The $290 Million DeFi Crisis: Decoding the KelpDAO and LayerZero Exploit
Quick Summary
The decentralized finance (DeFi) world is reeling after a massive $290 million exploit targeted KelpDAO and its LayerZero-based bridge protocol. Preliminary investigations link the attack to the North Korean-backed Lazarus Group, which reportedly used a sophisticated “RPC poisoning” technique to trick the system into releasing funds. This event, the largest DeFi hack of 2026, has frozen lending markets, caused $15 billion in total value locked (TVL) to vanish, and ignited a fierce debate over the security of multi-signature systems.
What Happened?
On a Saturday that will be remembered as a dark day for DeFi, an attacker managed to drain 116,500 rsETH (KelpDAO’s liquid restaking token) from an Ethereum escrow account. The vulnerability lay in the way KelpDAO configured its LayerZero bridge. Unlike more secure setups that require multiple validators to sign off on a transaction, KelpDAO used a 1-of-1 configuration, relying solely on LayerZero Labs for verification.
The hackers did not break the code or steal private keys. Instead, they performed an “RPC poisoning” attack. By corrupting the nodes that the verifier used to check data, they fed the system fake information, making it believe a legitimate deposit had occurred on another chain. The bridge then released the tokens on Ethereum to the hacker, who immediately used them as collateral on lending platforms like Aave to borrow other assets, effectively cashing out before the alarm was raised.
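The failure mode described above is a verifier that trusts whatever a single data source tells it. The following sketch is an added example, not code from KelpDAO, LayerZero or the original article: it shows a verifier-side check that refuses to attest a deposit unless a quorum of endpoints report the same finalized event. The endpoint names, the DepositView fields and the sample values are hypothetical and constructed, and the endpoints are assumed to be operated independently of one another.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class DepositView:
    """What one RPC endpoint reports about a claimed source-chain deposit."""
    block_hash: str     # block said to contain the deposit event
    amount: int         # deposited amount (illustrative units)
    confirmations: int  # depth of that block as seen by this endpoint

def attest_deposit(views, quorum, min_confirmations):
    """Return (agreed (block_hash, amount) or None, endpoints to alert on).

    views maps endpoint name -> DepositView, or None when that endpoint
    has no record of the deposit or did not answer.
    """
    if not 2 <= quorum <= len(views):
        # A quorum of 1 is the 1-of-1 setup: one poisoned source is enough.
        raise ValueError("quorum must be at least 2 and at most len(views)")
    claims = {
        name: (v.block_hash, v.amount)
        for name, v in views.items()
        if v is not None and v.confirmations >= min_confirmations
    }
    if not claims:
        return None, sorted(views)
    winner, count = Counter(claims.values()).most_common(1)[0]
    if count < quorum:
        return None, sorted(views)  # no quorum: do not release, review all sources
    # Quorum reached; endpoints that disagree or are silent still warrant an alert.
    dissent = sorted(name for name in views if claims.get(name) != winner)
    return winner, dissent

# Constructed sample data, not taken from the incident.
HONEST = DepositView("0xaaa", 100, 40)
FORGED = DepositView("0xbad", 999, 40)

def demo():
    poisoned = {"rpc-a": FORGED, "rpc-b": None, "rpc-c": None}
    healthy = {"rpc-a": HONEST, "rpc-b": HONEST, "rpc-c": HONEST}
    mixed = {"rpc-a": FORGED, "rpc-b": HONEST, "rpc-c": HONEST}
    return [attest_deposit(s, quorum=2, min_confirmations=32)
            for s in (poisoned, healthy, mixed)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the first scenario only one endpoint reports the deposit, so nothing is attested; in the third, the two agreeing endpoints outvote the forged view and the dissenting endpoint is returned for alerting.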
Key Highlights
- Total Loss: Approximately $290 million drained in rsETH tokens.
- Methodology: RPC poisoning attack on a 1-of-1 DVN (Decentralized Verifier Network) configuration; no smart contract bugs involved.
- Attribution: Lazarus Group (DPRK) is the primary suspect.
- Contagion: DeFi TVL dropped by $15 billion; Aave froze several markets to prevent further bad debt.
- Recovery Action: The Arbitrum Security Council took the controversial step of seizing $71 million of the stolen funds via an emergency contract upgrade.
Market Impact
The fallout has been catastrophic for liquidity. Aave, the largest lending protocol, saw its WETH (Wrapped Ethereum) utilization hit 100 percent, meaning there was no money left for users to withdraw as everyone tried to exit at once. About $8.45 billion left Aave in just two days.
Because the stolen rsETH was used to borrow real ETH and stablecoins, the protocol is now left with bad debt—collateral that isn’t worth as much as the money borrowed against it. This has forced major projects to pause their bridges and lending markets, leading to a general loss of confidence in liquid restaking tokens (LRTs).
Industry Perspective
This hack highlights a major structural flaw in modern DeFi. Many protocols claim to be decentralized, but in reality, they are controlled by a small number of people who, via a multi-signature wallet, have the power to upgrade contracts or freeze funds.
For beginners, Liquid Restaking is a way to earn extra yield on your Ethereum while still having a token (like rsETH) that you can use elsewhere. However, this hack shows that when you bridge these tokens across different blockchains, you are adding layers of risk. If the bridge fails, your liquid token might become worthless.
What’s Next?
The community is currently debating how to socialize the losses. There are two main scenarios: either everyone holding rsETH takes a 15 percent loss, or the losses are isolated only to those who held the token on Layer-2 networks, where the bridge failed. Aave is working with risk managers to secure external commitments to cover the debt, but the process is expected to be long and legally complex.
Final Thoughts
The KelpDAO exploit is a wake-up call for the entire industry. It proves that even without bugs in the code, infrastructure weaknesses can be just as deadly. As DeFi continues to grow, the focus must shift from chasing high yields to ensuring that the underlying plumbing of the crypto world—the bridges and verifiers—is truly resilient.
