Kelp DAO Abandons LayerZero for Chainlink After $292M Bridge Exploit Linked to North Korea
Liquid restaking protocol rsETH moves to rival cross-chain infrastructure following April attack that wiped $13 billion from DeFi in two days. A rejected bug bounty report is now at the center of a public blame dispute.
Kelp DAO announced on May 5, 2026, according to The Block, that it will migrate its rsETH token's cross-chain infrastructure away from LayerZero and onto Chainlink's Cross-Chain Interoperability Protocol (CCIP). The decision follows an April 18 exploit in which attackers drained approximately 116,500 rsETH tokens worth roughly $292 million in approximately 46 minutes. LayerZero and cryptocurrency outlet Unchained Crypto have attributed the attack to North Korea's Lazarus Group, specifically a subunit known as TraderTraitor. The attack is the largest single DeFi hack recorded so far in 2026.
How the Exploit Worked
The breach targeted a configuration weakness rather than a flaw in Kelp's smart contracts. Kelp had deployed rsETH using LayerZero's Omnichain Fungible Token (OFT) standard with a 1-of-1 DVN setup. A DVN, or Decentralized Verifier Network, is the set of validators that must confirm a cross-chain message before any tokens are minted or transferred. A 1-of-1 configuration means a single entity handles that verification. In Kelp's case, that entity was LayerZero Labs itself. Attackers from Lazarus Group compromised two RPC nodes that fed data to LayerZero's verifier, then knocked the remaining nodes offline via a distributed denial-of-service attack. With only poisoned data sources remaining, the verifier approved fraudulent minting instructions. The stolen tokens were then used as collateral on Aave to borrow approximately 126,000 WETH, worth around $236 million, before contracts were paused. Reports also indicate that two additional forged transactions totaling more than $100 million were signed before the pause; it remains unconfirmed whether that sum is included within the $292 million total or represents separate attempted theft that was ultimately stopped. Following the exploit, rsETH became stranded across more than 20 chains, leaving token holders unable to move or redeem their assets.
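The failure mode described above, as an added example that is not code from the article, LayerZero or Kelp: a simplified Python model of a verifier that signs whatever its reachable RPC endpoints agree on, beside one that fails closed, combined with a 1-of-1 versus 2-of-2 verifier threshold. The count of five endpoints, the placeholder hashes and all function names are assumptions made for illustration.

```python
from collections import Counter

HONEST = "0xaaa"  # constructed placeholder: payload hash really emitted on the source chain
FORGED = "0xbad"  # constructed placeholder: payload hash served by poisoned endpoints

def _top(responses):
    """Most common answer among reachable endpoints (None = endpoint unreachable)."""
    live = [r for r in responses if r is not None]
    return Counter(live).most_common(1)[0] if live else (None, 0)

def naive_attest(responses):
    """Fail-open: sign whatever the reachable endpoints unanimously report."""
    value, votes = _top(responses)
    reachable = sum(r is not None for r in responses)
    return value if votes and votes == reachable else None

def quorum_attest(responses):
    """Fail-closed: require a strict majority of ALL configured endpoints,
    so unreachable endpoints count against the result instead of vanishing."""
    value, votes = _top(responses)
    return value if votes > len(responses) // 2 else None

def message_verified(attestations, required, payload):
    """M-of-N verifier threshold: accept only if `required` verifiers attest to payload."""
    return sum(a == payload for a in attestations) >= required

def scenario():
    # Constructed: verifier A has five RPC endpoints, two poisoned, three offline.
    verifier_a = [FORGED, FORGED, None, None, None]
    # Constructed: an independent verifier B with its own, untouched endpoints.
    verifier_b = [HONEST] * 5
    return {
        "1of1_naive_forged": message_verified([naive_attest(verifier_a)], 1, FORGED),
        "1of1_quorum_forged": message_verified([quorum_attest(verifier_a)], 1, FORGED),
        "2of2_naive_forged": message_verified(
            [naive_attest(verifier_a), naive_attest(verifier_b)], 2, FORGED),
        "2of2_quorum_honest": message_verified(
            [quorum_attest(verifier_b), quorum_attest(verifier_b)], 2, HONEST),
    }

if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: message accepted = {accepted}")
```

Only the fail-open verifier in a 1-of-1 setup accepts the forged payload; either a fail-closed source quorum or a second independent verifier rejects it, while an honest message still passes.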
Market Fallout
The fallout extended well beyond Kelp, which had held more than $2 billion in total value locked before the attack. Aave was left with between $177 million and $246 million in bad debt from rsETH collateral positions that could no longer be unwound at full value. Lending protocols SparkLend and Fluid also froze their rsETH markets immediately following the breach. Aave's total value locked dropped from $26.4 billion to $20.7 billion within 48 hours. Across DeFi broadly, $13.21 billion in total value locked was erased in two days. LayerZero's native token ZRO fell roughly 18 to 22 percent, sliding from approximately $2.00 to around $1.40 to $1.52. AAVE fell about 10 percent over the same window. Separately, Ethena, ether.fi, Tron DAO, and Curve Finance each froze their own LayerZero bridges as a precaution. All price figures are subject to final verification against CoinGecko and CoinMarketCap at time of publication.
The Blame Dispute
A public dispute over responsibility has sharpened since the exploit. Kelp DAO stated that LayerZero personnel reviewed its bridge configuration across more than eight integration discussions over 2.5 years without flagging the 1-of-1 setup as a material security risk. Screenshots circulated by Kelp reportedly show a LayerZero team member indicating there was no problem using default settings and tagging a colleague who had previously suggested that Kelp might want to use a custom DVN setup. LayerZero pushed back, saying Kelp had originally deployed with multiple verifiers and then manually downgraded to a single-verifier setup. The company stated in its postmortem that Kelp's 1-of-1 configuration was outside the scope of its bug bounty program. That last point carries weight because security researcher Sujith Somraaj had submitted a bug bounty report before the exploit that described the precise attack vector. LayerZero rejected it.
A Systemic Risk Across DeFi
Dune Analytics data surfaced after the exploit showed that Kelp was not an isolated case. Approximately 47 percent of active LayerZero OApp contracts, as of late April, use a 1-of-1 DVN configuration. Only 45 percent use a 2-of-2 setup, and around 5 percent use three or more verifiers. The total value exposed across those single-verifier contracts exceeds $4.5 billion. LayerZero has since announced it will stop relaying messages for any application still running a 1-of-1 configuration, which will require dozens of protocols to reconfigure or migrate urgently.
The incident carries specific weight for developer communities in South Asia and Africa. Kelp DAO was co-founded by Amitej G and Dheeraj B, both India-based entrepreneurs who previously built Stader Labs, a multichain liquid staking platform. The exploit is a visible setback for a DeFi infrastructure project rooted in the South Asian builder ecosystem. In Africa, where Nigeria, Kenya, Ghana, and South Africa have seen growing DeFi adoption partly driven by users seeking dollar-denominated yield against local currency depreciation, cross-chain bridges are common daily-use infrastructure. The 47 percent statistic means the configuration risk that allowed the Kelp attack is present in a wide range of bridge products active in those markets. Halborn Security noted in its post-incident analysis that the exploit "demonstrates the risks of centralization of critical roles in Web3" and that "decentralization protects against compromised accounts and systems."
What Comes Next
Kelp's replacement, Chainlink CCIP, uses a dual decentralized oracle network structure with separate committing and executing layers, plus a dedicated Risk Management Network that monitors cross-chain operations independently and can trigger emergency halts. Whether CCIP eliminates bridge risk entirely is a separate question. Bridge attacks have cost the crypto industry more than $1.4 billion since 2022, including the $625 million Ronin exploit, a $130 million Multichain breach, and the Kelp incident itself. A coalition called DeFi United, including Consensys, Lido, and EtherFi, has pledged more than $300 million toward recovery for affected users, though the repayment structure, including whether these commitments take the form of grants, loans, or insurance payouts, has not been publicly clarified. April 2026 closed with $651 million in total hack losses across the industry, with the Kelp incident accounting for nearly half of that figure.