Kelp Blames LayerZero for $292M rsETH Hack, Migrates to Chainlink as Court Fight Grows

A $292 million bridge hack turned into a public blame war — and the legal fight for $71 million is just getting started.

KelpDAO has formally accused LayerZero of approving the bridge configuration that led to the theft of approximately $292 million in rsETH (116,500 tokens) on April 18, 2026 — and announced it is migrating its rsETH liquid restaking token from LayerZero's OFT standard to Chainlink's CCIP protocol. LayerZero CEO Bryan Pellegrino has publicly disputed Kelp's account. Chainalysis attributed the attack to North Korea's Lazarus Group. A $71 million court case between the two protocols is ongoing, making this one of the most contentious security disputes in DeFi's recent history — combining a state-sponsored cyberattack, disputed infrastructure liability, and active litigation.

What Happened on April 18 — and How the Attack Worked

The April 18 exploit was not a smart contract vulnerability in the conventional sense. It was an attack on the off-chain infrastructure underlying KelpDAO's LayerZero bridge. LayerZero's security model depends on a network of Decentralized Verifier Nodes (DVNs) — independent validators that must attest to the authenticity of cross-chain messages before they are processed. The security guarantee scales with the number of independent DVNs required to sign off on each transaction: a configuration requiring attestation from, say, five independent DVNs across different organizations is vastly more resistant to compromise than one requiring a single DVN.

Kelp's bridge was running in a 1-of-1 DVN configuration — meaning a single verifier could authorize any cross-chain message. Lazarus Group identified this single point of failure, then executed a two-pronged attack: they compromised Kelp's internal RPC nodes to control the data being fed to the verifier, and simultaneously launched a DDoS attack against external backup nodes to prevent fallback verification. With the verifier feeding on compromised data and no external check available, the attackers minted 116,500 rsETH on the destination chain backed by nothing, draining the bridge entirely.

The attack required sophisticated social engineering and infrastructure access — Chainalysis notes that Lazarus Group operations of this type typically involve months of reconnaissance and credential gathering before execution. The April 18 date was the culmination of a longer operation, not an opportunistic exploit of a freshly discovered vulnerability.
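The verifier-threshold model described above can be checked mechanically. The following is an added example, not code from KelpDAO, LayerZero or Chainalysis: it audits a simplified, hypothetical pathway configuration and reports how many distinct operators would have to be compromised to reach a full quorum. The field names, verifier ids, operator names and pathway names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass
class PathwayConfig:
    """Hypothetical, simplified verifier setup for one bridge pathway."""
    name: str
    required: list                      # verifiers that must ALL attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0         # how many optional verifiers must attest

def min_operators_to_forge(cfg, operator_of):
    """Fewest distinct operators whose compromise yields a full quorum (None if unsatisfiable)."""
    base = {operator_of[v] for v in cfg.required}
    if cfg.optional_threshold == 0:
        return len(base)
    sizes = [len(base | {operator_of[v] for v in combo})
             for combo in combinations(cfg.optional, cfg.optional_threshold)]
    return min(sizes) if sizes else None

def audit(configs, operator_of, min_independent=2):
    """Return (pathway, finding) pairs for setups weaker than the policy."""
    findings = []
    for cfg in configs:
        signers = len(cfg.required) + cfg.optional_threshold
        cost = min_operators_to_forge(cfg, operator_of)
        if cost is None:
            findings.append((cfg.name, "optional threshold exceeds optional verifiers"))
        elif signers <= 1:
            findings.append((cfg.name, f"{signers}-of-{signers}: a single attestation authorizes every message"))
        elif cost < min_independent:
            findings.append((cfg.name, f"{signers} signers but only {cost} independent operator(s)"))
    return findings

# Constructed sample data: verifier ids, operators and pathway names are made up.
OPERATORS = {"dvn-a": "org-1", "dvn-b": "org-1", "dvn-c": "org-2", "dvn-d": "org-3"}
CONFIGS = [
    PathwayConfig("eth->l2-alpha", ["dvn-a"]),                    # 1-of-1
    PathwayConfig("eth->l2-beta", ["dvn-a", "dvn-b"]),            # two signers, one operator
    PathwayConfig("eth->l2-gamma", ["dvn-a"], ["dvn-b", "dvn-c", "dvn-d"], 2),
]

if __name__ == "__main__":
    for name, finding in audit(CONFIGS, OPERATORS):
        print(f"{name}: {finding}")
```

Counting signers alone is not enough: the second pathway has two verifiers but a single operator behind both, so it is flagged alongside the 1-of-1 pathway.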

The Blame Dispute: What Each Side Says

KelpDAO's position, published in a post-mortem on May 5, is that LayerZero explicitly reviewed and approved the 1-of-1 DVN configuration before the bridge went live. Kelp claims LayerZero's documentation and account team did not flag the single-DVN setup as inadequate for production use, and that the responsibility for the security failure therefore lies with LayerZero for signing off on an insecure architecture.

LayerZero CEO Bryan Pellegrino counters that Kelp originally deployed the bridge with LayerZero's default multi-DVN configuration — which would have provided the redundancy needed to prevent the attack — and subsequently changed the setup to 1-of-1 on its own initiative. Pellegrino has been explicit on social media that 1-of-1 DVN was not and is not recommended for production bridges managing significant liquidity. LayerZero's documentation warns that single-DVN configurations are appropriate for testing environments only.

The dispute matters legally because it determines who bears liability for the user losses. Kelp's migration to Chainlink CCIP, which requires transaction approval from multiple independent validators by design, implicitly concedes that multi-validator security is the correct standard — but Kelp's framing is that it should have been told this more forcefully before the bridge launched. The $71 million court case — separate from the total $292 million loss, likely covering an escrow or insurance pool — will test whether a bridge infrastructure provider can be held liable when a customer deploys a configuration the provider's documentation discourages.

What to Watch

The legal question will unfold over months, but the near-term technical signal to watch is how quickly the rsETH migration to Chainlink CCIP completes and whether affected users receive token continuity through the migration. Kelp has indicated that rsETH holders will not need to take action: the bridge infrastructure upgrade is being handled at the protocol level, not the token level. Watch also for LayerZero's response to the court filing: Pellegrino has been aggressive in public communications, which suggests LayerZero intends to fight the liability claim rather than settle. Finally, there is the broader matter of a DVN configuration audit: if Kelp was running a 1-of-1 setup in production, it is worth asking how many other LayerZero-powered bridges are doing the same. A proactive audit and public disclosure would be the responsible move from the LayerZero ecosystem, and one that could come under regulatory pressure if it doesn't happen voluntarily.

Inside the KelpDAO Bridge Exploit
Chainalysis's detailed forensic breakdown of the April 18 attack: the 1-of-1 DVN configuration, the compromised RPC + DDoS attack pattern, and North Korea's Lazarus Group attribution.
Drift Protocol Exploit — DPRK-Linked Analysis
Elliptic's analysis of the DPRK attack pattern used in Solana DeFi exploits, including technical context relevant to both the Kelp and Drift hacks attributed to North Korean state actors.


How we report: This article cites primary sources, regulatory filings, and on-chain data where available. BlockAI News uses AI tools to assist with research and first-draft generation; every article is reviewed and edited by a human editor before publication. Read our full How We Report page, Editorial Policy, AI Use Policy, and Corrections Policy.
