$292 Million KelpDAO Heist: How a Single-Verifier Configuration Exposed DeFi’s Critical Infrastructure Weakness
Key Highlights
- The Attack: Lazarus Group drained $292M from KelpDAO using a compromised 1-of-1 DVN setup—a single point of failure that everyone knew about.
- The Contagion: One hack triggered a $13.21B DeFi exodus in 48 hours. Aave lost $8.4B in deposits as panic spread across interconnected protocols.
- The Known Risk: This vulnerability was flagged publicly in January 2025. 40% of LayerZero protocols still use the same dangerous default.
- The Pattern: Lazarus has stolen $6.75B since 2022 by attacking infrastructure, not code. They’re patient, organized, and getting smarter.
On April 18, 2026, something went very wrong in crypto. Hackers stole $292 million from KelpDAO in just minutes. Now here’s the thing—this wasn’t a typical hack. They didn’t break any code. Instead, they exploited something much simpler: a basic configuration choice that thousands of people warned about.
The impact? Massive. Aave, the largest lending platform in crypto, lost $10 billion in deposits within 48 hours. Users panicked. The whole DeFi ecosystem shook. What started as one protocol’s problem became everyone’s problem.
We’ll walk you through what happened and why it matters for anyone in crypto.
What Was Stolen?
Attackers drained 116,500 rsETH tokens from KelpDAO’s bridge. That’s about 18% of all rsETH in circulation. At the time, this was worth roughly $292 million.
Here’s how KelpDAO works: users deposit their Ethereum (ETH) with the protocol. KelpDAO then puts that ETH into a staking service called EigenLayer to earn extra rewards. In return, users get rsETH—a token that represents their staked position. This setup lets them keep their money flexible while still earning staking rewards.
The stolen rsETH was sitting in a bridge. Bridges move tokens between different blockchains. This one used technology from LayerZero, a cross-chain messaging company.
Quick timeline:
- Attack: April 18, 2026 at 17:35 UTC
- How fast: Just minutes
- What else happened: KelpDAO’s emergency system blocked a second attack trying to grab another $95 million
How Did They Actually Do This?
Here’s where it gets important. The attackers didn’t find a hole in KelpDAO’s code. They didn’t steal anyone’s password. Instead, they manipulated the infrastructure that KelpDAO relied on.
Let me break down the attack:
Step 1: They Compromised Two Computers
LayerZero’s verifier reads blockchain state from servers called RPC nodes and relies on what they report to decide whether a transaction really happened. Hackers got into two of LayerZero’s internal RPC nodes and replaced the software running on them with fake versions.

LayerZero explained what happened: “The attackers obtained the list of RPCs our DVN uses, gained access to two independent internal nodes running on separate clusters, and swapped out the software running them.”
Step 2: They Launched a DDoS Attack
At the same time, they flooded the legitimate backup computers with so much traffic that they couldn’t respond. The system needed a working computer to verify transactions. With the backup servers offline, it had only one choice: use the fake computers the hackers controlled.
Step 3: They Made a Fake Transaction Look Real
The fake computers sent a false message. They claimed rsETH was being burned on one blockchain. This never actually happened. But the verification system believed it because the computers it trusted were lying.
Chainalysis breaks down what really happened: “The system executed a correct transaction on top of a falsified view of reality.”
Step 4: The Bridge Released the Money
The bridge thought everything was fine. So it released 116,500 rsETH to the attacker’s wallet. The attacker now had $292 million.
Here’s the clever part: the fake computers were programmed to tell the truth to everyone except the verification system. LayerZero’s own monitoring tools saw normal activity. Even internal security systems didn’t catch it. That’s why it took time to notice the theft.
The Single Point of Failure
Now we get to the core issue.
KelpDAO set up its bridge with what’s called a “1-of-1 DVN configuration.” DVN stands for Decentralized Verifier Network. It’s the system that verifies whether transactions are legitimate.
Think of it this way: normally, you might have five security guards checking who enters a building. If one guard is bribed, the other four can stop them. A 1-of-1 DVN is like having only one security guard. If that one guard is compromised, everyone gets in.
LayerZero states plainly: “A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised.”
Who’s Responsible?
And this is where it gets messy.
LayerZero and KelpDAO are pointing fingers at each other.
LayerZero’s Argument
LayerZero says KelpDAO chose a dangerous setup despite clear warnings. “LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration,” LayerZero stated.
KelpDAO’s Response
KelpDAO fired back. They said LayerZero’s own documentation recommends the 1-of-1 setup.

According to CoinDesk reporting, “LayerZero’s own quickstart guide and default GitHub configuration point to a 1/1 DVN setup. The configuration Kelp ran also appears in LayerZero’s own V2 OApp Quickstart.”
The Real Problem
But here’s what makes this worse: this wasn’t even a secret. Back in January 2025—more than a year before the attack—a developer posted a warning on Aave’s governance forum. They said the 1-of-1 configuration was dangerous. A single hacked validator could drain the bridge.
Nobody fixed it.
And there’s more. About 40% of all LayerZero protocols use the same setup right now. So KelpDAO wasn’t an outlier. It was just following the default.
The Domino Effect: How One Bridge Broke DeFi
The $292 million theft was bad. But what came next was worse.
The attacker didn’t dump the stolen rsETH. Instead, they did something smarter. They deposited almost 90,000 rsETH into Aave as collateral. Then they borrowed about $190 million in real ETH and other assets.
See, Aave is DeFi’s largest lending platform. People deposit money there to earn interest. They also borrow against their deposits. And Aave’s system assumes the collateral is good. It wasn’t.
Users started panicking. If rsETH was fake, what else might be fake? People rushed to withdraw their money. This is what we call a bank run.
The Numbers
Aave’s TVL collapse:
- Before the attack: $26.3 billion
- After 48 hours: $17.9 billion
- Loss: $8.4 billion
The broader DeFi impact:
- Total DeFi TVL decline: $13.21 billion in just two days
- Number of affected protocols: 20+
- ETH borrowing rates on Aave: Hit 14% (normally around 3-4%)
Users couldn’t get their money out. ETH utilization hit 100% on Aave. There was literally nothing left to withdraw.
Multiple sources confirm the panic spread fast. Users accepted losses of 10-25% to get out, selling assets for as little as 75 cents on the dollar.
Why It Spread So Fast
And here’s why: DeFi protocols aren’t isolated. They’re connected like blocks stacked on top of each other. If one block fails, everything above shakes.
rsETH was used as collateral across lending platforms. It was held in liquidity pools. It was part of yield strategies. So when rsETH became worthless, all those connections broke at once.
Here’s how experts put it: “Other platforms may treat a hacked asset as legitimate. That’s how contagion happens.”
Who Did This?
The stolen ETH was tracked leaving the ecosystem. The attacker converted it to Bitcoin. They moved it through various networks to hide the trail.
LayerZero points to one group: “Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor.”
Who Is Lazarus Group?
Lazarus Group is North Korea’s state-backed hacking unit. They’ve been stealing crypto for years to fund North Korea’s weapons programs.
Look at their track record:
| Attack | Year | Amount | Target |
|---|---|---|---|
| Ronin Bridge | March 2022 | $625 million | Axie Infinity |
| Harmony Bridge | June 2022 | $100 million | Cross-chain bridge |
| WazirX | July 2024 | $235 million | Indian exchange |
| Bybit | February 2025 | $1.5 billion | Crypto exchange |
| Drift Protocol | April 1, 2026 | $285 million | Solana DEX |
| KelpDAO | April 18, 2026 | $292 million | LayerZero bridge |
Just in 2025, North Korean hackers stole $2.02 billion in cryptocurrency. Since 2022, they’ve stolen roughly $6.75 billion total.
And get this: UN estimates show these cyber operations account for about 40% of North Korea’s funding for weapons programs.
The Evolution of Their Tactics
Lazarus isn’t using the same playbook anymore. They’re not just looking for weak passwords or security holes in code. They’re targeting infrastructure itself.

TRM Labs and other forensics firms found something interesting: they’re using patience and planning. For the Drift Protocol attack, they spent six months building relationships with the team. They created fake job offers, sent malicious documents, and then learned the system from inside.
For KelpDAO, they took a different approach. They compromised the underlying computers. No code bugs. No password theft. Just pure infrastructure control.
April 2026: Crypto’s Worst Month Since Bybit
And here’s the thing: the KelpDAO attack wasn’t alone.
Just 17 days earlier, hackers hit Drift Protocol on Solana. That cost $285 million in just 12 minutes.
Put these two together, and you get $577 million drained in less than three weeks.
DefiLlama data shows April was brutal: 12 separate hacking incidents totaling $606 million in losses. That’s 3.7 times the total losses from the entire first quarter of 2026.
Both attacks had something in common: they targeted infrastructure, not code. The attackers used patient planning. They exploited human trust. They found the weakest point and attacked there.
What Happens Now?
The Recovery Effort
So major DeFi protocols are coordinating a rescue mission. It’s called “DeFi United.” The goal is to make rsETH whole again—to restore the value so the system doesn’t collapse.
Aave’s team explains it this way: “Aave and several major crypto firms are coordinating a recovery effort to stabilize decentralized finance (DeFi) markets after a $292 million exploit left the sector’s largest lender grappling with a large hole in collateral backing.”
Lido Finance, EtherFi, and others are offering to contribute ETH to cover the shortfall. The total hole is estimated at more than 112,000 rsETH—more than the original theft.
The Asset Freeze
Then the Arbitrum Security Council took emergency action. They froze about 30,766 ETH (worth roughly $71 million) on their network that was linked to the attacker’s wallet. This stops the attacker from moving those funds.
But here’s the catch: the attacker already moved about $175 million to new wallet addresses. Blockchain analysts are actively tracking the movement, but time matters in these situations.
LayerZero’s Forced Migration
Next, LayerZero made a major announcement. They will no longer sign messages for any application using a 1-of-1 DVN setup. This forces all protocols to upgrade their configuration.
Good news for security. Bad news for everyone else. Thousands of applications need to migrate. Plus, there’s a window where protocols are vulnerable during the upgrade.
Why This Matters for Everyone
The KelpDAO hack exposed something uncomfortable. The crypto industry’s biggest hacks aren’t just about finding bugs in code anymore.
They’re about:
- Compromising infrastructure that everyone relies on
- Social engineering to gain trust
- Patience and planning over months
- Exploiting what “everyone does” as default
Security experts spell it out: “The problem is structural, not just bugs or mistakes, and as long as bridges depend on complex systems with shared infrastructure and hidden trust assumptions, they will remain vulnerable.”
The Real Issue With “Just Add More Verifiers”
Some people say the fix is simple: just add more verifiers. Have 5 independent checks instead of 1. Problem solved, right?
Not quite.
Here’s what crypto researchers actually found: most verifiers read data from the same handful of sources. So if an attacker poisons those sources, they poison all verifiers at once.
“If five independent DVNs read from the same three RPC providers, an attacker who poisons those three RPCs will poison all five verifiers. If all your verifiers get fooled the same way at the same time, the math collapses back to 1-of-1. Five clones are not five witnesses.”
The real solution needs:
- Independent data sources – Each verifier reads from different places
- Different infrastructure – Not all on the same cloud service
- Real redundancy – True independence, not just the look of it
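To make “five clones are not five witnesses” concrete for both the 1-of-1 discussion above and this section, here is a small risk model written in Python. It is an added example, not code from the article, LayerZero or KelpDAO, and it assumes a simplified picture of a DVN: each verifier reads chain state from a set of RPC providers and only signs when every provider it can still reach agrees. The configurations, and names such as dvn-1 and rpc-a, are constructed placeholders. For a nominal M-of-N verifier setup it computes how many data sources a defender must assume an attacker controls before the threshold is met, which is the number that actually describes the configuration’s resilience.

```python
from itertools import combinations

# Constructed example configurations (not any real protocol's settings).
# Each DVN name maps to the set of RPC providers it reads chain state from.
FIVE_CLONES = {f"dvn-{i}": {"rpc-a", "rpc-b", "rpc-c"} for i in range(1, 6)}
FIVE_INDEPENDENT = {f"dvn-{i}": {f"rpc-{i}"} for i in range(1, 6)}
SINGLE = {"dvn-1": {"rpc-a", "rpc-b"}}


def fooled_dvns(dvns, poisoned, offline=frozenset()):
    """Return the DVNs that would attest to a false view of the chain.

    Model (an assumption for this example): a DVN ignores sources that are
    offline and signs only when the sources it can still reach agree. It is
    fooled when it has at least one reachable source and every reachable
    source is poisoned. Knocking honest sources offline therefore helps an
    attacker as much as poisoning them, which is why the article's
    "DDoS the backups" step matters for a 1-of-1 setup.
    """
    fooled = set()
    for name, sources in dvns.items():
        reachable = sources - offline
        if reachable and reachable <= poisoned:
            fooled.add(name)
    return fooled


def min_poisoned_sources(dvns, threshold, offline=frozenset()):
    """Smallest number of RPC sources whose poisoning fools >= threshold DVNs.

    Brute force over subsets of all sources, which is fine for the handful
    of providers a real configuration lists. Returns (count, frozenset of
    sources), or (None, None) if the threshold cannot be reached at all
    (for example threshold > number of DVNs).
    """
    all_sources = sorted(set().union(*dvns.values()) - offline)
    for k in range(1, len(all_sources) + 1):
        for subset in combinations(all_sources, k):
            if len(fooled_dvns(dvns, set(subset), offline)) >= threshold:
                return k, frozenset(subset)
    return None, None


def effective_resilience(dvns, threshold, offline=frozenset()):
    """Put the nominal M-of-N figure next to the number of data sources an
    attacker really has to control; a review checklist can flag configs
    where the second number is smaller than the first."""
    count, subset = min_poisoned_sources(dvns, threshold, offline)
    return {
        "nominal": f"{threshold}-of-{len(dvns)}",
        "sources_to_control": count,
        "example_set": sorted(subset) if subset else None,
        "collapses_below_nominal": count is not None and count < threshold,
    }


if __name__ == "__main__":
    cases = [
        ("1-of-1", SINGLE, 1),
        ("five clones, all share three RPCs", FIVE_CLONES, 5),
        ("five DVNs, each on its own RPC", FIVE_INDEPENDENT, 5),
    ]
    for label, cfg, threshold in cases:
        print(f"{label}: {effective_resilience(cfg, threshold)}")
    # The article's scenario in miniature: one honest source knocked offline,
    # so a single poisoned source is enough to fool the lone verifier.
    print("1-of-1 with rpc-b offline:",
          effective_resilience(SINGLE, 1, offline={"rpc-b"}))
```

Running it shows the collapse the researchers describe: five verifiers that all read the same three providers need only three sources poisoned, while five verifiers on separate providers need five. The same function applied to a real configuration’s provider list is a cheap pre-deployment check that “independent” DVNs really are.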
What This Means for DeFi
Wall Street is paying attention. Jefferies, a major investment bank, warned that hacks of this scale could slow institutional interest in DeFi. Banks want to move money onto blockchain. But they need security that matches traditional finance.
Right now? DeFi doesn’t have that. A single misconfiguration can cost $292 million and break the whole system.
Key Lessons
For Users
- Don’t assume big protocols are safe just because they’re big
- Learn what you’re using before you deposit money
- Know that contagion can hit protocols you trust due to problems elsewhere
- Keep most assets in self-custody, not in protocols
For Protocols
- Treat configuration as a security choice, not a technical detail
- Don’t use default setups for anything handling significant funds
- Add real redundancy—not just multiple copies of the same system
- Listen when vulnerabilities get reported and fix them fast
- Add time delays to critical governance actions
And For the Industry
- Admit that bridges are a critical weak point
- Stop treating infrastructure as separate from security
- Fund and support research on these vulnerabilities
- Create actual standards for what “safe” means
- Prepare for attacks from sophisticated state actors, not just lone hackers
The Bigger Picture
The KelpDAO hack is part of a larger pattern. In 2026 alone, attackers have hit Drift Protocol, KelpDAO, and multiple other systems. They’re getting better, more patient, and targeting infrastructure instead of code.
CoinDesk breaks it down this way: “The pattern points to state-backed operational warfare rather than isolated smart-contract bugs as the sector’s dominant security threat.”
This isn’t just a technical problem. It’s a geopolitical one. North Korea is funding weapons programs with crypto theft. The industry needs to treat it that way.
The next hack is probably already being planned. The question isn’t whether bridges will be targeted again. The question is whether the industry will fix the problems we already know about before it happens.
$292 million is expensive. But the real cost is the loss of trust that comes after.
Editor’s Note: This article sources information from official statements by LayerZero and KelpDAO, reporting from CoinDesk, analysis from Chainalysis and TRM Labs, and data from DefiLlama. All figures and timelines are based on verified reports from multiple sources in the blockchain security community as of April 24, 2026.
