LayerZero has released new details about the recent large-scale cyberattack targeting Kelp DAO, clarifying how the incident unfolded. Technical analysis suggests that the North Korea-linked Lazarus Group, specifically its TraderTraitor arm, may have orchestrated the breach. The attack targeted the cross-chain bridge running on Kelp DAO’s LayerZero infrastructure, resulting in the loss of 116,500 rsETH tokens—assets valued at approximately $292 million. This event has quickly become the largest decentralized finance (DeFi) hack reported in 2024.
Single-point vulnerability exposes Kelp DAO
According to technical findings, the attackers obtained the list of RPC nodes used in LayerZero Labs’ decentralized validation network. They then compromised two nodes and used them to send counterfeit messages into the cross-chain validation system. At the same time, the attackers launched a targeted DDoS attack on the remaining active nodes, forcing the network to rely solely on the compromised nodes for message validation.
Because Kelp DAO operated with a single validation node (a 1/1 DVN setup), the breach enabled hackers to infiltrate the system directly. In its post-incident statement, LayerZero underscored that Kelp DAO had been made aware of the risks but chose not to upgrade its infrastructure.
“Because there was no independent second validator, the fake message was easily accepted. Both LayerZero’s own team and external experts had previously urged designs with multiple DVNs, but Kelp DAO persisted with its single-node model,” their statement emphasized.
LayerZero has stressed that there is no risk of the attack spreading to other assets or applications. The company assured that apps operating with multiple validators remain unaffected and announced it will no longer support systems that rely on just one validator. Investigations into the hack are ongoing, with several law enforcement agencies now involved and efforts underway to track the stolen funds.
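The difference between a 1/1 DVN setup and a multi-DVN design, as an added example that is not LayerZero's or Kelp DAO's code: a simplified Python model in which a message is accepted only when every required verifier, plus a threshold of optional ones, attests to the same payload hash. The class, field and DVN names and the sample hashes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pathway:
    """Hypothetical verifier settings for one cross-chain pathway."""
    name: str
    required: tuple = ()         # every DVN listed here must attest
    optional: tuple = ()         # extra DVN pool
    optional_threshold: int = 0  # how many of the pool must also attest

def min_attesters(p):
    """Fewest distinct DVNs whose agreement gets a message accepted."""
    return len(set(p.required)) + p.optional_threshold

def is_verified(p, attestations, payload_hash):
    """attestations maps DVN name -> payload hash that DVN signed off on."""
    agree = {dvn for dvn, h in attestations.items() if h == payload_hash}
    if not p.required and p.optional_threshold == 0:
        return False             # no verifier configured: reject, never default-accept
    if not set(p.required) <= agree:
        return False
    pool = set(p.optional) - set(p.required)   # a DVN counts only once
    return len(agree & pool) >= p.optional_threshold

def audit(pathways, minimum=2):
    """Names of pathways that fewer than `minimum` DVNs can verify alone."""
    return [p.name for p in pathways if min_attesters(p) < minimum]

# Constructed sample data: dvn-1 has been fed tampered data and attests to a
# forged payload; the independent DVNs attest to the genuine one.
GENUINE, FORGED = "0xaaaa", "0xffff"
ATTESTATIONS = {"dvn-1": FORGED, "dvn-2": GENUINE, "dvn-3": GENUINE}
PATHWAYS = [
    Pathway("one-of-one", required=("dvn-1",)),
    Pathway("two-required", required=("dvn-1", "dvn-2")),
    Pathway("one-plus-quorum", required=("dvn-1",),
            optional=("dvn-2", "dvn-3", "dvn-4"), optional_threshold=2),
]

def forged_accepted():
    """Which pathways would accept the forged payload in this scenario."""
    return [p.name for p in PATHWAYS if is_verified(p, ATTESTATIONS, FORGED)]

if __name__ == "__main__":
    print("single-verifier pathways:", audit(PATHWAYS))
    print("accept forged payload:  ", forged_accepted())
```

In this model the two-required pathway also holds back the genuine payload while dvn-1 disagrees, which is the liveness cost of requiring independent agreement.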
Major fallout on Aave platform
The Kelp DAO exploit sent shockwaves through the Aave ecosystem. The attacker deposited stolen rsETH tokens into Aave V3 and borrowed significant sums in WETH (Wrapped Ether), which led to the creation of bad debt in certain Aave markets. In response, Aave froze rsETH markets on both V3 and V4 in an attempt to contain potential losses.
Stani Kulechov, founder of Aave, explained, “rsETH is now frozen on both V3 and V4; borrowing is disabled, and the event originated outside of Aave via the Kelp DAO bridge. As of now, Aave has no further exposure to rsETH.”
Despite these measures, significant outflows were recorded from Aave. According to Aavescan, total value locked (TVL) on Aave plunged from $45.8 billion to $35.7 billion in the aftermath—a reduction of over $10 billion. Reacting to the threat, Aave community leader Marc Zeller urged users to expedite WETH withdrawals.
Aave’s management has also stated its commitment to seeking remedies if bad debt continues to accumulate across the protocol.
Mounting structural fragility in DeFi
In the wake of the Kelp DAO breach, several DeFi projects leveraging LayerZero’s protocols have suspended interactions with affected bridges as a precaution. The freeze extends to major platforms such as Ethena, ether.fi, Tron DAO, and Curve Finance. Reflecting the growing risk in the sector, DeFiLlama reported that the industry’s total value locked shrank by 7% within 24 hours, dropping from $99.5 billion to $86.3 billion as of April 18.
Min Jung of Presto Research remarked that the recent hack highlights deep-seated vulnerabilities in the DeFi infrastructure and the dangers of over-centralized security layers:
“The Kelp DAO event spotlights ongoing issues in cross-chain structures. After recent incidents like the Drift exploit, such attacks force users to reconsider whether the promised returns are worth the inherent risk.”
Industry experts now believe that the surge in large-scale hacks may accelerate significant innovation in DeFi risk management and architecture. Numerous projects across the space have begun exploring more robust and secure alternatives for their systems.



