On May 26, Kelp DAO, an Ethereum liquid restaking protocol, confirmed on X that the operational portion of the rsETH recovery plan has been officially completed. The final batch of 20,373.70 rsETH has been sent to the LayerZero smart contract. The minting, redemption, and rewards operations for rsETH have all been confirmed to be running normally, ending the impact of the attack by the North Korea–linked hacker group Lazarus Group.
Attack mechanism: how the LayerZero 1/1 DVN single-verifier flaw was exploited
Kelp DAO’s rsETH cross-chain bridging system uses the LayerZero protocol configured with a 1/1 DVN (decentralized verification network), requiring only a single verifier to confirm transactions. Lazarus Group exploited this single point of failure design: the attackers compromised two RPC nodes that provided data to the protocol’s verification party, and simultaneously launched DDoS attacks against the legitimate RPC endpoints, forcing the bridging system to rely on nodes that had already been compromised. Using this method, the attackers forged cross-chain messages and tricked the Ethereum contract on the source chain into releasing 116,500 rsETH without legitimate burning. LayerZero previously warned about the security risks of a 1/1 DVN configuration.
After detecting the attack, Kelp DAO immediately paused the rsETH contract and added the attacker’s wallet to a blacklist, blocking attempts to steal an additional 40,000 rsETH. The Arbitrum security committee froze about 30,766 ETH associated with the attacker (about $71 million), but Lazarus Group has since been suspected of transferring $175 million worth of ETH to new addresses.
Confirmed five-week recovery timeline
April 18: The Lazarus Group attack occurred; 116,500 rsETH was stolen (about $293 million); Kelp DAO paused the rsETH contract to prevent a second attack
May 13: The first batch of 25,000 rsETH transfers were completed; the rsETH bridge between the Ethereum mainnet and Layer 2 was reopened
May 14: The rsETH withdrawal functionality was reopened
May 26: The final batch of 20,373.7 rsETH was sent to the LayerZero smart contract; Kelp DAO confirmed the recovery plan’s operational portion was officially completed; rsETH minting, redemption, and rewards operations are all running normally
FAQ
What was the mechanism behind the Kelp DAO attack causing $190 million in bad debt to Aave?
The attackers used the LayerZero bridging vulnerability at no cost to obtain 116,500 rsETH, then deposited this “zero-cost” rsETH as collateral into the Aave lending platform and borrowed large amounts of wETH (tokenized, wrapped Ethereum). After Kelp DAO paused the rsETH contract, questions arose about the market value and redeemability of rsETH. Large liquidity providers began withdrawing from Aave, and the rsETH collateral deposited by the attacker effectively became unrecoverable bad debt. The $190 million bad debt directly dragged down Aave’s TVL, triggering broader liquidity panic. After the incident, Aave TVL fell from $26.4 billion to below $14.0 billion, losing its status as the DeFi protocol with the largest TVL globally.
How did the DeFi United initiative provide funding for rsETH recovery, and what was the mechanism of multiple protocols jointly injecting funds?
DeFi United is a coordinated emergency initiative involving multiple DeFi protocols. During this recovery, it coordinated funding injections from multiple protocols to make up the funding shortfall needed for Kelp DAO to fully support rsETH on-chain. A complete list of specific funding sources and the contribution proportions from each protocol have not been disclosed in detail in Kelp DAO’s public statements. This cross-protocol funding coordination model is similar to the industry’s joint emergency response mechanism that emerged after the Euler Finance and other DeFi protocol attacks, reflecting a new practice in the DeFi ecosystem: responding to major hacker attacks in a decentralized way.
What background data are available for the DeFi attack wave in April 2026?
Data from DefiLlama and on-chain security monitoring entities confirmed that in April 2026 there were 25 cryptocurrency hacking incidents, with total losses of about $630 million—making it the worst month by losses since February 2025, when Bybit was hacked ($150 million, a single-hack record). Kelp DAO’s $293 million is the largest single DeFi vulnerability as of 2026 to date. DefiLlama’s lifetime data shows that over the past decade, crypto hackers have stolen more than $17 billion in total. Cross-chain bridging vulnerabilities have accounted for a core share of major attacks up to 2026 (including cases such as Kelp DAO, Map Protocol Butter Bridge, and Verus Bridge).
