Over $750m Was Stolen in 2026: WTF is Going On With DeFi?

Published: Apr 22, 2026

Nearly $600M has been stolen from DeFi in the last 18 days and over $750m in 2026. Drift was hit on April 1, followed by KelpDAO on April 18. The fallout froze billions in deposits across Aave, triggered $11.83B in outflows, and forced Arbitrum’s Security Council to use emergency powers that most users did not even know existed. WTF is going on???


In this report:

  • What happened at KelpDAO 
  • Why this attack stands out
  • Who is to blame
  • How the fallout spread through DeFi 
  • What changes from here

Disclaimer: This is not financial or investment advice. You are responsible for any capital-related decisions you make, and only you are accountable for the results.


What Happened?

Here are some basics before we dive in: KelpDAO is a liquid restaking protocol built on EigenLayer. Users deposit ETH, Kelp restakes it, and depositors receive rsETH as a liquid claim on their position while earning additional yield compared to normal staking.

By April, rsETH had crossed $1B in TVL and was integrated as collateral across Aave, Compound, Euler, and dozens of yield venues before a hacker drained $292m. The core restaking product, EigenLayer delegations, and mainnet rsETH backing all remain intact. What broke was the cross-chain bridge that moved rsETH between Ethereum and other networks.

KelpDAO uses a LayerZero OFT adapter to move rsETH across roughly 20 L2s and sidechains through a lock-and-mint mechanism: rsETH is locked in an escrow contract on Ethereum, and a matching amount is minted on the destination chain. On Saturday at 17:35 UTC, a forged inbound packet claiming to originate from Unichain was verified by a single DVN (Decentralized Verifier Network), the verifier layer responsible for confirming cross-chain messages, with no corresponding burn on the source chain. The adapter released 116,500 rsETH from escrow in a single block, dropping the adapter balance from 116,723 rsETH to 223.

A second forged packet for another 40,000 rsETH was later attempted, but by that point, KelpDAO’s emergency multisig had already paused the relevant address and contracts. The initial drain happened at 17:35 UTC, Kelp intervened at roughly 18:21 UTC, and the follow-up attempts around 18:26 and 18:28 UTC both reverted. That intervention stopped any further release of funds. The 40,373 rsETH now sitting in the adapter is the only confirmed backing for 152,577 rsETH minted across remote chains, leaving roughly 112,204 rsETH unbacked.  
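The lock-and-mint invariant described above (every escrow release on Ethereum is explained by a burn on the source chain) can be checked by a monitor that reconciles the two sides. This is an added sketch, not KelpDAO's or LayerZero's code: the amounts and balances are the article's figures, while the event fields, the nonces and the `base` transfer are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class BridgeEvent:
    chain: str        # remote chain the packet names as its origin
    nonce: int        # per-path message sequence number
    amount: Decimal   # rsETH amount


def unmatched_releases(releases, burns):
    """Return (release, reason) for every escrow release no source-chain burn explains.

    `burns` must be read from sources independent of the verifier's own RPC
    nodes (an assumption of this sketch); otherwise the monitor inherits the
    same blind spot as the verifier.
    """
    by_key = {(b.chain, b.nonce): b for b in burns}
    findings = []
    for r in releases:
        burn = by_key.get((r.chain, r.nonce))
        if burn is None:
            findings.append((r, "no burn on source chain"))
        elif burn.amount != r.amount:
            findings.append((r, f"burn was {burn.amount}, release was {r.amount}"))
    return findings


def escrow_after(balance, releases):
    """Escrow balance once every release in the window has executed."""
    return balance - sum((r.amount for r in releases), Decimal(0))


def backing_gap(escrow_balance, remote_supply):
    """Remote-chain supply not covered by escrowed tokens (never negative)."""
    return max(remote_supply - escrow_balance, Decimal(0))


# Constructed sample window: a legitimate transfer and the unexplained release.
LEGIT = BridgeEvent("base", 7, Decimal("50"))
FORGED = BridgeEvent("unichain", 1, Decimal("116500"))


def demo():
    findings = unmatched_releases([LEGIT, FORGED], burns=[LEGIT])
    return {
        "flagged": [(r.chain, r.amount, why) for r, why in findings],
        "escrow_after_drain": escrow_after(Decimal("116723"), [FORGED]),
        "unbacked_now": backing_gap(Decimal("40373"), Decimal("152577")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
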


Interestingly, rather than dumping the stolen rsETH into DEX liquidity, the attacker posted 89,567 rsETH as collateral across Aave V3 on Ethereum and Arbitrum, then borrowed more than $190M in WETH and $2.3M in wstETH across seven addresses. There was not enough liquidity to absorb a direct sale of that size. By borrowing against the position instead, the attacker could extract far more value in assets that were much easier to move, swap, bridge, and eventually launder. 

The positions were opened at health factors between 1.01 and 1.03, meaning the maximum possible amount was pulled out against the collateral. A portion of the borrowed funds was then routed through Tornado Cash. That is what turned a bridge exploit into a system-wide liquidity event.

Who is Lazarus, and Why Does that Matter?

LayerZero’s incident statement attributes the attack to TraderTraitor, a cryptocurrency-focused subgroup of North Korea’s Lazarus Group. This is the same operation behind the $1.5b Bybit hack, the $625m Ronin bridge drain, and over $7.3b in confirmed or attributed stolen assets going back to 2009. The U.S. Treasury sanctioned them in 2022, and they have only accelerated since.

What makes this attack different from earlier Lazarus operations is how it was carried out. Previous exploits often relied on social engineering, compromised private keys, or vulnerabilities in smart contracts. Here, the attackers targeted the RPC infrastructure that LayerZero’s verifier relied on to confirm transactions. In simple terms, these are the servers that critical infrastructure relies on to check what is true onchain. 


According to LayerZero’s post-mortem, the attackers compromised two independent RPC servers, replaced the software running on them with malicious versions, and built a setup that fed false data to the verifier while reporting truthful data to every other requester, including LayerZero’s own monitoring tools. They then DDoS’d the remaining clean RPC servers to force failover onto the compromised ones. Once the forged packet went through, the malicious software deleted itself along with its logs and configuration files.


The broader implication is hard to ignore. RPC verification sits underneath much of crypto’s infrastructure, from bridges to exchanges to oracles. 

In plain English, the safety is supposed to come from having multiple independent checkers confirm the same cross-chain message, so one compromised verifier cannot move funds on its own. KelpDAO did not have that protection. One verifier path was enough, and as we will see in the next section, it was far from the only protocol running with that kind of fragility.

So, Who is to Blame?

Responsibility here is shared, but not evenly. In the days since the exploit, KelpDAO, LayerZero, and Aave have each released statements that are technically defensible in isolation. Taken together, they still leave users with frozen markets, trapped liquidity, and no clear path to resolution.


KelpDAO bears the largest share of the blame. Its bridge was configured with a single verifier, operated by LayerZero Labs, with no backup. A billion-dollar asset was ultimately protected by one point of failure (quite common in DeFi, btw). LayerZero’s own documentation recommends multi-verifier setups for applications handling meaningful value, and that recommendation was ignored.

LayerZero can correctly say its modular architecture contained the blast radius to a single application. But LayerZero also permitted single-verifier setups as valid production configurations, and its own supporting infrastructure was what got compromised. More importantly, KelpDAO was far from an outlier. 

According to a Dune analysis published after the exploit, 47% of roughly 2,665 active OApp contracts on LayerZero were running a single-verifier security floor. Nearly half the ecosystem was relying on the same kind of fragility. LayerZero has now said it will no longer sign for single-verifier applications going forward, which is a policy that should have existed long before $292m walked out the door.
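The "multiple independent checkers" rule and the single-verifier security floor discussed above can be expressed as a small configuration audit. This is an added example, not LayerZero's code or its configuration schema: `VerifierConfig`, its field names, the app names and the `dvn-*` identifiers are hypothetical and form a simplified model of "all required verifiers plus a threshold of optional ones".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifierConfig:
    app: str
    required: frozenset                 # every verifier here must attest
    optional: frozenset = frozenset()   # pool for the threshold below
    optional_threshold: int = 0         # how many of `optional` must attest


def is_verified(cfg, attested):
    """True when the verifiers attesting to a packet satisfy the config."""
    attested = set(attested)
    return (cfg.required <= attested
            and len(cfg.optional & attested) >= cfg.optional_threshold)


def security_floor(cfg):
    """Fewest distinct verifiers that must agree (or fail together) to pass a packet."""
    # A verifier listed in both sets satisfies both rules with one attestation,
    # so it must not be counted twice.
    overlap = len(cfg.required & cfg.optional)
    return len(cfg.required) + max(0, cfg.optional_threshold - overlap)


def audit(configs, min_floor=2):
    """Return (app, finding) for configs that are too weak or can never verify."""
    findings = []
    for cfg in configs:
        if cfg.optional_threshold > len(cfg.optional):
            findings.append((cfg.app, "threshold exceeds optional pool: no packet can verify"))
            continue
        floor = security_floor(cfg)
        if floor < min_floor:
            findings.append((cfg.app, f"security floor {floor} is below {min_floor}"))
    return findings


# Constructed sample configurations (hypothetical apps and verifier names).
CONFIGS = [
    VerifierConfig("single-verifier-app", frozenset({"dvn-a"})),
    VerifierConfig("multi-verifier-app", frozenset({"dvn-a", "dvn-b"}),
                   frozenset({"dvn-c", "dvn-d"}), 1),
    VerifierConfig("overlap-app", frozenset({"dvn-a"}),
                   frozenset({"dvn-a", "dvn-b"}), 1),
    VerifierConfig("dead-app", frozenset({"dvn-a", "dvn-b"}),
                   frozenset({"dvn-c"}), 2),
]

if __name__ == "__main__":
    for app, finding in audit(CONFIGS):
        print(f"{app}: {finding}")
```

The `overlap-app` case is the one a naive count misses: it lists two verifiers, yet a single attestation from `dvn-a` satisfies both rules, so its floor is still 1.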


Aave acted swiftly, freezing rsETH across all 11 deployments, setting LTV to zero, and adjusting interest rate models to mitigate the stress. However, Aave's acceptance of rsETH as deep collateral in its main pools meant that a single external bridge failure could rapidly generate over $190 million in bad debt. While the exploit was not Aave's fault, its risk framework allowed an external failure to become an internal solvency and liquidity issue.

The potential bad debt figures highlight the seriousness of the situation. According to LlamaRisk, if KelpDAO socializes the loss across all rsETH holders regardless of the chain, Aave's total bad debt would be around $124 million. Conversely, if mainnet rsETH remains fully backed and L2 holders absorb the loss alone, the debt jumps to $230 million, with Mantle facing a 71% shortfall on its WETH reserve, Arbitrum at 27%, and Ink at 18%. 

In other words, the same exploit and the same on-chain facts could still lead to two radically different outcomes, depending entirely on a single policy decision that KelpDAO has yet to make.


The broader industry shares blame, too. DeFi still treats security as something that lives inside audited smart contracts, while deployment configuration, bridge assumptions, and offchain infrastructure are treated like implementation details. 

That is a dangerous mistake, because those so-called details were the actual point of failure in this case. The lesson is bigger than Kelp, LayerZero, or Aave. The industry needs shared safety standards, configuration audits as a real discipline, and coordinated risk management across protocols instead of finger-pointing after the fact.

Secondary Risk & Contagion

The direct bad debt is contained to rsETH-backed positions, but the crisis exposed a gap between “backed” and “withdrawable” that affects everyone. Every protocol involved can point to some version of technical soundness, and yet users who deposited stablecoins into what was supposed to be the safest lending market in DeFi still found themselves unable to access their funds.

Within 85 minutes of the exploit, Aave saw $1.95b in net outflows in a single hour. Cumulative outflows over the following 96 hours reached $11.83b across all chains and asset types.


Once Aave froze WETH across Ethereum, Arbitrum, Base, Mantle, and Linea, and utilization on key reserves pushed toward 100%, every strategy, vault, and protocol that relied on Aave’s ETH lending as core infrastructure came under stress. ETH suppliers could no longer exit through the normal route, so they started pulling stablecoins instead to reduce their net exposure. That pushed USDC and USDT utilization toward 100% on markets that had nothing to do with the original exploit.

Stablecoin borrowers using ETH collateral could not unwind because their ETH was also frozen. The normal mechanism that keeps lending markets healthy, where high borrowing rates force repayment and free up liquidity, stopped functioning. Aave’s recent slope2 changes, capping maximum borrow rates, only made the situation worse by removing the ceiling that would normally force more urgent deleveraging.

External escape hatches appeared quickly, which says a lot about how badly the normal market function had broken down. Fluid launched an aWETH redemption route into wstETH and weETH, while 1inch extended that path further by letting stuck lenders route aEthWETH into a wider range of assets. Neither restored normal Aave withdrawals nor fixed the underlying reserve imbalance. They were workarounds built on top of a market that had already stopped functioning properly.

Two dangerous dynamics emerged from there. ETH holders could not rebalance to maintain healthy loan-to-value ratios through the normal market mechanism, and liquidators could not cleanly receive underlying WETH because the reserve had effectively no idle liquidity left, meaning an ETH price drop from there could create bad debt entirely unrelated to rsETH. 

At the same time, the stress was no longer isolated to rsETH-linked positions. Funding pressure had already spread into other looped strategies across the system, and Aave’s total TVL fell by roughly 35% from the post-exploit peak.


The damage did not stop at Aave itself. Lido’s EarnETH vault carries roughly $21.6m of direct rsETH exposure through a levered position on Aave, about 9% of the vault, against a first-loss protection mechanism sized at just $3m. Ethena has approximately $270m in USDT stuck on Aave Mantle. sUSDe has slightly depegged. Curators across the ecosystem have already started pulling allocations from Aave preemptively.


The LayerZero issue added another layer of stress across the ecosystem. As a precaution, all LayerZero OFT transfers were halted, including Tether’s USDT0. LayerZero may be technically correct in claiming “zero contagion” at the smart contract level, but the market still had to reassess the reliability of the rail itself. Once that happens, every protocol built on top of it feels the fallout, whether or not it was directly compromised.

The story then took an even more revealing turn when Arbitrum’s Security Council intervened directly. On April 20, the Council froze 30,766 ETH, roughly $71M, tied to the exploiter on Arbitrum One and moved the funds to a governance-controlled address through a privileged state-level override executed by a 9-of-12 multisig. 

The mechanism involved an emergency upgrade to the Inbox contract, a temporary function that impersonated the exploiter’s address in a cross-chain transaction, and a restoration of the original contract afterwards, something that had never been used in production on any major L2.

Decentralization purists will have opinions. Under the circumstances, it was the right call. The Security Council acted with law enforcement input and through governance-defined emergency powers, and the attacker’s reaction was revealing. Once the freeze went through, the remaining funds began moving through THORChain, which saw volume spike roughly 10x normal as ETH was routed into BTC through privacy-preserving paths. They were clearly caught off guard, which suggests that coordinated defensive action across chains may be more powerful than most people realized.

The attacker has since laundered approximately $80M worth of ETH, mostly through THORChain, which earned roughly $456K in fees over a 24-hour period on $394M in swap volume. For context, THORChain’s usual daily volume sits between $10M and $35M. The same laundering pattern played out after the Bybit hack in 2025. THORChain’s official response has been to maintain its “permissionless and censorship-resistant” stance, stressing that there is no admin key and no multisig capable of freezing funds. 

At the same time, THORChain published a thread arguing that bridge-based trust models are structurally fragile and that native asset swaps are the only way to eliminate that attack surface. The critique is not wrong. It just landed awkwardly while THORChain was serving as the main laundering venue for the stolen funds.

Cryptonary's Take

We still believe DeFi is the future of finance, and that conviction is exactly why this situation is so frustrating. The problem is not just bridges, and it is not just one exploit category. Too much value in this industry still ends up depending on one fragile point somewhere in the stack, whether that is a verifier, an admin key, a signer, a committee, or a person who should never have that much power in the first place. That is the common thread across too many of these blowups. The industry has spent years optimizing growth, integrations, and headline TVL while leaving too many of those weak points in place. That has to change before the next crisis, not after it.

The damage this week goes beyond the dollars lost. If the venue that many people viewed as the safest place in DeFi can end up with frozen exits, trapped liquidity, and an unresolved dispute over who absorbs the loss, then the risk-reward for passive capital starts to look far less compelling. “Just use Aave” used to be the default answer for anyone looking for relatively safe, relatively simple DeFi yield. After this week, that reputation has taken a real hit, and pretending otherwise would be dishonest.

The threat environment is also getting worse faster than most protocols are adapting. Tools that can scan code, test assumptions, and surface hidden exploit paths are improving quickly. Today, they are being introduced as defensive research tools. Over time, similar capabilities will spread far more widely, and attackers will use them too. Every contract is public, every integration path is visible, and every shortcut will eventually be tested by someone with enough time, capital, or automation on their side. Protocols no longer have the luxury of assuming complexity will protect them.

We are still in DeFi, but we are being far more selective about where we deploy capital. Our current posture is a maximum of 5 to 10% of net worth in any single protocol, with a strong preference for battle-tested platforms that generate real revenue and have demonstrated they can respond well under pressure.

For those caught in this situation, the practical takeaway depends on where the exposure sits. Stablecoin and BTC suppliers in unaffected markets appear to be dealing with a liquidity squeeze rather than a permanent impairment of collateral, which means patience is likely the better trade than accepting steep discounts. ETH suppliers on Aave should avoid panic decisions in stressed secondary liquidity, because the outcome still depends on how the hole is ultimately handled, and there are still multiple paths to resolution. The situations that look most fragile remain wrsETH on L2s and leveraged rsETH loops, where the margin for error is much thinner.

Going forward, the threshold for deploying capital needs to be higher, but the burden cannot sit on users alone. Most people are not going to reverse-engineer bridge stacks, verifier models, and deployment configurations before making a deposit, and they should not have to. Protocols, risk teams, and interfaces need to make those risks far more visible upfront. Until that happens, users should assume that extra complexity deserves smaller sizing, wider diversification, and a much higher bar for trust.

DeFi will still win the long game. Open, programmable, permissionless capital markets remain the future, and that belief is why we build here. But the version of DeFi that wins will be harder, simpler where it matters, and far less tolerant of hidden single points of failure. Until then, protect your capital, size positions conservatively, and do not chase basis points that do not compensate for the tail risk.

Further reading: we also published a practical guide earlier this year on scams, wallet safety, and basic operational hygiene. After a week like this, it is worth revisiting.

Cryptonary, OUT!
