LayerZero Blames Kelp's Single DVN Setup for $290M Exploit as Aave Bleeds $8.9B

Rebeca Moen Apr 20, 2026 11:03

LayerZero says Kelp ignored security advice, used single verifier setup enabling $290M hack. Aave TVL drops $8.9B as bad debt mounts and blame game intensifies.

LayerZero is pointing the finger squarely at Kelp DAO for Saturday's $290 million bridge exploit, claiming the restaking protocol ignored repeated warnings about its vulnerable security configuration. The fallout has already hammered Aave, which saw nearly $9 billion exit the protocol as bad debt concerns mount.

The interoperability protocol disclosed Monday that Kelp's rsETH bridge relied on a single Decentralized Verifier Network (DVN) as its only verification path—a setup LayerZero explicitly advised against. That single point of failure let attackers drain approximately 116,500 rsETH, worth $292-$293 million at the time.

"LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration," the company stated.

Preliminary analysis suggests North Korea-linked threat actors orchestrated the attack, according to LayerZero. The Lazarus Group attribution aligns with the sophisticated nature of the exploit.

Aave Takes Collateral Damage

The exploit's ripple effects hit Aave hard. The attacker used stolen rsETH as collateral to borrow legitimate assets, leaving roughly $195 million in bad debt on the lending protocol. Aave's total value locked has plunged from approximately $26.4 billion to $17.5 billion—a 34% drop—as users rushed to withdraw funds.

Aave froze all rsETH on v3 and v4 immediately after the incident. The protocol's smart contracts weren't compromised, but that's cold comfort for depositors watching liquidity evaporate.

MoneySupply, head of strategy at competing protocol Spark, flagged a dangerous secondary risk: ETH liquidity on Aave has dropped so low that liquidations can't execute properly at 100% utilization. "A 15-20% ETHUSD price drop could cause significant bad debt accumulation," he warned Saturday.

The Blame Game Begins

With no recovery plan announced, the crypto community spent Monday debating who should eat the losses. The candidates: Kelp DAO, LayerZero, Aave, or rsETH holders themselves.

OneKey founder Yishi Wang proposed negotiating with the hacker—offer a 10-15% bounty, get most funds back. If that fails? "LayerZero's ecosystem fund should foot the bulk of the bill—it's got the deepest pockets and the most long-term skin in the game," he wrote, adding bluntly that Kelp DAO is "broke."

DeFiLlama founder 0xngmi outlined grimmer options: socialize losses across all users, effectively "rug rsETH holders on L2s," or attempt a pre-hack snapshot restoration—which he called "very hard to do."

LayerZero's Response

LayerZero is now mandating change. The protocol said it will stop signing or attesting messages for any application maintaining single-DVN configurations. All projects using 1/1 setups must migrate to multi-DVN architectures.

DVNs form the backbone of LayerZero's cross-chain security. The protocol operates across 80+ blockchains with 35 active DVNs, including providers like Google Cloud. Best practice calls for multiple independent verifiers checking each cross-chain message—exactly what Kelp didn't implement.

The CryptoEconomic DVN Framework, launched in October 2024 with Eigen Labs, was designed to prevent exactly this scenario by requiring verifiers to stake assets that can be slashed for malicious behavior. Whether Kelp's configuration would have survived under stricter requirements remains unclear.

Cointelegraph reached out to Aave for comment but received no response by publication. Kelp DAO hasn't announced any compensation or recovery timeline.

• layerzero
• kelp dao
• aave
• defi exploit
• rseth