The Blame Game: Who Was Really at Fault in the $290 Million Kelp DAO Exploit?

On April 18, 2026, the DeFi world was shaken by one of the largest exploits of the year. Attackers drained approximately 116,500 rsETH — worth around $290-293 million — from Kelp DAO’s cross-chain bridge powered by LayerZero. The incident involved a forged message that tricked the bridge into releasing unbacked rsETH without a corresponding burn on the source chain (Unichain). Kelp DAO quickly paused contracts and froze the recipient address, preventing a second packet that could have cost another $100 million. However, the stolen funds were used to borrow against on platforms like Aave, creating significant bad debt and triggering liquidity issues across DeFi.

The exploit centered on LayerZero’s cross-chain messaging infrastructure, specifically its Decentralized Verifier Network (DVN). Attackers, likely linked to North Korea’s Lazarus Group (TraderTraitor subgroup), compromised or poisoned RPC nodes used by LayerZero’s verifier. They launched a DDoS attack on backups to force failover to tainted infrastructure, allowing a fake message to pass verification and execute on Ethereum. This highlights sophisticated state-actor tactics targeting infrastructure rather than smart contract bugs.

A fierce blame game quickly erupted. LayerZero’s post-mortem placed primary responsibility on Kelp DAO for using a 1-of-1 DVN configuration — a single verifier setup that created a single point of failure. They argued Kelp ignored repeated warnings to upgrade to a multi-verifier (e.g., 2-of-3 or higher) setup for better security. Security firms like SlowMist described the 1/1 as the weakest possible level, essentially delegating all trust to one signing key.

Kelp DAO pushed back strongly. In statements and through sources, the protocol claimed the 1-of-1 setup was LayerZero’s own documented default for onboarding, especially during L2 expansions. They emphasized that the compromised verifier ran on LayerZero’s infrastructure, not Kelp’s custom code. The single verifier in question was operated by LayerZero Labs itself, and the attack exploited flaws in its RPC dependencies and failover mechanisms. Critics, including Chainlink’s Zach Rynes, accused LayerZero of “deflecting responsibility” by throwing Kelp under the bus for trusting the provider’s recommended defaults.

Ultimately, fault appears shared. Kelp DAO bears responsibility for not implementing stronger security despite the flexibility LayerZero offers — protocols can choose their own DVN thresholds, and a 1/1 is inherently risky for high-value bridges. However, LayerZero’s architecture allows such minimal configurations, and if defaults encouraged it, the infrastructure provider shares accountability for not enforcing minimum security standards or better protecting its own verifier nodes.

This incident exposes deeper issues in DeFi interoperability: reliance on trusted oracles and verifiers, the dangers of single points of failure, and how one bridge exploit can cascade into ecosystem-wide stress (with billions in withdrawals and potential losses on lending platforms). It serves as a stark reminder that “verified” cross-chain messages are only as strong as the weakest link in configuration and infrastructure.

As investigations continue and funds are traced (some frozen on Arbitrum), the community awaits clearer compensation plans. The Kelp DAO exploit is not just a hack story — it’s a cautionary tale about shared responsibility in decentralized systems. True security demands better defaults, enforced multi-verification, and less finger-pointing after disasters.

Disclaimer:

The information provided through this channel does not constitute financial advice and should not be construed as such. This content is for purely informational and educational purposes. Financial decisions should be based on a careful evaluation of your own circumstances and consultation with qualified financial professionals. The accuracy, completeness or timeliness of the information provided is not guaranteed, and any reliance on it is at your own risk. Additionally, financial markets are inherently volatile and can change rapidly. It is recommended that you conduct thorough research and seek professional advice before making significant financial decisions. We are not responsible for any loss, damage or consequences that may arise directly or indirectly from the use of this information.