Exploits | April 20, 2026 | 4 min read

Kelp DAO's $292M Hack and Aave's $6B Fallout: One Config Parameter Broke DeFi

Aron Turner, Co-Founder CTO

Updated on April 20, 2026

TL;DR

On April 18, 2026, an attacker drained 116,500 rsETH (~$292M, about 18% of circulating supply) from Kelp DAO's LayerZero-powered bridge, supplied the unbacked tokens as collateral on Aave V3, and borrowed roughly $266M in ETH. Aave's TVL fell about $6.6B in 24 hours, WETH utilization pinned at 100%, and the protocol is holding ~$196M in unbacked WETH liabilities. There was no Solidity bug. Kelp's bridge trusted a single LayerZero DVN, and the DVN was compromised. LayerZero has attributed the attack to DPRK's Lazarus Group subunit TraderTraitor.


How the Kelp DAO $292M Exploit Worked

Attack flow at a glance:

  1. Source. Attacker prepares a forged cross-chain packet on Unichain (LayerZero eid 30320). No rsETH is actually burned.
  2. Verifier. Kelp's sole DVN — 0x589dedbd…236b, a LayerZero Labs DVN — signs the forged packet after attackers swap the binary on two of its RPC nodes and DDoS the rest.
  3. Release. lzReceive fires on Ethereum at block 24,908,285 (17:35:35 UTC, 2026-04-18). Kelp's OFT adapter releases 116,500 rsETH ($292M) to the attacker.
  4. Loot. Attacker supplies the unbacked rsETH to Aave V3 on Ethereum + Arbitrum as collateral, borrows $266M ETH at the 93% E-Mode LTV cap via recursive looping.
  5. Pause (+46 min). Kelp's multisig fires pauseAll, blocking two follow-up attempts that would have released another ~$200M.
  6. Cold. Attacker consolidates $266M ETH across two hub wallets. Funds haven't moved since.

Kelp's rsETH OFT (Omnichain Fungible Token) adapter (0x85d456B2DfF1fd8245387C0BfB64Dfb700e98Ef3) was configured to accept messages from a 1-of-1 Decentralized Verifier Network. One verifier, one signature, full release authority. Per LayerZero's April 20 incident statement, attackers swapped the binary on two of that DVN's RPC nodes with malicious builds, then DDoS'd the remaining healthy nodes. The verifier (0x589dedbd617e0cbcb916a9223f4d1300c294236b, a LayerZero Labs DVN) consumed the poisoned feed and signed a forged cross-chain packet.

The forged packet originated from Unichain (LayerZero endpoint ID / eid 30320). Kelp's setConfig call installing that 1-of-1 DVN for the Unichain route — tx 0x2d48d933…0592, block 22,179,964, 2025-04-02 08:14:47 UTC — sat on-chain publicly for 381 days before it was weaponized. The signer was 0xcf7bf9d3…5662, calling setConfig(address,address,(uint32,uint32,bytes)[]) directly on EndpointV2.

At 17:35:35 UTC on 2026-04-18, block 24,908,285, tx 0x1ae232da…4222 fired lzReceive on Ethereum. Kelp's OFT adapter released 116,500 rsETH to the attacker. Nothing had been burned on any source chain.

Within 30 minutes, eight cash-out wallets supplied the stolen rsETH to Aave V3 on Ethereum and Arbitrum and borrowed ETH against it at the 93% E-Mode LTV cap, amplified via recursive looping (collateral deposit: 0xc295f4cd…0fc6). Kelp's emergency multisig hit pauseAll at 18:21 UTC (0x4f52256a…1698), blocking two follow-up attempts at 18:26 and 18:28 that would have released another ~$200M. The attacker consolidated $266M of real ETH across two hub wallets and has not moved the funds since.

The industry-standard DVN configuration is 2-of-3. LayerZero's own integrator checklist recommends redundancy. Blockaid's technical writeup and defiprime's breakdown have the full wallet graph; Innora.ai's forensic reconstruction has additional transaction-trail detail.


Aave's $6B TVL Drop and Bad Debt Fallout

Aave's contracts executed correctly. rsETH was a whitelisted collateral asset under E-Mode (Aave's Efficiency Mode, which allows higher LTV on tightly correlated collateral like ETH and ETH derivatives), the Chainlink oracle returned a price, and the protocol did what it was told. The tokens just weren't real. (For a contrasting Aave incident where the contract behavior was the root cause, see our $27M stale-oracle liquidation breakdown.)

The market priced that in fast:

  • TVL fell by $6B to $6.6B in 24 hours (Crypto Briefing headline: $22B to $15.4B; DefiLlama: ~$26.4B to ~$20B)
  • WETH pool hit 100% utilization; suppliers couldn't withdraw
  • ~$5.4B in ETH/WETH withdrawal pressure across the weekend
  • AAVE token fell 16-20%
  • ~$196M unbacked WETH liabilities on Aave's Ethereum deployment; $177M-$236M across Aave, Compound V3, and Euler

Aave's Umbrella safety module holds roughly $80M-$100M. It can't cover the Ethereum deficit alone. The waterfall under discussion on the governance forum runs: aWETH Umbrella stakers take the automatic slash first, remaining WETH suppliers absorb the socialized residual if the gap persists, stkAAVE slashing is on the table if governance votes it, and a DAO-treasury repayment is the currently favored path.

Three governance decisions made the blast radius bigger:

Contagion was modest. SparkLend, Fluid, Upshift, and Lido earnETH froze rsETH exposure. Morpho's isolated-market design held it to ~$1M. Ethena precautionarily paused its own LayerZero OFT bridges for about six hours, publicly noting no rsETH exposure. Total DeFi TVL fell more than $10B, most of that unrelated to rsETH and driven by pure psychology.

The governance thread doesn't hide the frustration. Forum user jack wrote: "Complete lack of risk management for this asset. The deposit cap should have been significantly smaller." ApuMallku zoomed out: "Relying on manual intervention is no longer a viable security strategy for a protocol of this scale."


What the Kelp Exploit Reveals About the DeFi Attack Surface

Three of the four biggest DeFi losses of the past fourteen months (Bybit $1.5B, Drift $270-286M, Kelp $292M) had no Solidity bug. The fourth, the $223M Cetus overflow, did. But the attackers have moved on: signing infrastructure, multisig social engineering, and now a single verifier parameter misconfigured at deployment.

The Unichain setConfig wasn't even an outlier. We pulled every UlnConfigSet event emitted by the default ReceiveUln302 library against Kelp's OFT adapter — 20 events, covering 18 distinct source-chain routes. 17 of them install a 1-of-1 DVN using the same compromised verifier 0x589dedbd…. One uses 2-of-2. None use the industry-standard 2-of-3. The current effective config for every Kelp source chain is readable on-chain via ReceiveUln302.getAppUlnConfig — it was readable the day before the hack, and the year before that.

Every downstream integrator could have read those configs before accepting rsETH as collateral. Nobody did, because DVN thresholds aren't in the audit scope.


Lessons for DeFi Security

1. DVN thresholds belong in your collateral risk model. If your protocol accepts a cross-chain token as collateral, the token's bridge security model is your security model. A 1-of-1 DVN on the issuing OFT means a single compromised verifier can print unlimited collateral against your book. Before whitelisting an OFT asset, read its current ULN config on-chain and reject anything below 2-of-3 with diverse DVN providers.

2. Config-time disclosure ≠ audit coverage. Kelp's setConfig tx was public for 381 days. No integrator caught it because DVN thresholds aren't what auditors audit. Treat the bridge's ULN config as a first-class dependency: versioned, diff-tracked, and alerting on change — the same way you'd track an oracle feed source or a multisig signer set.

3. 2-of-3 is the floor, not the ceiling. LayerZero's own integrator checklist calls for redundancy, and the industry standard is 2-of-3. Kelp shipped 17 source-chain routes at 1-of-1. Any OFT or bridge operator using a single DVN for any route should treat that as a sev-1 config bug, not a deployment convenience.

4. Risk parameters on cross-chain collateral have to account for the bridge's integrity. Between Jan 19 (rsETH LTV → 93%), Apr 6 (Chaos Labs exits), and Apr 9 (LlamaRisk raises the rsETH supply cap), Aave's exposure to this exact attack grew in three discrete steps, each reasonable in isolation on market data alone. LTV, supply cap, and E-Mode parameters for a cross-chain asset are also bets on the bridge's DVN configuration — and have to be priced that way.

5. Treat cross-chain collateral whitelisting as a config-review task, not a market-risk task. The decision to accept rsETH wasn't wrong because of price volatility or correlation; it was wrong because the issuing bridge ran 17 source-chain routes at 1-of-1. That question isn't answerable from a risk dashboard. It's answerable from an Etherscan read. Lending protocols onboarding OFT or native cross-chain tokens should add a mandatory config-review gate to the listing checklist — and re-run it when the issuer ships new routes.
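
The config-review gate from lessons 1, 2 and 5, and the on-chain read described in the previous section, as an added example (not code from Kelp, Aave, LayerZero or SigIntZero). It decodes the ABI return data of a getAppUlnConfig call and checks the route against a 2-of-3 floor with operator diversity. Assumptions: the bytes follow LayerZero V2's UlnConfig field order (confirmations, requiredDVNCount, optionalDVNCount, optionalDVNThreshold, requiredDVNs, optionalDVNs) and already hold the route's effective values; the DVN-to-operator map, the function names, and every address except the DVN quoted on this page are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UlnConfig:
    confirmations: int
    required: tuple        # DVN addresses that must all attest
    optional: tuple        # DVN addresses counted toward the threshold
    optional_threshold: int

def _word(buf, off):
    return int.from_bytes(buf[off:off + 32], "big")

def _addresses(buf, off):
    n = _word(buf, off)
    if off + 32 * (n + 1) > len(buf):
        raise ValueError("address array runs past the end of the return data")
    return tuple("0x" + buf[off + 32 * k + 44:off + 32 * k + 64].hex() for k in range(n))

def decode_uln_config(ret):
    """Decode ABI return data holding one UlnConfig struct (a dynamic tuple)."""
    s = _word(ret, 0)  # offset of the struct; array offsets are relative to it
    return UlnConfig(_word(ret, s), _addresses(ret, s + _word(ret, s + 128)),
                     _addresses(ret, s + _word(ret, s + 160)), _word(ret, s + 96))

def encode_sample(confirmations, required, optional, threshold):
    """Build constructed return data so the example runs without an RPC node."""
    w = lambda v: v.to_bytes(32, "big")
    arr = lambda a: w(len(a)) + b"".join(w(int(x, 16)) for x in a)
    return (w(32) + w(confirmations) + w(len(required)) + w(len(optional)) + w(threshold)
            + w(192) + w(224 + 32 * len(required)) + arr(required) + arr(optional))

def review_route(cfg, operators, min_signers=2, min_dvns=3):
    """Return findings for one route; an empty list passes the listing gate."""
    findings = []
    dvns = set(cfg.required) | set(cfg.optional)
    signers = len(cfg.required) + cfg.optional_threshold  # attestations needed to verify
    if signers < min_signers or len(dvns) < min_dvns:
        findings.append(f"{signers}-of-{len(dvns)} is below {min_signers}-of-{min_dvns}")
    findings += [f"unattributed DVN {d}" for d in sorted(dvns) if d not in operators]
    for op in sorted({operators.get(d, d) for d in dvns}):
        owned = lambda d: operators.get(d, d) == op
        if all(map(owned, cfg.required)) and sum(map(owned, cfg.optional)) >= cfg.optional_threshold:
            findings.append(f"{op} alone can satisfy verification")
    return findings

# DVN address from the page; the other addresses and operator names are constructed.
LZ_DVN, DVN_A, DVN_B = "0x589dedbd617e0cbcb916a9223f4d1300c294236b", "0x" + "aa" * 20, "0x" + "bb" * 20
OPERATORS = {LZ_DVN: "LayerZero Labs", DVN_A: "operator-A", DVN_B: "operator-B"}
ONE_OF_ONE = encode_sample(15, [LZ_DVN], [], 0)
TWO_OF_THREE = encode_sample(15, [DVN_A], [LZ_DVN, DVN_B], 1)

if __name__ == "__main__":
    for raw in (ONE_OF_ONE, TWO_OF_THREE):
        print(review_route(decode_uln_config(raw), OPERATORS) or "pass")
```

Storing the decoded config per eid and re-running the check on every UlnConfigSet event gives the diff-tracked, alert-on-change view that lesson 2 asks for.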


Current Status

As of 2026-04-20:

  • Kelp's rsETH OFT is paused on Ethereum; the pauseAll tx landed 46 minutes after the drain and blocked two follow-up attempts
  • LayerZero has attributed the attack to DPRK's Lazarus Group (TraderTraitor) in its April 20 statement
  • Aave's Guardian has frozen the rsETH market on V3 Core and the V4 Kelp-E spoke
  • ~$196M in unbacked WETH liabilities sit on Aave's Ethereum deployment; Umbrella ($80–100M) can't cover it alone
  • Aave governance is debating a bad-debt waterfall — aWETH Umbrella slash first, WETH supplier socialization next, stkAAVE slashing contingent on vote, DAO-treasury repayment currently the favored path
  • ~$266M in consolidated ETH sits across two attacker hub wallets and has not moved since
  • No post-mortem from Kelp yet; LlamaRisk has stated Aave's other pools remain fully operational

Don't Wait for the Post-Mortem

Sentinel catches exactly the class of issue Kelp shipped: deployment-time misconfigurations that are invisible to code-level audits. A Sentinel review of Kelp's OFT would have flagged every 1-of-1 DVN route before production traffic hit the bridge.

Tripwire monitors the same surface post-deployment: DVN threshold changes on OFT bridges, multisig signer rotations, oracle path modifications, admin-role transfers, and privileged configuration calls across your deployed contracts and their dependencies. Alerts in seconds via Slack, Telegram, or email. Automated circuit breakers that don't wait for a war room.

Audits tell you the code was safe at review time. Sentinel tells you the config is safe at launch. Tripwire tells you the config is still safe right now.

If you're running a lending protocol that accepts cross-chain collateral, or operating a bridge that issues OFTs, talk to us.


Forensic Appendix: Addresses and Transactions

All addresses and hashes below resolve on-chain. Sources reconciled from Blockaid, defiprime, Aave governance, and LayerZero's official statement.

Contracts

| Entity | Address |
| --- | --- |
| Kelp rsETH OFT Adapter (Ethereum) | 0x85d456B2DfF1fd8245387C0BfB64Dfb700e98Ef3 |
| LayerZero V2 EndpointV2 | 0x1a44076050125825900e736c501f859c50fE728c |
| Compromised DVN (LayerZero Labs) | 0x589dedbd617e0cbcb916a9223f4d1300c294236b |
| ReceiveUln302 library | 0xc02Ab410f0734EFa3F14628780e6e695156024C2 |

Key transactions

| When | Tx | Action |
| --- | --- | --- |
| 2025-04-02 08:14:47 UTC, block 22,179,964 | 0x2d48d933…0592 | setConfig installing 1-of-1 DVN for Unichain route (the attack vector). Signer 0xcf7bf9d3…5662. 381 days before the hack. |
| 2026-04-18 17:35:35 UTC, block 24,908,285 | 0x1ae232da…4222 | Forged lzReceive from Unichain (eid 30320); 116,500 rsETH released |
| 2026-04-18 17:43:11 UTC, block 24,908,322 (+8 min) | 0xc295f4cd…0fc6 | Aave V3 collateral deposit. Signer 0x1F4C…adeF. |
| 2026-04-18 18:21:59 UTC, block 24,908,516 (+46 min) | 0x4f52256a…1698 | Kelp pauseAll |
| 2026-04-18 19:03:59 UTC, block 24,908,723 (+88 min) | 0xd40b8b3b…7176 | Aave Guardian freeze — rsETH market |
| 2026-04-18 19:35:11 UTC, block 24,908,879 (+120 min) | 0x4b6313f7…4f31 | Aave V4 Core Hub Guardian freeze |
| 2026-04-18 19:45:23 UTC, block 24,908,930 (+130 min) | 0x567d80b3…b370 | Aave V4 Kelp-E Spoke Guardian freeze |

DVN configuration pattern across every Kelp source-chain route (as of 2026-04-20):

| Source chains configured | Required DVN count | Required DVN |
| --- | --- | --- |
| 17 eids (Unichain 30320, Avalanche 30106, Mantle 30181, Berachain 30362, Sonic 30332, and 13 others) | 1 | 0x589dedbd…236b (compromised) |
| 1 eid (30325) | 2 | 0x589dedbd…236b + 0xa59ba433…0ba5 |

Notes. The 20 UlnConfigSet events against Kelp's OFT adapter span block 19,830,526 (2024-05-09) through block 24,784,877 (2026-04-01) — the most recent 1-of-1 config was installed 17 days before the hack. The current effective config for each source eid is readable by calling ReceiveUln302.getAppUlnConfig(0x85d456…98Ef3, <eid>) on 0xc02Ab410…024C2.

On the attacker wallet conflict between Blockaid and defiprime. Both writeups are correct — they observed different phases of the attack. 0x8B1b6c9A6DB1304000412dd21Ae6A70a82d60D3b (defiprime) is the drain recipient, per the rsETH Transfer log in 0x1ae232da…4222. 0x1F4C1c2e610f089D6914c4448E6F21Cb0db3adeF (Blockaid) signed the Aave V3 collateral supply and the subsequent borrow. Sibling wallets in a coordinated operation.


Frequently Asked Questions

How was Kelp DAO hacked?

Kelp's rsETH OFT bridge was configured to accept cross-chain messages verified by a single LayerZero DVN (a 1-of-1 configuration, versus the industry-standard 2-of-3). Attackers compromised that single verifier by replacing its binary on two RPC nodes and DDoS'ing the rest, getting the verifier to sign a forged cross-chain packet. When lzReceive fired on Ethereum, Kelp's OFT adapter released 116,500 rsETH to the attacker without any corresponding burn on a source chain. No smart contract bug was exploited — it was a configuration failure.

How much was stolen from Kelp DAO?

116,500 rsETH, worth approximately $292 million at the time of the drain (roughly 18% of rsETH's circulating supply). The attacker then supplied the unbacked rsETH to Aave V3 as collateral and borrowed about $266 million in real ETH against it before Kelp's emergency pause blocked further attempts.

Who hacked Kelp DAO?

In its April 20 incident statement, LayerZero attributed the attack to DPRK's Lazarus Group, specifically the TraderTraitor subunit — the same threat actor the FBI attributed to the $1.5B Bybit hack in February 2025.

Is Aave going to socialize the loss?

Aave is holding roughly $196M in unbacked WETH liabilities on Ethereum and the Umbrella safety module only covers ~$80-100M. The rsETH incident governance thread is debating a waterfall: aWETH Umbrella stakers absorb the first slash automatically, remaining WETH suppliers take any socialized residual, stkAAVE slashing is on the table if governance votes for it, and a DAO-treasury repayment is the currently favored path.

What is a DVN, an OFT, and an OApp — and why does the 1-of-1 config matter?

Three terms do most of the work on LayerZero:

  • OApp (Omnichain Application) — any contract that sends or receives cross-chain messages through LayerZero. Kelp's rsETH bridge contract is an OApp.
  • OFT (Omnichain Fungible Token) — a standardized OApp for tokens that mint on destination chains and burn on source chains (or lock/release, in the "adapter" variant Kelp uses on Ethereum).
  • DVN (Decentralized Verifier Network) — an independent party that verifies a cross-chain message actually originated on the source chain. OApps configure a set of required and optional DVNs plus a threshold — e.g. "2 of 3 of these DVNs must sign before the message is accepted."

A 1-of-1 config means a single DVN's compromise is sufficient to forge a message into the OApp. LayerZero's own integrator checklist recommends redundancy; the industry standard is 2-of-3 with diverse DVN providers. Kelp ran 1-of-1 across 17 of 18 source-chain routes.

Could this have been prevented?

Yes, in two places. First, at Kelp's deployment: a pre-launch config review would have caught every 1-of-1 DVN route before production traffic hit the bridge. Second, at downstream integrators (Aave, Morpho, any lending protocol whitelisting rsETH as collateral): the setConfig tx that installed the Unichain route was public on-chain for 381 days. Any integrator reading the OFT's ULN config before accepting rsETH as collateral would have seen the 1-of-1 threshold and declined or capped exposure accordingly. The data was there both times. What was missing was a process that read it before signing a listing proposal or trusting an OFT bridge.


Sources

Primary sources

  1. LayerZero — KelpDAO Incident Statement (official)
  2. Aave Governance — rsETH incident thread, 2026-04-18
  3. Aave Governance — LlamaRisk rsETH supply cap proposal, 2026-04-09
  4. Aave Docs — Umbrella safety module

Technical / forensic analysis

  1. Blockaid — How a Single LayerZero DVN Compromise Drained $292M from KelpDAO
  2. defiprime — The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge
  3. Innora.ai — Kelp DAO LayerZero Bridge Exploit: On-Chain Forensic Analysis

News coverage

  1. CoinDesk — Aave records $6B TVL drop as Kelp hack exposes structural risk
  2. CoinDesk — LayerZero blames Kelp's setup for $290M exploit, attributes it to Lazarus
  3. The Block — LayerZero says DPRK's Lazarus likely behind Kelp DAO exploit
  4. The Defiant — Kelp DAO Loses $293M; Aave With Over $200M in Bad Debt
  5. Crypto Briefing — AAVE TVL plummets $6B after Kelp DAO hack
  6. Phemex — Aave Lost $6.6B in TVL After Kelp Exploit: Bad Debt Crisis
  7. CoinDesk — Aave loses key risk manager Chaos Labs

Context

  1. Cyfrin — Inside the $223M Cetus Exploit
  2. FBI IC3 — PSA on Bybit Theft

Disclosure: SigIntZero has no commercial relationship with Kelp DAO, LayerZero, Aave, or any restaking protocol mentioned in this article.

Aron Turner, Co-Founder CTO

CTO of SigIntZero. Engineering leadership, infrastructure architecture, and security tooling.