LayerZero Pledges 10,000 ETH to Recovery Fund After $292M Bridge Exploit
Cross-chain messaging protocol joins industry coalition targeting full restoration of stolen rsETH as blame dispute with KelpDAO remains unresolved
LayerZero, the cross-chain messaging protocol connecting more than 160 blockchains, announced a commitment of 10,000 ETH to DeFi United on April 28, joining an industry-wide effort to cover losses from a $292 million bridge exploit that struck liquid restaking protocol KelpDAO ten days earlier. The pledge adds to a growing coalition pool approaching its stated target of 100,000 ETH, part of a broader estimated requirement of roughly 120,000 ETH to fully restore the backing for rsETH, KelpDAO's receipt token for restaked Ethereum.
The attack occurred on April 18, 2026, when an actor attributed by Chainalysis to North Korea's Lazarus Group, specifically its TraderTraitor sub-group, drained 116,500 rsETH from KelpDAO's bridge connecting Unichain to Ethereum. The method was not a smart contract vulnerability. Instead, attackers poisoned the RPC infrastructure running LayerZero's own verifier node, compromised two independent machines, and swapped the op-geth binaries. With that single verifier node under attacker control, the bridge was tricked into releasing rsETH without any legitimate backing. The stolen tokens were then deposited into Aave as collateral to borrow real assets.
A Dispute Over Default Settings
LayerZero's security model allows applications to configure which verifiers must approve a cross-chain message before it executes. A setup requiring only one verifier, known as a 1-of-1 DVN (Decentralized Verifier Network) configuration, creates a single point of failure. LayerZero's official incident statement said that "[Kelp's] OApp configuration at the time of this incident relied on a 1-of-1 DVN setup, with LayerZero Labs as the sole verifier," calling this "a configuration that directly contradicts the multi-DVN redundancy model that LayerZero has consistently recommended to all integration partners."
KelpDAO pushed back directly, pointing out that the 1-of-1 configuration is LayerZero's own documented default, present in its quickstart guide and reference GitHub repositories, and that the compromised node belonged to LayerZero's own infrastructure rather than a third party. KelpDAO also stated that no specific recommendation to change its rsETH configuration arrived through the direct communications channel the two teams had maintained since July 2024.
"The compromised verifier was LayerZero's own infrastructure, not a third-party verifier," KelpDAO said in its rebuttal. Chainlink's Zach Rynes separately accused LayerZero of deflecting responsibility for its own compromised systems.
LayerZero's post-exploit response included deprecating the compromised nodes and announcing it would stop signing messages for any application still using a single-verifier setup, effectively forcing a migration across its entire developer ecosystem.
Dune Analytics data covering LayerZero OApps over a 90-day window shows that 47 percent of active contracts, roughly 2,665 in total, used the 1-of-1 configuration at the time of the exploit, representing an estimated $4.5 billion in exposure under similar conditions.
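The single point of failure in a 1-of-1 DVN setup can be checked mechanically. The following is an added example, not code from LayerZero, KelpDAO or the original article: it uses a hypothetical QuorumConfig model with constructed verifier and operator names, and generalizes beyond 1-of-1 by counting how few infrastructure operators must be compromised before a quorum is satisfied.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Verifier:
    name: str      # constructed label for one verifier (DVN)
    operator: str  # party running its off-chain nodes and RPC endpoints

@dataclass(frozen=True)
class QuorumConfig:  # hypothetical model, not LayerZero's config schema
    required: tuple       # every verifier here must approve a message
    optional: tuple = ()  # at least `threshold` of these must also approve
    threshold: int = 0

def min_compromised_operators(cfg):
    """Fewest operators whose compromise satisfies the whole quorum."""
    operators = sorted({v.operator for v in cfg.required + cfg.optional})
    for k in range(len(operators) + 1):
        for owned in combinations(operators, k):
            required_ok = all(v.operator in owned for v in cfg.required)
            optional_hits = sum(v.operator in owned for v in cfg.optional)
            if required_ok and optional_hits >= cfg.threshold:
                return k
    return None  # threshold exceeds the optional set: nothing can verify

def audit(cfg):
    """Return findings for a config; an empty list means no finding."""
    approvals = len(cfg.required) + cfg.threshold
    k = min_compromised_operators(cfg)
    if k is None:
        return ["quorum can never be met"]
    if approvals == 0:
        return ["no verifier approval required"]
    if approvals == 1:
        return ["one verifier approval is enough to execute a message"]
    if k == 1:
        return ["several verifiers, but one operator runs the whole quorum"]
    return []

# Constructed sample configurations (all names are placeholders).
A, B, C = "operator-a", "operator-b", "operator-c"
SAMPLES = {
    "one-of-one": QuorumConfig(required=(Verifier("dvn-1", A),)),
    "same-operator": QuorumConfig(
        required=(Verifier("dvn-1", A), Verifier("dvn-2", A))),
    "mixed": QuorumConfig(
        required=(Verifier("dvn-1", A),),
        optional=(Verifier("dvn-2", B), Verifier("dvn-3", C), Verifier("dvn-4", A)),
        threshold=2),
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, min_compromised_operators(cfg), audit(cfg))
```

The "same-operator" sample shows why counting verifiers alone is not enough: two required verifiers run by one operator still fall with a single infrastructure compromise.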
Coalition Assembles Quickly
DeFi United, a voluntary recovery coalition assembled roughly five days after the exploit, has drawn pledges from a wide range of protocols and individuals. Consensys and its CEO Joseph Lubin committed up to 30,000 ETH. Mantle offered 30,000 ETH through a three-year credit facility. The Aave DAO has a 25,000 ETH treasury proposal pending governance approval. Stani Kulechov, Aave's founder, pledged 5,000 ETH personally. EtherFi, Lido DAO, Kelp DAO, Compound DAO, and several foundations have made additional contributions. The Arbitrum Security Council separately froze 30,765 ETH linked to the exploiter addresses on April 21, and Aave, Kelp, and LayerZero jointly filed a proposal to Arbitrum's DAO to redirect those frozen funds into the recovery pool.
"The Ethereum ecosystem has always been at its best when it moves together," said Ethereum co-founder Joseph Lubin. "DeFi United is exactly that."
The financial fallout has been significant. Aave faces between $123 million and $230 million in bad debt depending on how the shortfall is allocated across its users. Total DeFi TVL dropped by approximately $13 billion in the 48 hours following the attack. Aave's own TVL fell 33 percent within 72 hours as whale addresses pulled more than $6 billion from the protocol. LayerZero's native ZRO token dropped roughly 22 percent in the 24 hours after the exploit and lost a further 3 percent on April 28, 2026, a decline compounded by a $40.4 million token unlock representing 5.34 percent of total supply.
Global Developer and User Exposure
The fallout carries practical weight for developers and users outside Western markets. rsETH was designed as a yield-optimised asset for ETH holders seeking returns through EigenLayer restaking, giving it broad cross-chain DeFi exposure and a retail user base spanning India, Pakistan, and other emerging markets.
Asia-Pacific accounts for an estimated 20 to 25 percent of global liquid staking and restaking TVL. In Africa, LayerZero underpins stablecoin bridge infrastructure used across Nigeria, Kenya, and Ghana, where users often access DeFi for dollar-denominated savings and remittances. A 33 percent drop in Aave TVL and a broader confidence crisis in cross-chain bridge security will likely dampen adoption in both regions in the near term. Developer teams using LayerZero's default configuration now face a mandatory migration with added cost and complexity, a particular challenge for smaller teams operating with limited security budgets.
The episode has prompted OpenZeppelin to publish a post-mortem under the title "$292 Million Lost, Zero Bugs Found," capturing a key lesson: bridge security cannot be assessed through smart contract audits alone. Off-chain verifier infrastructure carries its own attack surface, one that, as OpenZeppelin notes, the industry currently has no standard framework for auditing.
Coalition coordinators are targeting enough committed ETH to execute coordinated liquidations of the exploiter's remaining positions on Aave and Compound, with an estimated 13,000 ETH recoverable from Aave positions and a further 16,776 ETH from Compound positions, per Unchained Crypto, before external contributions cover the remainder.