Kelp DAO Turns to Chainlink CCIP After LayerZero Incident Triggered $300M in DeFi Losses

 

By Muhammad Hassan // May 7, 2026 @ 10:22 AM

Points of Focus

  • KelpDAO drops LayerZero for Chainlink CCIP after a $300M DeFi exploit.
  • The protocol claims LayerZero’s default verifier setup exposed protocols to bridge risk.
  • The exploit triggered collateral stress and recovery efforts across DeFi lending markets.

 

On the morning of April 18, 2026, Kelp DAO’s engineers noticed something wrong with their rsETH bridge before LayerZero did. By the time contracts were paused, $292 million was gone.

Three weeks later, Kelp is rewriting its cross-chain architecture and pointing the finger directly at the infrastructure provider it trusted to keep it safe. 

It has formally abandoned LayerZero, published a counter-narrative that implicates the bridge provider in its own failure, and handed Chainlink the keys to its cross-chain infrastructure.

 

 

How the attack worked

Lazarus Group, the North Korean state-sponsored hacking unit behind several of DeFi’s largest thefts, gained access to the list of RPC nodes used by the LayerZero Labs Decentralized Verifier Network, the off-chain component responsible for confirming that a cross-chain message is legitimate before releasing funds. 

Attackers compromised two RPC nodes and swapped the software binaries running on them. They then launched a DDoS attack against the uncompromised nodes, forcing traffic to failover to the poisoned ones. The manipulated DVN then confirmed a fabricated burn transaction and released 116,500 rsETH from Kelp’s Ethereum-side bridge vault against nothing on the other side. Kelp’s team detected the breach first and paused contracts before two additional forged transactions totalling more than $100 million could be processed. 

The Arbitrum Security Council later froze more than 30,000 ETH linked to the attacker’s downstream funds. North Korea terrorism creditors and the DeFi United recovery coalition are now competing in US federal court for control of the frozen $71 million.

 

The blame dispute and what Kelp is alleging

LayerZero’s April 19 post-mortem framed the exploit as a Kelp configuration failure, specifically the decision to use a 1-of-1 DVN setup with LayerZero Labs as the sole verifier, a design it said directly contradicted its recommended multi-DVN model. 


Kelp published a detailed counter-memo on May 6, 2026 rejecting that framing on three specific grounds: 

  • Dune Analytics data shows 47% of the roughly 2,665 active LayerZero OApp contracts over the 90-day period ending April 22 used the same 1-of-1 configuration, representing more than $4.5 billion in associated value. 
  • Kelp said LayerZero’s own quickstart documentation and default OFT deployment templates pointed developers toward the vulnerable setup.
  • It shared screenshots of Telegram conversations across eight integration discussions spanning two years in which LayerZero team members said the configuration was fine. LayerZero responded that Kelp had manually downgraded from a multi-DVN setup to a 1-of-1, and that the 1-of-1 configuration is out of scope for its bug bounty program. 

 

Telegram communication with a LayerZero Labs team member

 

Security researcher Sujith Somraaj, who previously audited LayerZero, said he submitted a bug bounty report identifying a similar flaw before the hack. LayerZero rejected it. LayerZero banned 1-of-1 configurations after the exploit. Kelp noted the policy arrived after the losses, not before.

 

Why Chainlink and what changes technically

Kelp announced on May 5, 2026, that it is migrating rsETH from LayerZero’s Omnichain Fungible Token standard to Chainlink’s Cross-Chain Token standard, powered by Chainlink’s Cross-Chain Interoperability Protocol. Where LayerZero’s DVN relied on a single verifier that controlled confirmation from end to end, CCIP requires multiple independent oracle networks to approve every cross-chain transfer.

Each network uses a separate codebase, separate risk management infrastructure, and separate operators, meaning no single point of failure can release funds on its own. Chainlink Chief Business Officer Johann Eid confirmed the company is working directly with Kelp’s engineering team on the migration.
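A simplified model of the difference described above, added here as an illustration and not code from Kelp, LayerZero or Chainlink. The `Verifier` type, the function names and all sample data are hypothetical; the point is that a release gate and a configuration audit should count independent operators and codebases, not just verifier entries.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:          # hypothetical model, not a LayerZero or CCIP type
    name: str
    operator: str        # organisation running the verifier
    codebase: str        # implementation the verifier runs

def independent_count(verifiers):
    """Greedy, conservative count of verifiers sharing no operator or codebase."""
    ops, code, n = set(), set(), 0
    for v in sorted(verifiers, key=lambda v: v.name):
        if v.operator not in ops and v.codebase not in code:
            ops.add(v.operator)
            code.add(v.codebase)
            n += 1
    return n

def may_release(message_id, attestations, verifiers, threshold):
    """Release only if `threshold` independent verifiers confirmed this message."""
    approving = [v for v in verifiers if attestations.get(v.name) == message_id]
    return independent_count(approving) >= threshold

def single_operator_can_release(verifiers, threshold):
    """Audit check: can one operator's verifiers alone meet a plain threshold?"""
    return max(Counter(v.operator for v in verifiers).values()) >= threshold

# Constructed sample data (not taken from the incident)
A = Verifier("dvn-a", "operator-1", "impl-x")
B = Verifier("dvn-b", "operator-2", "impl-y")
C = Verifier("dvn-c", "operator-3", "impl-z")
A2 = Verifier("dvn-a2", "operator-1", "impl-x")   # same operator as dvn-a
FORGED = "msg-placeholder-unbacked-burn"           # placeholder message id
attest = {"dvn-a": FORGED, "dvn-a2": FORGED}       # only operator-1 confirms it

def scenario():
    return {
        "1-of-1 releases": may_release(FORGED, attest, [A], 1),
        "2-of-3 independent releases": may_release(FORGED, attest, [A, B, C], 2),
        "2-of-3 shared operator releases": may_release(FORGED, attest, [A, A2, B], 2),
        "audit flags 1-of-1": single_operator_can_release([A], 1),
        "audit flags shared operator": single_operator_can_release([A, A2, B], 2),
        "audit flags independent 2-of-3": single_operator_can_release([A, B, C], 2),
    }

if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```

In this model only the 1-of-1 setup releases on the unbacked message, and the audit also flags the 2-of-3 setup in which two verifier entries belong to one operator.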

 

 

Chainlink cited a seven-year operating history with no loss of user funds and has processed over $30 trillion in cumulative value across its oracle infrastructure. New CCIP-compatible contracts are already visible in Kelp’s public repositories alongside the legacy LayerZero setup.


Muhammad Hassan

Muhammad Hassan is a tech writer with over 11 years of experience in the crypto space. He specializes in crafting data-driven strategic content that helps blockchain and fintech brands grow their organic reach. He has led editorial initiatives for global crypto media outlets, where his strategies and article series have reached millions of readers worldwide.
