The decentralized finance (DeFi) sector was rocked over the weekend by a massive cyberattack. Kelp DAO, a cross-chain bridge protocol, suffered the theft of 116,500 rsETH, resulting in a total loss of $292 million. This incident stands as the largest DeFi breach of the year so far. Kelp DAO plays a key role in facilitating asset transfers between different blockchains—especially for Ethereum-based projects—and is built on the prominent LayerZero infrastructure.
How the attack unfolded
The breach reportedly occurred on April 18. According to a technical explanation by LayerZero, attackers gained control of the list of RPC nodes used within LayerZero Labs’ decentralized verification network (DVN). By corrupting two of these nodes, they launched a denial-of-service attack and managed to submit a fraudulent cross-chain message, which the system mistakenly recognized as legitimate. As a result, the network approved an unauthorized transaction, causing the loss of 116,500 rsETH tokens. This vulnerability was directly linked to Kelp DAO’s use of a single-verifier structure in the DVN, rather than a multi-verifier system.
“LayerZero and other external parties previously provided best practice guidance on DVN diversification to the Kelp DAO team. Despite all these warnings, Kelp DAO continued to operate with a 1/1 DVN configuration.”
Debate over critical configuration
In its report, LayerZero emphasized that Kelp DAO’s reliance on a single-verifier DVN setup created a significant vulnerability in the system. This method, which bypassed independent oversight, left a single point of failure open to exploitation. In response, Kelp DAO stated that the configuration was listed as a default option in LayerZero’s own documentation and was approved through direct communication with the protocol’s team.
Kelp DAO also noted that it has been operating on the LayerZero infrastructure since January, maintaining ongoing communication between teams. In an official statement, the company clarified that they initiated a comprehensive review, blacklisted the attackers’ wallets, and suspended relevant smart contracts. This quick intervention was crucial in containing the situation. The team said all steps toward resuming the protocol would be carefully evaluated.
Risks extend to Aave protocol
The repercussions of the Kelp DAO breach have rippled across the crypto ecosystem. The attacker deposited a significant portion of the stolen rsETH into the Aave V3 protocol as collateral and borrowed 82,650 WETH and 821 wstETH against it. This raises the risk of bad debt accumulating within Aave.
A recent Aave report shows the attacker used 89,567 rsETH (worth around $221 million) as collateral in high-volume loans. Due to Kelp DAO’s lack of clear guidance on how losses will be shared among users or how restitution would occur, Aave’s governance outlined two possible scenarios.
In the first scenario, if the loss is distributed proportionally across all networks, the rsETH supply could lose 15.12% of its value, resulting in approximately $123.7 million in bad debt on Aave. The Ethereum mainnet would see the largest hit at $91.8 million, although deeper reserves there limit the proportional loss. On platforms with lower reserves such as Mantle, the proportional loss could climb to 9.54%.
In the second scenario, if only the L2 network rsETH is affected and Ethereum mainnet assets remain fully collateralized, L2 assets would be subject to a steep 73.54% cut—a situation that would create $230.1 million in bad debt. Here, Aave’s $54 million “WETH Umbrella” insurance fund could only be deployed under the first scenario.
The outcome largely depends on Kelp DAO’s accounting processes and LRTOracle ratio updates, according to Aave’s management. Aave also noted that it holds $181 million in assets and has secured additional support commitments from its community to address any potential shortfalls.
