KelpDAO Exits LayerZero After Massive $292M Exploit

KelpDAO migrated rsETH from LayerZero to Chainlink CCIP after a $292 million exploit exposed major risks in crosschain verification infrastructure.


Following the April 18 exploit that resulted in a loss of 116,500 rsETH, worth approximately $292 million, KelpDAO has decided to migrate its rsETH bridge infrastructure from LayerZero to Chainlink CCIP.

The attack, which was later connected to North Korea's Lazarus Group, revealed deeper issues with validator design, bridge verification models, and the hidden dangers within cross-chain messaging systems.

As KelpDAO and LayerZero openly dispute how the breach actually occurred and who was responsible for the flawed security assumptions, what initially appeared to be a single exploit has now evolved into one of the most significant infrastructure disputes in DeFi.

How the rsETH Exploit Bypassed LayerZero’s Verification System

The attack on April 18 was not caused by an issue in rsETH's smart contracts. Rather, the attack targeted the bridge communication layer, which is responsible for verifying cross-chain messages across networks.

Investigations related to the incident indicate that attackers gained access to LayerZero Labs' Decentralised Verifier Network (DVN) infrastructure. By altering validator communication and poisoning RPC endpoints, the attackers were able to create a LayerZero message that looked authentic on-chain. After the message passed verification, 116,500 rsETH was unlocked and drained from the bridge system.

Because the stolen rsETH was transferred into Aave v3 as collateral to borrow wrapped Ether, the exploit swiftly became a more widespread DeFi risk event. As a result, lending markets that were exposed to rsETH-backed holdings experienced acute liquidation pressure and systemic concerns.

As we covered in our blog, KelpDAO Exploit Triggers $290M Crisis Across DeFi, the event quickly progressed beyond a bridge attack and started to impact numerous protocols across interconnected DeFi liquidity systems.

Investigators ultimately linked the attack to infrastructure tactics frequently used by North Korea's Lazarus Group. According to reports, the attackers redirected network requests toward hijacked servers by manipulating verification traffic, switching node binaries, and launching DDoS attacks.

The attack was especially concerning because the failure happened outside the conventional smart contract layer. It took advantage of verifier trust models and assumptions about off-chain infrastructure reliability that many protocols treated as operationally secure by default.

The Public Conflict Between KelpDAO & LayerZero

LayerZero and KelpDAO got into a public argument about who was responsible for the breach shortly after the exploit.

According to LayerZero, KelpDAO had set up its bridge using a "1-of-1" DVN configuration, which meant that cross-chain transactions could be verified with just one verification path. LayerZero claims the configuration failed to adhere to recommended production-level requirements and greatly weakened security guarantees.

KelpDAO vehemently denied the allegation. According to the protocol, its integration adhered to the official templates, defaults, onboarding documentation, and direct implementation advice supplied by LayerZero throughout the course of almost 2.5 years of cooperation.

Additionally, KelpDAO cited independent studies that suggested the main cause of the problem might not have been solely the protocol's selected configuration model, but rather the compromised verification infrastructure itself.

After KelpDAO released data showing that approximately 47% of LayerZero contracts in operation within a recent 90-day period employed similarly constructed DVN setups worth billions of dollars, the dispute grew more heated. The notion that KelpDAO had implemented a particularly careless architecture was undermined by that detail.

Later, Bryan Pellegrino, CEO of LayerZero, asserted that KelpDAO had manually changed its settings away from safer defaults. Following the breach, LayerZero also said that it would no longer allow single-verifier configurations, indicating a broader shift in the company's approach to bridge security.
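The single-verifier condition at the center of the dispute can be checked mechanically before a bridge pathway goes live. The following is an added example, not code from KelpDAO, LayerZero, or the original article. The `Pathway` model, its field names, and the inventory are hypothetical and constructed for illustration, and the required/optional split generalizes beyond the 1-of-1 case the article describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pathway:
    # Hypothetical model for illustration; not LayerZero's configuration schema.
    name: str
    required: tuple        # every verifier listed here must attest
    optional: tuple = ()   # at least `threshold` of these must also attest
    threshold: int = 0

def forgery_cost(p: Pathway) -> int:
    """Fewest distinct verifiers an attacker must control to pass verification."""
    req, opt = set(p.required), set(p.optional)   # duplicates collapse to one
    if p.threshold < 0 or p.threshold > len(opt):
        raise ValueError(f"{p.name}: threshold {p.threshold} cannot be met "
                         f"by {len(opt)} optional verifiers")
    # An optional verifier that is also required adds no independent check.
    extra = max(0, p.threshold - len(req & opt))
    return len(req) + extra

def audit(pathways, minimum=2):
    """Return (name, cost) for each pathway forgeable with < `minimum` compromises."""
    return [(p.name, forgery_cost(p)) for p in pathways
            if forgery_cost(p) < minimum]

# Constructed inventory; pathway and verifier names are made up.
INVENTORY = [
    Pathway("eth->arb", required=("dvn-a",)),                    # plain 1-of-1
    Pathway("eth->base", required=("dvn-a", "dvn-b")),           # 2-of-2
    Pathway("eth->op", required=("dvn-a",),
            optional=("dvn-a", "dvn-b", "dvn-c"), threshold=1),  # overlap
    Pathway("eth->linea", required=("dvn-a",),
            optional=("dvn-b", "dvn-c"), threshold=1),           # 1 + 1-of-2
    Pathway("eth->scroll", required=("dvn-a", "dvn-a")),         # duplicate entry
]

if __name__ == "__main__":
    for name, cost in audit(INVENTORY):
        print(f"REJECT {name}: forgeable by compromising {cost} verifier(s)")
```

Two of the three rejected pathways are not literal 1-of-1 setups: a duplicated entry or a verifier listed as both required and optional reduces the effective quorum to one.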

After the recent LayerZero exploit, we are taking steps to ensure rsETH is fully secure, which is why we are migrating to @chainlink CCIP.

From the April 18 incident, it is clear that LayerZero's own infrastructure was exploited, resulting in $300M in losses across DeFi.… https://t.co/beIrfZZLlh — Kelp (@KelpDAO) May 5, 2026
