BroadChain, April 24, 04:16 - Kelp DAO's LayerZero-based rsETH cross-chain bridge was breached in the early hours of April 19, with 116,500 rsETH (approximately $292 million) flowing out of the mainnet without corresponding burn records. The attacker bypassed the lzReceive verification logic and forged cross-chain messages to directly trigger reserve releases. Kelp paused the contract within an hour, but if the follow-up attacks had succeeded, total losses would have reached $391 million.
The root cause of this attack lies in Kelp's adoption of LayerZero's weakest security configuration, 1/1 DVN, in which a single validator signature is sufficient for approval. Shalev Keren, co-founder of cryptographic security firm Sodot, pointed out that this is a "single point of failure" that cannot be fixed through audits. As early as January 2025, a team had reminded the Aave governance forum to expand to multi-DVN verification, but 15 months later this had still not been implemented. LayerZero later stated that it had repeatedly urged upgrades, and announced that it would stop approving messages for single-validator applications.
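The 1/1 DVN weakness described above can be checked mechanically before a pathway goes live. The following is an added example, not code from Kelp, LayerZero or the original report; the `PathwayConfig` model, its field names and the sample DVN names are constructed assumptions and do not reproduce LayerZero's actual configuration format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PathwayConfig:
    """Simplified, hypothetical model of one pathway's verifier (DVN) settings."""
    name: str
    required_dvns: tuple          # every listed DVN must attest
    optional_dvns: tuple = ()     # pool of additional DVNs
    optional_threshold: int = 0   # how many from the pool must also attest

def min_signers_to_forge(cfg: PathwayConfig) -> int:
    """Fewest distinct DVN signers whose compromise gets a forged message verified."""
    required, optional = set(cfg.required_dvns), set(cfg.optional_dvns)
    if cfg.optional_threshold > len(optional):
        raise ValueError(f"{cfg.name}: threshold exceeds optional DVN pool")
    # A DVN listed in both sets adds no independence: it is already counted.
    overlap = len(required & optional)
    return len(required) + max(0, cfg.optional_threshold - overlap)

def audit(configs, minimum=2):
    """Return (name, signers) for every pathway below the required minimum."""
    return [(c.name, n) for c in configs
            if (n := min_signers_to_forge(c)) < minimum]

# Constructed sample data; DVN and pathway names are placeholders.
SAMPLE = [
    PathwayConfig("single-1of1", ("dvn-a",)),
    PathwayConfig("two-required", ("dvn-a", "dvn-b")),
    PathwayConfig("one-plus-1of2", ("dvn-a",), ("dvn-b", "dvn-c"), 1),
    PathwayConfig("duplicate-dvn", ("dvn-a",), ("dvn-a", "dvn-b"), 1),
]

if __name__ == "__main__":
    for name, n in audit(SAMPLE):
        print(f"{name}: forged message needs only {n} compromised signer(s)")
```

The `duplicate-dvn` case shows a configuration that lists several verifiers yet still depends on a single signer, which a count of configured DVNs alone would miss.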
The attacker deposited the stolen rsETH into lending platforms such as Aave and Compound, borrowing over $236 million in real assets. Aave's freezing of the market triggered a withdrawal wave exceeding $10 billion, and at least nine protocols, including Fluid, Upshift, and Lido Earn, initiated emergency responses. SparkLend had already delisted rsETH in January 2026, highlighting the industry's divergent risk perceptions regarding LRT-type assets.
LayerZero attributed the attack to North Korea's Lazarus Group, but Cyvers did not adopt this conclusion, because the malicious node software automatically cleared its traces, making forensic investigation difficult. The two incidents, this one and the Drift Protocol loss of $285 million three weeks ago, indicate that DeFi's existing security framework can no longer cope with current threats. The industry needs systematic upgrades in protocol design, collateral risk control, operational security, and intelligence sharing.
