Add TechGaged as your preferred source on Google

See more TechGaged stories across Google News and Discover.

Add

On April 18, 2026, an attacker sent a forged message to Kelp DAO’s LayerZero-powered cross-chain bridge. The bridge accepted it as legitimate and released 116,500 rsETH — worth roughly $293 million and 18% of the token’s entire circulating supply — conjured out of thin air.

The stolen rsETH was never sold. Instead, it was deposited into Aave V3 and V4 as collateral to borrow over $236 million in real WETH.

Within 46 minutes, Kelp’s emergency multisig froze its contracts, but the damage had already cascaded across lending protocols.

Who Was Really at Fault?

No code was exploited. The root cause was Kelp’s “1-of-1” DVN (Decentralized Verifier Network) configuration, which required only a single validator node to approve cross-chain messages.

That node was compromised. As Ledger’s CTO noted, a single-signer architecture allowed one forged signature to mint hundreds of millions in unbacked tokens.

The attacker was later identified by LayerZero as North Korea’s Lazarus Group, which poisoned the network’s RPC infrastructure.

Why This Is a Wake-Up Call for LayerZero Users

This incident is a stark warning for any protocol relying on LayerZero — and for the users who trust them.

LayerZero’s security is only as strong as the configuration choices of each application.

Kelp chose the most permissive setting, and $293 million vanished in under an hour.

Many whales have already rushed to withdraw their $ETH from Aave. Users can no longer assume that “powered by LayerZero” means safe.

LayerZero has since suspended support for 1-of-1 configurations and is urging all single-DVN applications to migrate to multi-DVN architectures immediately.

For DeFi users, the lesson is clear: before depositing funds into any bridge-linked protocol, demand to know its verification thresholds.

A 2-of-3 or 5-of-9 setup offers redundancy that a single compromised node cannot bypass.

So here’s the question that should keep every DeFi user awake tonight: if a single validator node was enough to steal $293 million in 46 minutes, how many other protocols are still running on the same fragile configuration — and how long before the next domino falls?

Disclaimer:
This article is for informational purposes only and does not constitute financial, investment, or trading advice. The views expressed are based on publicly available data, market observations, and the author’s interpretation at the time of writing. Cryptocurrency markets are highly volatile and unpredictable, and past performance or current technical setups do not guarantee future results. Readers should conduct their own research and consult with a qualified financial advisor before making any investment decisions. TechGaged does not accept liability for any losses incurred based on the information presented.