KelpDAO’s $290 million rsETH exploit has moved into a new phase, with LayerZero and Aave now publicly outlining how the incident unfolded, why the damage appears contained, and what it could mean for crypto cross-chain security standards going forward.
The central claim from LayerZero is that the exploit was not a failure of the protocol itself, but the result of KelpDAO’s decision to run rsETH with a single-DVN configuration. That matters because the latest statements shift the market narrative away from generalized contagion risk across LayerZero-integrated assets and toward a narrower question: how much risk was concentrated in one application’s security design.
LayerZero Links KelpDAO Crypto Exploit To RPC Attack
In an incident statement from April 20, LayerZero said the April 18 attack targeted KelpDAO’s rsETH setup and was “isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.” The company added that it had conducted “a comprehensive review of active integrations” and could confirm “with confidence that there is zero contagion to any other asset or application.”
LayerZero framed the episode as a state-linked crypto infrastructure attack rather than a protocol exploit. According to the statement, “preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor.”
It said the attack did not compromise the protocol, key management, or the DVN instances directly. Instead, the attacker allegedly poisoned downstream RPC infrastructure used by the LayerZero Labs DVN, swapped binaries on compromised op-geth nodes, and then used DDoS pressure on uncompromised RPCs to force failover toward the poisoned infrastructure.
That sequence is central to LayerZero’s argument. “Because of our least-privilege principles, they were unable to compromise the actual DVN instances,” the company wrote. “However, they used this pivot point to execute an RPC-spoofing attack.
Their malicious node used a custom payload designed explicitly to forge a message to the DVN with minimal warnings.” LayerZero said the manipulated node presented false data only to the DVN while returning truthful responses to other IPs, including its own monitoring infrastructure, in what it described as a deliberately stealthy effort to avoid detection.
Even so, LayerZero argues the exploit should have been stopped at the application layer had rsETH not relied on a 1-of-1 verifier setup. “The affected application was rsETH, issued by KelpDAO,” the statement said. “Their OApp configuration at the time of this incident relied on a 1-of-1 DVN setup, with LayerZero Labs as the sole verifier — a configuration that directly contradicts the multi-DVN redundancy model that LayerZero has consistently recommended to all integration partners.”
It added that “a properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised.”
The company said its DVN is live again, that affected RPC nodes have been deprecated and replaced, and that it will no longer sign or attest messages for applications using a 1/1 configuration. It also said it is working with law enforcement and industry partners, including Seal911, to track funds.
Aave said in an X update on late The protocol said its analysis shows “rsETH on Ethereum mainnet is fully backed,” but added that “out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped.” WETH reserves also remain frozen across the affected markets on Ethereum, Arbitrum, Base, Mantle, and Linea while the team continues to validate information and assess possible resolutions.
At press time, the total crypto market cap stood at $2.5 trillion.
