exploits | April 20, 2026 | 4 min read

Kelp DAO's $292M Hack and Aave's $6B Fallout: One Config Parameter Broke DeFi

Aron Turner, Co-Founder & CTO

Updated on April 20, 2026

TL;DR

On April 18, 2026, an attacker drained 116,500 rsETH (about $292M, roughly 18% of circulating supply) from Kelp DAO's LayerZero-powered bridge, supplied the unbacked tokens as collateral on Aave V3, and borrowed roughly $266M in ETH.

Aave's TVL fell about $6.6B in 24 hours, WETH utilization pinned at 100%, and the protocol is holding around $196M in unbacked WETH liabilities.

There was no Solidity bug. Kelp's bridge trusted a single LayerZero DVN, and that DVN was compromised. LayerZero has attributed the attack to DPRK's Lazarus Group (TraderTraitor).


How the Kelp DAO $292M Exploit Worked

Attack flow at a glance

  1. Source. Attacker prepares a forged cross-chain packet on Unichain (LayerZero eid 30320). No rsETH is actually burned.
  2. Verifier. Kelp's sole DVN (0x589dedbd…236b, a LayerZero Labs DVN) signs the forged packet after attackers swap the binary on two of its RPC nodes and DDoS the rest.
  3. Release. lzReceive fires on Ethereum at block 24,908,285 (17:35:35 UTC, 2026-04-18). Kelp's OFT adapter releases 116,500 rsETH ($292M) to the attacker.
  4. Loot. Attacker supplies the unbacked rsETH to Aave V3 on Ethereum + Arbitrum as collateral, borrows $266M ETH at the 93% E-Mode LTV cap via recursive looping.
  5. Pause (+46 min). Kelp's multisig fires pauseAll, blocking two follow-up attempts that would have released another ~$200M.
  6. Cold. Attacker consolidates $266M ETH across two hub wallets. Funds haven't moved since.

The DVN compromise

Kelp's rsETH OFT (Omnichain Fungible Token) adapter (0x85d456B2DfF1fd8245387C0BfB64Dfb700e98Ef3) was configured to accept messages from a 1-of-1 Decentralized Verifier Network. One verifier, one signature, full release authority.

Per LayerZero's April 20 incident statement, attackers swapped the binary on two of that DVN's RPC nodes with malicious builds, then DDoS'd the remaining healthy nodes. The verifier (0x589dedbd617e0cbcb916a9223f4d1300c294236b, a LayerZero Labs DVN) consumed the poisoned feed and signed a forged cross-chain packet.

The forged packet and the config that let it in

The forged packet originated from Unichain (LayerZero endpoint ID / eid 30320). Kelp's setConfig call installing that 1-of-1 DVN for the Unichain route was tx 0x2d48d933…0592, block 22,179,964, on 2025-04-02 at 08:14:47 UTC. It sat on-chain publicly for 381 days before the hack.

The signer was 0xcf7bf9d3…5662, calling setConfig(address,address,(uint32,uint32,bytes)[]) directly on EndpointV2.

The release

At 17:35:35 UTC on 2026-04-18, block 24,908,285, tx 0x1ae232da…4222 fired lzReceive on Ethereum. Kelp's OFT adapter released 116,500 rsETH to the attacker. Nothing had been burned on any source chain.

The Aave loop and the pause

Within 30 minutes, eight cash-out wallets supplied the stolen rsETH to Aave V3 on Ethereum and Arbitrum and borrowed ETH against it at the 93% E-Mode LTV cap, amplified via recursive looping (collateral deposit: 0xc295f4cd…0fc6).

Kelp's emergency multisig hit pauseAll at 18:21 UTC (0x4f52256a…1698), blocking two follow-up attempts at 18:26 and 18:28 that would have released another ~$200M. The attacker consolidated $266M of real ETH across two hub wallets and has not moved the funds since.

The industry-standard DVN configuration is 2-of-3. LayerZero's own integrator checklist recommends redundancy. For the full wallet graph, see Blockaid's technical writeup and defiprime's breakdown. Innora.ai's forensic reconstruction has additional transaction-trail detail.


How did the Kelp exploit cause Aave's $6B TVL drop?

Aave's contracts executed correctly. rsETH was a whitelisted collateral asset under E-Mode (Aave's Efficiency Mode, which allows higher LTV on tightly correlated collateral like ETH and ETH derivatives), the Chainlink oracle returned a price, and the protocol did what it was told. The tokens just weren't real.

(For a contrasting Aave incident where the contract behavior was the root cause, see our $27M stale-oracle liquidation breakdown.)

The market reaction

  • TVL fell by $6B-$6.6B in 24 hours (Crypto Briefing headline: $22B to $15.4B; DefiLlama: ~$26.4B to ~$20B)
  • WETH pool hit 100% utilization; suppliers couldn't withdraw
  • ~$5.4B in ETH/WETH withdrawal pressure across the weekend
  • AAVE token fell 16-20%
  • ~$196M unbacked WETH liabilities on Aave's Ethereum deployment; $177M-$236M across Aave, Compound V3, and Euler

The bad-debt waterfall

Aave's Umbrella safety module holds roughly $80M-$100M, not enough to cover the Ethereum deficit on its own. The waterfall under discussion on the governance forum runs in four steps:

  1. aWETH Umbrella stakers take the automatic slash first
  2. Remaining WETH suppliers absorb the socialized residual if the gap persists
  3. stkAAVE slashing is on the table if governance votes it
  4. A DAO-treasury repayment is the currently favored path

Three governance decisions expanded Aave's exposure

Contagion

Contagion was modest. SparkLend, Fluid, Upshift, and Lido earnETH froze rsETH exposure. Morpho's isolated-market design held it to ~$1M. Ethena paused its own LayerZero OFT bridges for about six hours as a precaution, publicly noting no rsETH exposure. Total DeFi TVL fell more than $10B, most of that unrelated to rsETH and driven by broader risk-off flows.

Forum sentiment

Forum user jack wrote: "Complete lack of risk management for this asset. The deposit cap should have been significantly smaller." ApuMallku put it more broadly: "Relying on manual intervention is no longer a viable security strategy for a protocol of this scale."


What does the Kelp exploit reveal about DeFi's attack surface?

Three of the four biggest DeFi losses of the past fourteen months (Bybit $1.5B, Drift $270-286M, Kelp $292M) had no Solidity bug. The fourth, the $223M Cetus overflow, did. Attackers have moved off Solidity. They're hitting signing infrastructure, multisig social engineering, and bridge configuration parameters instead.

The Unichain setConfig wasn't even an outlier. We pulled every UlnConfigSet event emitted by the default ReceiveUln302 library against Kelp's OFT adapter. That's 20 events, covering 18 distinct source-chain routes:

  • 17 routes install a 1-of-1 DVN using the same compromised verifier 0x589dedbd…
  • 1 route uses 2-of-2
  • 0 routes use the industry-standard 2-of-3

The current effective config for every Kelp source chain is readable on-chain via ReceiveUln302.getAppUlnConfig. It was readable the day before the hack, and the year before that.

Every downstream integrator could have read those configs before accepting rsETH as collateral. None did. DVN thresholds are outside the scope of most smart-contract audits, so they sit in a blind spot.


Lessons for DeFi Security

1. DVN thresholds belong in your collateral risk model

If your protocol accepts a cross-chain token as collateral, the token's bridge security model is your security model. A 1-of-1 DVN on the issuing OFT means a single compromised verifier can print unlimited collateral against your book.

Before whitelisting an OFT asset, read its current ULN config on-chain and reject anything below 2-of-3 with diverse DVN providers.

2. Config-time disclosure isn't audit coverage

Kelp's setConfig tx was public for 381 days. No integrator caught it because DVN thresholds aren't part of a typical audit.

Treat the bridge's ULN config the same way you'd treat an oracle feed source or a multisig signer set: versioned, diff-tracked, and monitored for changes.
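
An added example (not from the original article or from any project it names) of the gate that lessons 1 and 2 describe: it scores each route's decoded ULN config against a 2-of-3, multi-operator policy and re-reviews only the routes that are new or changed since the previous snapshot. The `Uln` class, the function names, the operator labels and the `0xDVN_B`-style addresses are assumptions for illustration; the eids and the compromised DVN address are taken from the page.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Uln:                 # one route's decoded ULN config
    required: tuple        # requiredDVNs: every one must sign
    optional: tuple = ()   # optionalDVNs
    threshold: int = 0     # optionalDVNThreshold

def operators_to_compromise(cfg, operator_of):
    """Fewest DVN operators that together can satisfy the config."""
    op = lambda d: operator_of.get(d, "unattributed")  # unknown DVNs pooled (worst case)
    owned = {op(d) for d in cfg.required}
    need = cfg.threshold - sum(op(d) in owned for d in cfg.optional)
    pools = Counter(op(d) for d in cfg.optional if op(d) not in owned)
    for name, size in pools.most_common():             # biggest operator first
        if need <= 0:
            break
        owned.add(name)
        need -= size
    return len(owned)

def review(cfg, operator_of, min_sigs=2, min_dvns=3, min_ops=2):
    """Return the route's 'm-of-n' label and the list of policy violations."""
    sigs = len(cfg.required) + cfg.threshold
    dvns = len(set(cfg.required) | set(cfg.optional))
    ops = operators_to_compromise(cfg, operator_of)
    checks = [(sigs < min_sigs, f"fewer than {min_sigs} DVN signatures required"),
              (dvns < min_dvns, f"fewer than {min_dvns} DVNs configured"),
              (ops < min_ops, "one operator can satisfy the quorum")]
    return f"{sigs}-of-{dvns}", [msg for failed, msg in checks if failed]

def listing_gate(prev, curr, operator_of):
    """Review every route that is new or changed since `prev`; return the rejects."""
    rejects = {}
    for eid, cfg in curr.items():
        if prev.get(eid) != cfg:
            label, problems = review(cfg, operator_of)
            if problems:
                rejects[eid] = (label, problems)
    return rejects

# Constructed sample following the article's table. DVN_A is the address on the page;
# DVN_B..D and every operator label other than LayerZero Labs are placeholders.
DVN_A = "0x589dedbd617e0cbcb916a9223f4d1300c294236b"
DVN_B, DVN_C, DVN_D = "0xDVN_B", "0xDVN_C", "0xDVN_D"
OPERATORS = {DVN_A: "LayerZero Labs", DVN_B: "op-B", DVN_C: "op-C", DVN_D: "op-C"}
SNAPSHOT = {30320: Uln((DVN_A,)), 30106: Uln((DVN_A,)), 30325: Uln((DVN_A, DVN_B))}
```

Calling `listing_gate({}, SNAPSHOT, OPERATORS)` treats every route as new and rejects all three; passing the previous snapshot as `prev` limits the review to routes whose config differs.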

3. 2-of-3 with diverse DVN providers is the baseline

LayerZero's own integrator checklist calls for redundancy, and the industry standard is 2-of-3. Kelp shipped 17 source-chain routes at 1-of-1.

Any OFT or bridge operator using a single DVN for any route should treat that as a sev-1 config bug, not a deployment convenience.

4. Risk parameters on cross-chain collateral have to price bridge integrity

Between Jan 19 (rsETH LTV to 93%), Apr 6 (Chaos Labs exits), and Apr 9 (LlamaRisk raises the rsETH supply cap), Aave's exposure to this exact attack grew in three discrete steps. Each step was reasonable in isolation on market data alone.

LTV, supply cap, and E-Mode parameters for a cross-chain asset are also bets on the bridge's DVN configuration, and have to be priced that way.

5. Cross-chain collateral whitelisting is a config-review task, not a market-risk task

The decision to accept rsETH wasn't wrong because of price volatility or correlation. It was wrong because the issuing bridge ran 17 source-chain routes at 1-of-1. A market-risk dashboard can't see that; a read of the OFT's on-chain ULN config can.

Lending protocols onboarding OFT or native cross-chain tokens should add a mandatory config-review gate to the listing checklist, and re-run it when the issuer ships new routes.


What's the current status of Kelp and Aave?

As of 2026-04-20:

  • Kelp's rsETH OFT is paused on Ethereum; the pauseAll tx landed 46 minutes after the drain and blocked two follow-up attempts
  • LayerZero has attributed the attack to DPRK's Lazarus Group (TraderTraitor) in its April 20 statement
  • Aave's Guardian has frozen the rsETH market on V3 Core and the V4 Kelp-E spoke
  • ~$196M in unbacked WETH liabilities sit on Aave's Ethereum deployment; Umbrella ($80-100M) can't cover it alone
  • Aave governance is debating a bad-debt waterfall: aWETH Umbrella slash first, WETH supplier socialization next, stkAAVE slashing contingent on vote, DAO-treasury repayment currently the favored path
  • ~$266M in consolidated ETH sits across two attacker hub wallets and has not moved since
  • No post-mortem from Kelp yet; LlamaRisk has stated Aave's other pools remain fully operational

Don't Wait for the Post-Mortem

Deployment-time config and live operational state are part of the attack surface. For protocols shipping cross-chain bridges or accepting cross-chain collateral, that's where most of the unreviewed risk now sits.

Tripwire monitors that surface post-deployment: DVN threshold changes on OFT bridges, multisig signer rotations, oracle path modifications, admin-role transfers, and privileged configuration calls across your deployed contracts and their dependencies. Alerts in seconds via Slack, Telegram, or email. Automated circuit breakers that don't wait for a war room.

If you're running a lending protocol that accepts cross-chain collateral, or operating a bridge that issues OFTs, talk to us.



Forensic Appendix: Addresses and Transactions

All addresses and hashes below resolve on-chain. Sources reconciled from Blockaid, defiprime, Aave governance, and LayerZero's official statement.

Contracts

Entity | Address
Kelp rsETH OFT Adapter (Ethereum) | 0x85d456B2DfF1fd8245387C0BfB64Dfb700e98Ef3
LayerZero V2 EndpointV2 | 0x1a44076050125825900e736c501f859c50fE728c
Compromised DVN (LayerZero Labs) | 0x589dedbd617e0cbcb916a9223f4d1300c294236b
ReceiveUln302 library | 0xc02Ab410f0734EFa3F14628780e6e695156024C2

Key transactions

When | Tx | Action
2025-04-02 08:14:47 UTC, block 22,179,964 | 0x2d48d933…0592 | setConfig installing 1-of-1 DVN for Unichain route (the attack vector). Signer 0xcf7bf9d3…5662. 381 days before the hack.
2026-04-18 17:35:35 UTC, block 24,908,285 | 0x1ae232da…4222 | Forged lzReceive from Unichain (eid 30320); 116,500 rsETH released
2026-04-18 17:43:11 UTC, block 24,908,322 (+8 min) | 0xc295f4cd…0fc6 | Aave V3 collateral deposit. Signer 0x1F4C…adeF.
2026-04-18 18:21:59 UTC, block 24,908,516 (+46 min) | 0x4f52256a…1698 | Kelp pauseAll
2026-04-18 19:03:59 UTC, block 24,908,723 (+88 min) | 0xd40b8b3b…7176 | Aave Guardian freeze, rsETH market
2026-04-18 19:35:11 UTC, block 24,908,879 (+120 min) | 0x4b6313f7…4f31 | Aave V4 Core Hub Guardian freeze
2026-04-18 19:45:23 UTC, block 24,908,930 (+130 min) | 0x567d80b3…b370 | Aave V4 Kelp-E Spoke Guardian freeze

DVN configuration pattern across every Kelp source-chain route

As of 2026-04-20:

Source chains configured | Required DVN count | Required DVN
17 eids (Unichain 30320, Avalanche 30106, Mantle 30181, Berachain 30362, Sonic 30332, and 13 others) | 1 | 0x589dedbd…236b (compromised)
1 eid (30325) | 2 | 0x589dedbd…236b + 0xa59ba433…0ba5

The 20 UlnConfigSet events against Kelp's OFT adapter span block 19,830,526 (2024-05-09) through block 24,784,877 (2026-04-01). The most recent 1-of-1 config was installed 17 days before the hack. The current effective config for each source eid is readable by calling ReceiveUln302.getAppUlnConfig(0x85d456…98Ef3, <eid>) on 0xc02Ab410…024C2.

Attacker wallet conflict between Blockaid and defiprime

Both writeups are correct; they observed different phases of the attack.

  • 0x8B1b6c9A6DB1304000412dd21Ae6A70a82d60D3b (defiprime) is the drain recipient, per the rsETH Transfer log in 0x1ae232da…4222.
  • 0x1F4C1c2e610f089D6914c4448E6F21Cb0db3adeF (Blockaid) signed the Aave V3 collateral supply and the subsequent borrow.

The two are sibling wallets in a coordinated operation.


Frequently Asked Questions

How was Kelp DAO hacked?

A 1-of-1 LayerZero DVN was compromised. Attackers swapped the binary on two of the DVN's RPC nodes and DDoS'd the rest, getting it to sign a forged cross-chain packet. lzReceive on Ethereum released 116,500 rsETH with no corresponding burn anywhere. Configuration failure, not a smart contract bug.

How much was stolen from Kelp DAO?

116,500 rsETH, worth about $292M at the time (roughly 18% of circulating supply). The attacker then looped the unbacked rsETH on Aave V3 and borrowed about $266M in real ETH before Kelp's emergency pause blocked further attempts.

Who hacked Kelp DAO?

LayerZero's April 20 statement attributes the attack to DPRK's Lazarus Group (TraderTraitor), the same unit the FBI tied to the $1.5B Bybit hack in February 2025.

Is Aave going to socialize the loss?

Aave holds roughly $196M in unbacked WETH liabilities on Ethereum; Umbrella only covers ~$80-100M. The governance thread is debating a waterfall: aWETH Umbrella slash → WETH supplier socialization → stkAAVE slashing (if voted) → DAO-treasury repayment (currently favored).

What is a DVN, an OFT, and an OApp?

Three terms do most of the work on LayerZero:

  • OApp (Omnichain Application): any contract that sends or receives cross-chain messages.
  • OFT (Omnichain Fungible Token): a standardized OApp for cross-chain tokens that burn on source and mint on destination (or lock/release, in the "adapter" variant Kelp uses).
  • DVN (Decentralized Verifier Network): an independent verifier that attests a message actually originated on the source chain. OApps configure a set of DVNs plus a threshold (e.g. "2 of 3 must sign").

A 1-of-1 config means a single DVN compromise is sufficient to forge a message. The industry standard is 2-of-3 with diverse providers. Kelp ran 1-of-1 on 17 of 18 source-chain routes.

Could this have been prevented?

Yes, in two places:

  1. At Kelp's deployment. A pre-launch config review would have caught every 1-of-1 DVN route before production traffic hit the bridge.
  2. At downstream integrators. The setConfig tx that installed the Unichain route was public for 381 days. Any lending protocol reading the OFT's ULN config before whitelisting rsETH would have seen the 1-of-1 threshold and either declined or capped exposure.

The data was on-chain both times. Nobody had a process to read it before signing a listing proposal or trusting an OFT bridge.



Disclosure: SigIntZero has no commercial relationship with Kelp DAO, LayerZero, Aave, or any restaking protocol mentioned in this article.

Aron Turner, Co-Founder & CTO

CTO of SigIntZero. Engineering leadership, infrastructure architecture, and security tooling.