrowed funds, leaving around $195 million in bad debt and triggering withdrawals on the lending protocol. Aave said it immediately froze all rsETH in Aave v3 and v4 to prevent further damage; its own smart contracts were not exploited.
With no recovery or compensation plan announced, industry voices suggested several remedies. OneKey founder Yishi Wang recommended negotiating with the hacker and offering a 10–15% bounty to recover most funds, or otherwise having LayerZero’s ecosystem fund absorb the bulk of losses given its resources, while Kelp DAO could make up shortfalls via tokens, future revenue, or a sale. DeFiLlama’s founder 0xngmi outlined options including socializing losses across users, seizing rsETH on L2s, or attempting to restore holder balances to a pre-hack snapshot — a difficult route.
Beyond immediate losses, the exploit raised systemic concerns. Reduced ETH liquidity on Aave created illiquidity risk for Ether collateral, with observers warning that a 15–20% ETH price drop could trigger significant additional bad debt because liquidations may not be executable at current utilization levels. Analysts stressed that illiquidity amplifies protocol-level risks even if core contracts remain secure.
LayerZero emphasized the need for multi-DVN verification and warned that applications persisting with single-verifier configurations would no longer receive signatures or attestation. Cointelegraph reached out to Aave for comment but had not received a response by publication.
The incident highlights the cascading effects of cross-chain bridge failures: a configuration error in one project can propagate into major lending markets, forcing rapid risk responses and raising difficult questions about responsibility and remediation in decentralized ecosystems.