The attack removed roughly 18% of rsETH's total circulating supply, valued at approximately $292 million at the time. Within 48 hours, total DeFi TVL (total value locked, the aggregate amount of assets deposited across protocols) fell from around $99.5 billion to $86.3 billion. Aave, a leading lending platform in the sector, saw its own TVL drop from roughly $26.4 billion to $17.9 billion as confidence in rsETH as collateral evaporated.

How the Attack Worked

The attack exploited a single weak point in LayerZero's cross-chain messaging infrastructure. LayerZero routes messages between blockchains using entities called Decentralized Verifier Networks, or DVNs. These are off-chain systems that confirm whether a cross-chain transaction is legitimate before it is executed. Kelp DAO's configuration required only one DVN signature to authorize any transaction, a setup known as 1-of-1. When that single DVN was compromised, the attacker was able to forge a message claiming to originate from Kelp's Unichain deployment, despite no corresponding transaction existing on that chain. The fraudulent message released 116,500 rsETH from Kelp's Ethereum adapter contract.

Security firm Blockaid traced the attacker's wallets to Tornado Cash, a cryptocurrency mixer used to obscure fund origins. LayerZero has preliminarily attributed the attack to Lazarus Group, the North Korean state-linked hacking collective, though this has not been independently confirmed by law enforcement. The attacker deposited 89,567 of the stolen rsETH tokens into Aave V3 as collateral and borrowed approximately $190 million in ETH and wrapped ETH before routing funds through consolidation addresses and exchange deposit wallets. Kelp's emergency multisig paused the protocol 46 minutes after detection, blocking an estimated $200 million in follow-up theft.

A Public Dispute Over Defaults

The incident has triggered an unusually public argument between two major infrastructure providers. Kelp DAO contends that the compromised DVN was part of LayerZero's own infrastructure, not a third-party verifier, and that the 1-of-1 configuration matched LayerZero's documented quickstart guide and default GitHub code samples. LayerZero responded by saying its protocol was not broken and that Kelp had deployed a single-point-of-failure setup despite holding over one billion dollars in TVL. LayerZero claimed it had previously communicated best practices around DVN diversification to partners.

Independent voices have sided more with Kelp. Banteg, a core developer at Yearn Finance, noted that LayerZero's reference deployment "ships with single-source verification defaults." Zach Rynes of Chainlink accused LayerZero of "deflecting responsibility" and "throwing Kelp under the bus." Blockaid's post-incident analysis put the broader problem plainly: "Smart contract audits remain necessary. They are not sufficient."

LayerZero announced it will stop signing messages for any protocol still using a 1-of-1 DVN setup, forcing a protocol-wide migration. An estimated 40% of protocols currently deployed on LayerZero use this configuration, meaning the fallout extends well beyond Kelp.

Aave's Unresolved Exposure

Aave has frozen rsETH markets while its DAO assesses potential losses. Analysts have modeled two scenarios. If the shortfall is spread across all rsETH holders through a roughly 15% depeg, bad debt sits around $123 million. If losses are concentrated on specific networks such as Arbitrum or Mantle, the figure could reach $230 million. Aave's DAO treasury holds approximately $181 million, meaning the lower scenario would substantially draw on reserves while the higher scenario could exceed them entirely. The AAVE governance token fell roughly 2.5% in the 24 hours following the exploit.

Regional Fallout: India and Africa

Kelp DAO carries particular weight in South Asia. Co-founders Amitej Gajjala and Dheeraj Borra are Indian entrepreneurs who previously built Stader Labs, a multichain liquid staking platform with over $500 million in TVL. Launched in November 2023, Kelp DAO scaled to more than $1 billion in TVL in roughly 29 months. Gajjala held senior roles at Swiggy and Zapr Media Labs before entering DeFi. The protocol's collapse is a significant reputational moment for Indian-founded DeFi infrastructure, which had earned broader credibility through Stader's track record.

The 1-of-1 DVN default is also a direct concern for South Asian developers, who represent a significant and growing share of Web3 builders globally and frequently rely on framework defaults when deploying protocols.

In Africa, Aave serves as a primary borrowing tool for users in Nigeria, Kenya, and South Africa who access dollar-denominated liquidity against crypto collateral. Kenya's BitKE ran the Aave TVL collapse as a lead story. The forced freeze of rsETH markets and uncertainty around bad debt resolution add a layer of platform risk for African retail users who have entered DeFi amid persistent local currency volatility, including the sharp depreciation of the Nigerian naira that has made dollar-denominated DeFi yields increasingly attractive across the region.

What Comes Next

This is the second major exploit attributed to Lazarus Group in 17 days. On April 1, the group drained $285 million from Solana-based Drift Protocol through social engineering of governance signers. Combined, the preliminary Lazarus tally for April 2026 exceeds $575 million across two structurally different attack vectors. SparkLend, Fluid, and Upshift Finance have frozen operations as a precaution, and Lido paused deposits preemptively. Whether Aave's DAO pursues a mutualized loss distribution, draws on treasury reserves, or pursues another resolution remains the most consequential open question for DeFi's largest lending market.