Kelp DAO $292M Exploit Becomes 2026's Largest — LayerZero Points to North Korea's TraderTraitor Unit
A bridge misconfiguration dragged $13.2B out of DeFi in 48 hours. Now the two parties are blaming each other over who chose the single verifier.
What happened
On April 19, attackers drained approximately $292M in rsETH from Kelp DAO's bridge, making it the largest DeFi exploit of 2026. LayerZero said attackers compromised two RPC nodes the verifier relied on, then used a DDoS to force failover, tricking the bridge into approving a fraudulent cross-chain transaction.
Attribution: TraderTraitor / Lazarus
LayerZero attributed the attack with "preliminary confidence" to North Korea's Lazarus Group and its TraderTraitor subunit. TechCrunch, CoinDesk, and Bloomberg all carried the attribution on April 20.
Contagion: $13.21B DeFi TVL wipe
Aave lost $8.45B in deposits over 48 hours as users withdrew collateral; total DeFi TVL across chains fell from $99.5B to $86.3B — a $13.21B swing. AAVE fell 6% on the day.
The blame game
LayerZero said the incident stemmed from Kelp's decision to use a 1-of-1 verifier configuration despite prior warnings, and will stop signing messages for projects using that setup. Kelp retorted that LayerZero's own quickstart guide and default GitHub config specify exactly that 1/1 setup, and that 40% of LayerZero protocols currently use it.
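The failure mode described above, modelled as an added example (not LayerZero's or Kelp's code): a verifier that fails over to a tampered RPC node signs a forged message, and the bridge accepts it once the signing threshold is met. The config schema, verifier names and RPC names are hypothetical, and the shared-RPC check goes one step beyond the article's 1-of-1 case to show that a higher threshold only helps when verifiers read from independent nodes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    rpcs: tuple  # ordered failover list of upstream RPC nodes (hypothetical schema)

def source_used(v, unavailable):
    """First RPC in the failover list that is still reachable, else None."""
    return next((r for r in v.rpcs if r not in unavailable), None)

def accepts_forged(verifiers, threshold, tampered, unavailable):
    """True if enough verifiers read tampered state to reach the signing threshold."""
    votes = sum(1 for v in verifiers if source_used(v, unavailable) in tampered)
    return votes >= threshold

def audit(verifiers, threshold):
    """Static findings a reviewer can raise before any incident."""
    findings = []
    if threshold < 2 or len(verifiers) < 2:
        findings.append(f"{threshold}-of-{len(verifiers)} quorum: one verifier decides alone")
    seen = {}
    for v in verifiers:
        for r in v.rpcs:
            seen.setdefault(r, []).append(v.name)
    for rpc, users in sorted(seen.items()):
        if len(users) > 1:
            findings.append(f"{rpc} shared by {', '.join(users)}: verifiers not independent")
    return findings

# Constructed sample data; node and verifier names are placeholders.
TAMPERED = {"rpc-b", "rpc-c"}   # nodes returning falsified chain state
UNAVAILABLE = {"rpc-a"}         # healthy primary knocked offline, forcing failover

ONE_OF_ONE = ([Verifier("v1", ("rpc-a", "rpc-b", "rpc-c"))], 1)
TWO_OF_THREE = ([Verifier("v1", ("rpc-a", "rpc-b", "rpc-c")),
                 Verifier("v2", ("rpc-d", "rpc-e")),
                 Verifier("v3", ("rpc-f", "rpc-g"))], 2)
SHARED = ([Verifier("v1", ("rpc-a", "rpc-b")),
           Verifier("v2", ("rpc-a", "rpc-b"))], 2)

if __name__ == "__main__":
    for label, (vs, t) in [("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE), ("shared", SHARED)]:
        print(label, accepts_forged(vs, t, TAMPERED, UNAVAILABLE), audit(vs, t))
```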
BlockAI Take
This is less a smart-contract failure than a governance failure baked into "secure defaults." If 40% of LayerZero's surface area runs the same 1/1 verifier config Kelp used, the next exploit is a configuration change away, not a code audit away. Expect a flurry of "multi-verifier upgrade" announcements by week's end.