Kelp DAO rsETH — LayerZero 1/1 DVN Forged Cross-chain Message — April 18, 2026
>10 victims identified on this incident
Facts and investigation
Attacker: Cluster of 9 EOAs (1 primary receiver + 8 cash-out nodes) on Ethereum + Arbitrum; compromised OFT Adapter: 0x85d456b2dff1fd8245387c0bfb64dfb700e98ef3
Funds moved to: 116,500 rsETH (~$292M, ~18% of supply) minted without backing on Ethereum. Used as collateral on Aave V3 to borrow ~$236M WETH (LTV ~99%). At T+9h: 75,700 ETH on Ethereum hub + 30,765 ETH on Arbitrum hub. Partial recovery via Arbitrum Security Council freeze. Attributed to TraderTraitor / Lazarus Group (Mandiant, CrowdStrike).
Cluster of 9 cross-chain EOAs (1 receiver + 8 cash-out). Pre-attack staging from Tornado Cash 0.1 ETH pool. Aave froze rsETH markets V3+V4. SparkLend, Fluid also frozen. Arbitrum Security Council partial freeze 3 days later.
Timeline:
- 6 March 2026: the attacker used social engineering on a LayerZero Labs developer to obtain session keys. The internal RPC nodes used by the LayerZero Labs DVN were compromised (op-geth binaries replaced, self-destruct modifications programmed).
- 18 April 2026, 17:35:35 UTC (Ethereum block 24,908,285): a DDoS was launched on the external RPC node used by the DVN, forcing failover to the 2 compromised internal nodes. The poisoned nodes sent forged data to the DVN, creating a valid attestation for a forged cross-chain message. The OFT Adapter contract (0x85d456b2dff1fd8245387c0bfb64dfb700e98ef3) on Ethereum released 116,500 rsETH (~$292M) to the attacker. 1-of-1 DVN configuration on Kelp rsETH (Kelp claims LayerZero approved this setup; LayerZero contradicts this in its 19 April post-mortem).
- 18:21 UTC (T+46min): Kelp paused core contracts via emergency multisig.
- 18:26 and 18:28 UTC: 2 additional attempts (40,000 rsETH each, ~$100M) reverted.
- 116,500 rsETH deposited on Aave V3 as collateral, borrowing ~$236M WETH (LTV 99%). Aave, SparkLend, Fluid froze rsETH markets.
- Around 21 April 2026: Arbitrum Security Council froze a significant portion of downstream attacker funds.
- 5 May 2026: Kelp migrated rsETH off LayerZero OFT to Chainlink CCIP.
- 9 May 2026: LayerZero acknowledged 'we made a mistake' allowing 1-of-1 DVN.
- 20 May 2026: LayerZero published the complete post-mortem with Mandiant + CrowdStrike attributing to TraderTraitor (UNC4899) / Lazarus.

Largest DeFi loss of 2026.
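The 1-of-1 DVN weakness in the timeline above, as an added example (not code from LayerZero, Kelp or the original page): a simplified model of a verifier set with required DVNs plus an optional threshold, and an audit that flags configurations where one attestation is enough. The class, function and DVN names and the payload hash are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    # Hypothetical names; models "all required DVNs + N of the optional DVNs".
    required_dvns: tuple
    optional_dvns: tuple = ()
    optional_threshold: int = 0

def is_verifiable(cfg, attestations, payload_hash):
    """attestations maps DVN name -> payload hash that DVN attested to."""
    agree = {d for d, h in attestations.items() if h == payload_hash}
    required_ok = all(d in agree for d in cfg.required_dvns)
    optional_ok = len(agree & set(cfg.optional_dvns)) >= cfg.optional_threshold
    return required_ok and optional_ok

def attestations_needed(cfg):
    """Distinct DVNs that must sign a payload (forged or not) for it to verify."""
    return len(set(cfg.required_dvns)) + cfg.optional_threshold

def audit(cfg, minimum=2):
    """Return findings for configs where too few independent DVNs gate a message."""
    findings = []
    needed = attestations_needed(cfg)
    if needed < minimum:
        findings.append(f"{needed} attestation(s) suffice; want >= {minimum}")
    if cfg.optional_threshold > len(set(cfg.optional_dvns)):
        findings.append("optional threshold can never be met")
    if set(cfg.required_dvns) & set(cfg.optional_dvns):
        findings.append("DVN listed as both required and optional")
    return findings

# Constructed sample data: placeholder hash and DVN names, not values from the incident.
FORGED = "0xforged-payload-hash"
ONE_OF_ONE = VerifierConfig(required_dvns=("dvn-a",))
HARDENED = VerifierConfig(required_dvns=("dvn-a", "dvn-b"),
                          optional_dvns=("dvn-c", "dvn-d"), optional_threshold=1)
# Only dvn-a was fed forged chain data; the others saw no such source message.
ATTESTATIONS = {"dvn-a": FORGED}

if __name__ == "__main__":
    for name, cfg in (("1-of-1", ONE_OF_ONE), ("hardened", HARDENED)):
        print(name, is_verifiable(cfg, ATTESTATIONS, FORGED), audit(cfg))
```

The model treats each DVN as independent; DVNs that share RPC infrastructure fail together, so the count only holds if their data sources are separate.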
Sources and coverage
- Article, coindesk.com: https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains
- Article, chainalysis.com: https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/
- Article, innora.ai: https://innora.ai/blog/kelp-dao-layerzero-292m-exploit-forensic-analysis
- Article, coindesk.com: https://www.coindesk.com/tech/2026/05/09/layerzero-says-it-made-a-mistake-in-usd292-million-kelp-exploit
- Article, cryptotimes.io: https://www.cryptotimes.io/2026/05/20/layerzero-details-single-verifier-flaw-behind-292m-kelpdao-exploit/
- Article, defiprime.com: https://defiprime.com/kelpdao-rseth-exploit
- Article, ccn.com: https://www.ccn.com/education/crypto/kelp-dao-rseth-292m-hack-aave-liquidity-crisis-explained/
- Article, crypto.news: https://crypto.news/layerzero-details-292m-kelpdao-exploit-and-tightens-bridge-security/