
North Korea is likely behind Kelp DAO exploit

LayerZero has blamed North Korea–backed Lazarus Group for the $292 million exploit of Kelp DAO, the largest decentralized finance (DeFi) hack reported so far in 2026.

The April 18 incident saw 116,500 rsETH tokens illegitimately created and then funneled into Aave, triggering bad debt risks across one of DeFi’s biggest lending markets and shaking confidence across the broader sector.

How the attack unfolded

LayerZero’s post-mortem found that the attacker infiltrated LayerZero Labs’ Decentralized Verifier Network (DVN) by compromising remote procedure call (RPC) nodes:

  • Two RPC nodes were taken over and used to generate fake cross-chain messages.
  • Clean nodes were simultaneously knocked offline through a distributed denial-of-service (DDoS) attack.

Kelp DAO had configured its DVN with a 1-of-1 verifier: a single, non-redundant validator for cross-chain messages. This design created a single point of failure. Once the attacker controlled the compromised node, a counterfeit message passed verification, unlocking and minting rsETH that should not have existed.

LayerZero said the issue was specific to this single-verifier setup. Applications using multi-verifier configurations remained operational and were not affected.
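
The difference between the 1-of-1 and multi-verifier setups can be shown with a small model. This is an added example, not LayerZero or Kelp DAO code: the verifier names, RPC labels, thresholds and the rule for when a verifier signs are all constructed assumptions.

```python
# Simplified model (added example): names, RPC labels and configs are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    rpc_nodes: frozenset  # RPC endpoints the verifier reads source-chain state from

@dataclass(frozen=True)
class AppConfig:
    app: str
    verifiers: tuple      # verifiers allowed to attest to a cross-chain message
    threshold: int        # attestations required before the message is accepted

def attests_to_forgery(v, compromised, offline):
    """Model assumption: a verifier signs a forged message only when every
    RPC node it can still reach is attacker-controlled."""
    reachable = v.rpc_nodes - offline
    return bool(reachable) and reachable <= compromised

def forged_message_accepted(cfg, compromised, offline):
    votes = sum(attests_to_forgery(v, compromised, offline) for v in cfg.verifiers)
    return votes >= cfg.threshold

def audit(cfg):
    """Return config findings a reviewer would raise before deployment."""
    findings = []
    if not 1 <= cfg.threshold <= len(cfg.verifiers):
        findings.append("invalid threshold")
    if cfg.threshold == 1:
        findings.append("one attestation is enough: single point of failure")
    seen = set()
    for v in cfg.verifiers:
        if seen & v.rpc_nodes:
            findings.append(f"{v.name} shares RPC nodes with another verifier")
        seen |= v.rpc_nodes
    return findings

# Constructed scenario: rpc-a1/a2 compromised, rpc-a3 (clean) knocked offline.
COMPROMISED = frozenset({"rpc-a1", "rpc-a2"})
OFFLINE = frozenset({"rpc-a3"})
dvn_a = Verifier("dvn-a", frozenset({"rpc-a1", "rpc-a2", "rpc-a3"}))
dvn_b = Verifier("dvn-b", frozenset({"rpc-b1", "rpc-b2"}))
dvn_c = Verifier("dvn-c", frozenset({"rpc-c1", "rpc-c2"}))
single = AppConfig("app-1of1", (dvn_a,), 1)
multi = AppConfig("app-2of3", (dvn_a, dvn_b, dvn_c), 2)

if __name__ == "__main__":
    for cfg in (single, multi):
        print(cfg.app, forged_message_accepted(cfg, COMPROMISED, OFFLINE), audit(cfg))
```

In this model the 2-of-3 configuration only helps while the verifiers read from independent RPC infrastructure; the audit flags overlap for that reason.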

Immediate response from LayerZero

Following the exploit, LayerZero:

  • Confirmed no cross-contamination of assets in other applications using multi-verifier DVNs.
  • Suspended message signing for any projects that use a similar single-verifier architecture.
  • Began working with law enforcement to trace the stolen funds and support ongoing investigations.

The firm is accelerating migration of affected projects to more resilient multi-DVN models and has halted support for the vulnerable 1-of-1 configuration.

Aave hit with potential bad debt

Instead of selling the illegitimately minted rsETH, the attacker moved to Aave, using the tokens as collateral:

  • The exploiter deposited the stolen rsETH into Aave V3.
  • They then borrowed around $236 million in Wrapped Ether (WETH) against that collateral.

Because the underlying rsETH collateral was effectively worthless, this maneuver created an estimated $177 million to $236 million in potential bad debt on Aave.

In response, Aave:

  • Froze rsETH markets across its latest versions to limit further exposure.
  • Confirmed it will evaluate measures to address any realized deficit arising from the event.

Outflows and shock across DeFi

The exploit quickly triggered heavy withdrawals and broader market stress:

  • Blockchain data shows Aave’s total assets supplied fell to $35.7 billion from $45.8 billion shortly after the incident.
  • Over the following two days, one dataset recorded Aave’s total value locked (TVL) shrinking by $8.45 billion to about $17.95 billion, as users rushed to reduce exposure.

The native AAVE token dropped nearly 20% in the 25 hours after news of the exploit and emerging bad debt risk.

The shock spread to other platforms:

  • Multiple DeFi protocols, including Ethena, ether.fi, Tron DAO, and Curve Finance, paused their omnichain bridge operations as a precaution.
  • DefiLlama data showed DeFi-wide TVL falling around 7% within 24 hours, from $99.5 billion to $86.3 billion.
  • Broader lending platforms also saw pressure, with Morpho alone logging roughly $716 million in outflows.

Systemic impact and architecture risk

Analysts say the incident highlights two intertwined vulnerabilities:

  • Concentrated technical dependencies, such as a single verifier in a cross-chain messaging system.
  • The systemic risk created when compromised or fictitious collateral is routed into major money markets like Aave.

By using fake rsETH to borrow real, high-liquidity assets such as WETH, the attacker transformed a protocol-level failure at Kelp DAO into a sector-wide credit event.

Attention has since focused on cross-chain messaging security. LayerZero emphasized that:

  • Applications using multi-verifier DVNs were insulated from the specific exploit path used in this attack.
  • The company has suspended support for single-verifier architectures and is pushing a rapid transition to multi-DVN deployments.

Lazarus Group attribution and rising losses

LayerZero attributed the exploit to Lazarus Group, a North Korean state-sponsored hacking organization widely linked to previous large-scale crypto thefts.

This incident helped make April 2026 the highest month for stolen value since February 2025:

  • Total losses from exploits in April have exceeded $606 million.
  • Lazarus Group alone was associated with more than $2 billion in crypto theft during 2025.

The continuing investigation is now focused on tracking the movement of funds, mapping any further exposure across connected DeFi systems, and assessing whether additional protocols may share similar architectural vulnerabilities.



Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
