KelpDAO Blames LayerZero for $300M rsETH Hack, Moves to CCIP

KelpDAO says a breach of LayerZero Labs’ infrastructure allowed attackers linked to the Lazarus Group to fraudulently mint and withdraw about $300 million in rsETH on April 18, 2026. The DAO announced it will migrate rsETH to Chainlink’s Cross-Chain Interoperability Protocol (CCIP).

According to KelpDAO, the exploit involved forged cross-chain messages after the attackers accessed LayerZero’s core systems. KelpDAO paused its contracts during the incident and reports that action prevented roughly $100 million in additional forged transactions from executing.

LayerZero’s post-mortem attributed the incident to a KelpDAO configuration that used a 1-of-1 decentralized verifier network (DVN) with LayerZero Labs as the sole validator. KelpDAO contests that account, saying LayerZero’s quickstart guides and default templates steered developers toward the same 1-1 setup.

KelpDAO pointed to on-chain analysis showing that about 47% of LayerZero-connected applications-more than 1,200 contracts-used the 1-1 DVN configuration. The DAO released screenshots it says are Telegram messages in which LayerZero staff repeatedly told Kelp that the default settings were acceptable. LayerZero acknowledged that attackers obtained the list of RPCs its DVN used, that two independent nodes were compromised and that binaries were replaced. KelpDAO noted that LayerZero later banned 1-1 DVN configurations.

Independent reviews cited by KelpDAO reported additional security gaps in default LayerZero deployments. Those reviews found public gateways exposed without protections such as web application firewalls or IP allowlists, and a default RPC quorum set low enough that a single poisoned node could allow a forged message to be signed. KelpDAO also criticized LayerZero’s monitoring for not detecting the intrusion.

KelpDAO said it will move rsETH from LayerZero’s OFT token standard to Chainlink’s CCIP and the Cross-Chain Token (CCT) standard. The DAO cited Chainlink’s longer operational history and its decentralized oracle network in explaining the change. KelpDAO wrote, “The simple truth: LayerZero blamed their users for an issue that was caused by their own infrastructure failure.”

In response to the incident, LayerZero has updated recommended configurations to disallow single-validator DVNs. Projects that used LayerZero quickstart templates are reviewing their security settings. Security firms and on-chain analysts are still tracing transaction flows and node compromise techniques, and chain-analysis work has linked the theft to the Lazarus Group with high confidence.

A 1-of-1 DVN relies on a single validator to confirm cross-chain messages. If that validator or its node credentials are compromised, a forged message can be accepted without cross-checks. LayerZero’s OFT standard makes tokens operate across chains quickly, while Chainlink’s CCIP uses multiple signers and additional oracle security assumptions to reduce the risk of a single point of failure.

KelpDAO said the migration is intended to protect users’ assets and that work to move rsETH to CCIP is underway.