LayerZero says an insecure configuration in Kelp DAO’s verifier setup enabled an attacker to drain roughly 116,500 rsETH — around $290–293 million at the time — from Kelp’s LayerZero-powered rsETH bridge. The company indicated early indicators point to a North Korea-linked threat actor.
According to LayerZero, the exploit stemmed from a single point of failure in Kelp’s decentralized verifier network (DVN) configuration. Kelp relied on a 1/1 DVN that used only the LayerZero Labs DVN as the verified path, despite recommendations from LayerZero and others to diversify verifiers. LayerZero characterized the incident as an unsafe application setup, not a compromise of LayerZero’s core protocol, and urged projects using 1/1 DVN arrangements to migrate to multi-DVN designs.
LayerZero warned it will stop signing or attesting messages for applications that continue to operate with single-verifier configurations.
The stolen rsETH was used as collateral on Aave to borrow real liquidity, triggering a sharp market response. Aave’s total value locked (TVL) fell by about $8.9 billion to roughly $17.5 billion after the attacker’s actions. The protocol reported about $195 million in bad debt resulting from the incident and froze all rsETH positions on Aave v3 and v4 to prevent further damage. Aave stressed its own smart contracts were not exploited.
No recovery or compensation plan has been announced. Industry participants have proposed several paths. OneKey founder Yishi Wang suggested negotiating with the hacker and offering a 10–15% bounty to recover most funds, or having LayerZero’s ecosystem fund absorb the bulk of losses while Kelp DAO covers shortfalls through token issuance, future revenue, or a sale. DeFiLlama founder 0xngmi outlined alternatives including socializing losses across users, seizing rsETH on L2s where it may be held, or attempting to restore holder balances to a pre-hack snapshot — an approach both technically and politically difficult.
Beyond the headline loss, observers warned of systemic effects. The large removal of ETH liquidity on Aave raised illiquidity risk for Ether-backed positions: analysts cautioned that a 15–20% drop in ETH price could produce significant additional bad debt because liquidations might not be executable at current utilization levels. The incident highlighted how reduced liquidity can amplify protocol-level risk even when core contracts remain intact.
LayerZero reiterated the importance of multi-DVN verification and said it would no longer provide signatures or attestations to applications persisting with single-verifier designs. Cointelegraph reached out to Aave for comment but had not received a response at publication.
The episode underscores how a configuration error in one cross-chain application can cascade into major lending markets, forcing hurried risk responses and sparking difficult questions about who bears responsibility and how decentralized ecosystems should remediate large losses.