Following the April 18 exploit that resulted in a loss of 116,500 rsETH, worth approximately $292 million, KelpDAO has decided to migrate its rsETH bridge infrastructure from LayerZero to Chainlink CCIP.

Deeper issues with validator design, bridge verification models, and the hidden dangers within cross-chain messaging systems were revealed by the attack, which was later connected to North Korea's Lazarus Group.

As KelpDAO and LayerZero openly dispute how the breach actually occurred and who was responsible for the flawed security assumptions, what initially appeared to be a single exploit has now evolved into one of the most significant infrastructure disputes in DeFi.

• How the rsETH Exploit Bypassed LayerZero’s Verification System
• The Public Conflict Between KelpDAO & LayerZero
• Why KelpDAO Is Migrating rsETH to Chainlink CCIP
• How DeFi Protocols Coordinated to Stabilize rsETH

How the rsETH Exploit Bypassed LayerZero’s Verification System

The attack on April 18 was not caused by an issue in rsETH's smart contracts. Rather, the vulnerability focused on the bridge communication layer, which is in charge of verifying cross-chain messages across networks.

Investigations related to the incident indicate that attackers gained access to LayerZero Labs' Decentralised Verifier Network (DVN) infrastructure. Through altering validator communication and poisoning RPC endpoints, the attackers were able to create a LayerZero message that looked authentic on-chain. 116,500 rsETH was unlocked and depleted from the bridge system after the message passed verification.

Because the stolen rsETH was transferred into Aave v3 as collateral to borrow wrapped Ether, the exploit swiftly became a more widespread DeFi risk event. As a result, lending markets that were exposed to rsETH-backed holdings experienced acute liquidation pressure and systemic concerns.

As we covered in our blog, KelpDAO Exploit Triggers $290M Crisis Across DeFi, the event quickly progressed beyond a bridge attack and started to impact numerous protocols of interconnected DeFi liquidity systems.

The attack was ultimately linked by investigators to infrastructure strategies frequently used by North Korea's Lazarus Group. According to reports, the attackers redirected network requests toward hijacked servers by manipulating verification traffic, switching node binaries, and launching DDoS attacks.

Because the breakdown happened outside of the conventional smart contract layer, the attack became extremely concerning. Instead, the attack took advantage of verifier trust models and off-chain infrastructure dependability assumptions that many protocols assumed to be operationally secure by default.

The Public Conflict Between KelpDAO & LayerZero

LayerZero and KelpDAO got into a public argument about who was responsible for the breach shortly after the exploit.

According to LayerZero, KelpDAO had built up its bridge using a "1-of-1" DVN configuration, which meant that cross-chain transactions could be verified with just one verification path. LayerZero claims the configuration failed to adhere to suggested production-level requirements and greatly undermined security promises.

KelpDAO vehemently denied the allegation. According to the protocol, its integration adhered to the official templates, defaults, onboarding documentation, and direct implementation advice supplied by LayerZero throughout the course of almost 2.5 years of cooperation.

Additionally, KelpDAO cited independent studies that suggested the main cause of the problem might not have been solely the protocol's selected configuration model, but rather the compromised verification infrastructure itself.

After KelpDAO released data showing that approximately 47% of LayerZero contracts in operation within a recent 90-day period employed similarly constructed DVN setups worth billions of dollars, the dispute grew more heated. The notion that KelpDAO had implemented a particularly careless architecture was undermined by that detail.

Later, Bryan Pellegrino, CEO of LayerZero, asserted that KelpDAO had manually changed its settings away from safer defaults. Following the breach, LayerZero also said that it will no longer allow single-verifier configurations going forward, indicating a more comprehensive shift in the company's approach to bridge security.

After the recent LayerZero exploit, we are taking steps to ensure rsETH is fully secure, which is why we are migrating to @chainlink CCIP.

From the April 18 incident, it is clear that LayerZero's own infrastructure was exploited, resulting in $300M in losses across DeFi.… https://t.co/beIrfZZLlh

— Kelp (@KelpDAO) May 5, 2026

Why KelpDAO Is Migrating rsETH to Chainlink CCIP

The migration of rsETH from LayerZero's OFT infrastructure to Chainlink's Cross-Chain Interoperability Protocol (CCIP) was formally confirmed by KelpDAO on May 5.

The choice was not presented as a standard technical improvement. Rather, KelpDAO explained that the migration was a direct reaction to the exploit and an essential step in strengthening bridge-level security assumptions following infrastructure failure in actual attack scenarios.

Chainlink CCIP divides duties among several separate oracle and validation systems, in contrast to the prior architecture, where verification mostly depended on the DVN configuration surrounding LayerZero messages.

Separate execution layers, decentralised committing networks, and an extra Risk Management Network created especially to identify questionable cross-chain activity before execution finalisation comprise the protocol's structure.

KelpDAO's decision to switch infrastructure providers following the exploit was largely influenced by this tiered design.

As we covered in our previous article, Chainlink's Cross-Chain Interoperability Protocol Goes Live on Multiple Mainnets, CCIP was created with the express purpose of minimising single-point verification dependencies, which have frequently turned into attack vectors inside bridge architecture.

The fact that KelpDAO is now the first significant DeFi protocol to abandon LayerZero infrastructure following a widespread public exploit makes the shift symbolically significant for the industry as a whole.

Cross-chain providers are now under further pressure to demonstrate not only the security of smart contracts but also the robustness of their off-chain verification assumptions, infrastructure routing, and validator coordination systems.

How DeFi Protocols Coordinated to Stabilize rsETH

The exploit turned into an actual systemic risk issue for DeFi markets once the stolen rsETH entered Aave as collateral.

In order to stop cascading insolvencies linked to leveraged rsETH exposure, protocols around the ecosystem acted swiftly. In order to control contagion risks and stabilise liquidity conditions, several procedures briefly halted rsETH-related activities while Aave coordinated emergency risk actions.

Later on, recovery coordination went beyond just stabilising the market right away.

Several DeFi members coordinated emergency governance measures, recovery planning, and collateral management initiatives to lessen the exploit's broader impact on interconnected lending systems, as we covered in our blog, DeFi Unites After KelpDAO $292M Hack.

Efforts related to frozen assets related to the exploit were also part of the recovery process. Later, governance talks centred on how recovered liquidity and trapped collateral may be leveraged to promote rsETH repayment flows and stabilisation.

If you find any issues in this article or notice missing information, please feel free to reach out at team@etherworld.co for clarifications or updates.

To promote your Web3 articles, events, and projects, you may reach out anytime via EtherWorld PR for submissions and collaboration.

Related Articles

1. Golem Foundation Joins Aave-Led rsETH Recovery Effort
2. EtherFi Migrates to OP Mainnet With $220M TVL
3. Arbitrum Freezes 30,766 ETH Linked to KelpDAO Exploit
   
4. Gnosis & Zisk Launch Ethereum Economic Zone
5. Aave to Release 30,765 ETH for rsETH Recovery Moves to Vote

To follow blockchain news, track Ethereum protocol progress, and read our latest stories, subscribe to our weekly today.