Kelp DAO to Move rsETH to Chainlink CCIP After $292M Exploit

Kelp DAO announced it will migrate its rsETH restaking token to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) after an April 18 exploit that transferred 116,500 rsETH from a LayerZero-powered bridge. Kelp estimates the stolen tokens at roughly $292 million and posted on X that the migration is intended to secure rsETH.

The attackers moved the stolen rsETH into Aave v3 as collateral to borrow wrapped Ether, creating further exposure in the decentralized lending market. Kelp reported the asset movements publicly and said remedial work and investigations are ongoing.

LayerZero published a postmortem after the attack, attributing the breach to an inadequate configuration of Kelp’s decentralized verifier network (DVN). LayerZero argued the setup relied on a single verifier rather than multiple independent verifiers to validate cross-chain messages and said it had advised against single-verifier configurations. The company added it will no longer validate cross-chain messages for apps that depend on a single verifier and that it is migrating affected protocols to multi-DVN setups.

Kelp disputed LayerZero’s account. The protocol wrote that a 1/1 DVN configuration is the default and that many other projects use a single verifier. Kelp said it had communicated with LayerZero since January 2024 and that DVN configurations were confirmed as secure during those discussions. Kelp also cited analytics data indicating roughly half of LayerZero users run a single verifier.

LayerZero co-founder and CEO Bryan Pellegrino pushed back in a reply on X, calling many of Kelp’s claims “just completely untrue.” Pellegrino wrote that rsETH was originally set to LayerZero’s default multi-DVN configuration and that the project later manually changed to a 1/1 setup, which LayerZero does not recommend for production. He added that the defaults referenced by Kelp were multiDVN or DeadDVN and that an external postmortem by security firms will be published soon.

Security researchers have linked the Kelp breach to other large incidents this month and some reports point to North Korea-aligned hacker groups as suspects. Analysts have noted similarities to an April 1 exploit of the decentralized exchange Drift that resulted in about $285 million in losses. Investigations into attribution and the flow of stolen funds remain active.

Kelp’s migration will replace LayerZero’s cross-chain messaging with Chainlink CCIP, which uses a different set of validators and oracle services for message routing and token transfers. Kelp said the change will be implemented while the protocol and external teams continue forensic analysis and remedial actions.