KelpDAO Switches to Chainlink CCIP After $292M LayerZero Exploit

TLDR:

• KelpDAO lost 116,500 rsETH in an April 18 exploit tied to North Korea’s Lazarus Group via LayerZero.
• LayerZero’s 1-of-1 DVN setup was used by 47% of OApp contracts, contradicting claims it was unique to Kelp.
• KelpDAO intervened to block $100M in additional forged transactions before pausing its bridge contracts.
• KelpDAO is now migrating to Chainlink CCIP, which has processed over $30 trillion in value over 7 years.

KelpDAO is migrating to Chainlink’s Cross-Chain Interoperability Protocol following a major exploit on April 18, 2026.

The attack, linked to North Korea’s Lazarus Group, targeted LayerZero’s infrastructure and drained 116,500 rsETH from KelpDAO’s bridge.

The total losses across DeFi protocols exceeded $300 million. KelpDAO has since disputed LayerZero’s framing of the incident, calling the infrastructure failure a systemic issue within LayerZero’s own operations.

The Attack and Its Impact on DeFi

The April 18 exploit originated within LayerZero Labs’ off-chain infrastructure. Attackers compromised two RPC nodes used by LayerZero’s DVN and launched a DDoS attack on the remaining nodes.

This forced DVN signers to validate a non-existent transaction, producing fake token burns and flooding markets with unbacked rsETH.

Aave and other DeFi platforms were among the protocols affected by the unbacked rsETH. Two additional forged transactions worth over $100 million were also signed by the LayerZero Labs DVN.

KelpDAO’s team intervened in time to pause contracts and block those transactions before further damage occurred.

KelpDAO also flagged the exploit to LayerZero directly, as the latter’s monitoring systems had not detected it. According to KelpDAO, LayerZero’s team appeared unaware of any issue when first contacted. This raised concerns about the reliability of LayerZero’s internal alerting processes.

The Dispute Over the 1-of-1 DVN Configuration

LayerZero attributed the exploit to KelpDAO’s use of a 1-of-1 DVN configuration, calling it a risky manual setup. KelpDAO pushed back firmly on this claim.

According to Dune Analytics data, 47% of roughly 2,665 LayerZero OApp contracts used the same 1-1 DVN setup at the time.

KelpDAO also shared Telegram exchanges showing LayerZero team members explicitly approving the 1-1 configuration during pre-deployment reviews. Over 2.5 years of integration discussions, LayerZero reportedly raised no objections to the setup.

KelpDAO followed LayerZero’s own documentation and quickstart guides, which defaulted to the 1-1 LayerZero Labs DVN configuration.

A post from @CatfishFishy on April 24 drew attention to a December 2024 statement from LayerZero’s Bryan, who claimed no applications were using the LayerZero DVN as a 1-1 setup.

At that point, rsETH already held roughly $200 million in TVL across L2 deployments under that exact configuration. Independent security researchers, including @banteg, also confirmed through public reports that the exploit originated from LayerZero’s own infrastructure, not from KelpDAO’s settings.

KelpDAO’s Migration to Chainlink CCIP

Following the exploit, KelpDAO announced a full transition away from LayerZero. The protocol is now moving to Chainlink’s Cross-Chain Interoperability Protocol and adopting Chainlink’s Cross-Chain Token standard for rsETH. The migration is currently being finalized by KelpDAO’s engineering team.

Chainlink’s decentralized oracle network has processed over $30 trillion in value across more than seven years of operation.

The network also remained functional during several major global outages, making it a more established option for cross-chain security.

KelpDAO stated that all rsETH cross-chain transfers will soon run through Chainlink CCIP across all supported chains.

After the exploit, LayerZero announced it would stop attesting messages for any app using a 1-1 DVN setup. KelpDAO noted that this policy change came only after the configuration had already caused hundreds of millions in losses.

The 1-1 configuration, however, reportedly still appears in LayerZero’s own documentation and default OFT deployment templates.