On Saturday, ethereum-based protocol KelpDAO, known for liquid restaking, was exploited for $290 million, the largest hack of 2026 in the decentralized finance ecosystem.
“Preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK’s Lazarus Group,” LayerZero said in its statement explaining the attack. KelpDAO issues rsETH, while LayerZero provides network infrastructure that allows users to move KelpDAO’s rsETH between blockchains.
The configuration of KelpDAO’s exploited application, powered by LayerZero, relied on a single decentralized verifier network (DVN), responsible for verifying the integrity of cross-chain messages.
The industry best practice is for protocols to use a multi-DVN setup to prevent a unilateral point of trust or failure. “A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised,” LayerZero stated, essentially placing the blame on the restaking protocol for using a single-DVN setup.
The exploiters executed an RPC-spoofing attack and performed DDoS attacks to manipulate the single DVN instance into confirming transactions “that never in fact took place.” The LayerZero team said, “Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message.”
Meanwhile, KelpDAO is preparing to dispute LayerZero’s account and place the blame on the latter, per a CoinDesk report.
Spilling over
The exploit has since impacted the wider crypto landscape.
The attackers successfully drained 116,500 rsETH from KelpDAO’s bridge, allowing them to deposit $249.7 million of the token to DeFi’s largest lending protocols and withdraw $228.2 million worth of different cryptocurrencies, wETH and wstETH, on-chain data from Arkham Intelligence shows.
Aave, the largest lending protocol, has frozen several markets and is now facing a liquidity crunch.
On Aave’s v3, the ETH, USDT, and USDC markets, which have a combined reserve size of $10.7 billion, have each reached a 100% utilization rate, as total borrowed equals total supplied. When borrows are maxed, users cannot withdraw their supplied liquidity.
The pseudonymous head of strategy at DeFi lending platform Spark, @MonetSupply, wrote on X, “There has been a ~$300 million increase in borrowing with USDT collateral in just the past day since the rsETH exploit.”
On-chain folks are spooked
The attack comes in the same month that Drift, a solana-based trading venue, suffered from an over $270 million hack. Saturday’s attack also follows worries stemming from Anthropic’s unreleased AI model Mythos, which “is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system.”
Even though the major cryptocurrencies have not seen their prices move substantially in the last 24 hours, crypto participants have been spooked, evident by the capital exiting the decentralized finance ecosystem.
DeFi saw its total value locked decrease by $13 billion over the weekend to $85.64 billion at the time of writing, its lowest point since April last year, data from DefiLlama shows.
“OK — Kelpdao hacker, how much you want? Let’s just talk. With KelpDAO’s help, of course. It’s simply not worth it to sacrifice both Aave and KelpDAO and let them go down over this hack. You can’t spend $300 million anyway,” said Justin Sun, founder of the Tron blockchain, who has been beefing with the President Trump-backed World Liberty team.
