LayerZero Blames Kelp’s Single DVN for $290M rsETH Hack

On Saturday attackers withdrew about 116,500 Restaked ETH (rsETH), worth roughly $292–293 million, from Kelp DAO’s LayerZero-powered rsETH bridge. The stolen tokens were used as collateral to borrow liquidity on Aave, producing about $195 million in bad debt.

LayerZero reported that the root cause was a single-verifier configuration on Kelp’s decentralized verifier network (DVN). The company said Kelp relied on a single LayerZero Labs DVN as the only verified path for cross-chain messages despite prior recommendations to use multiple independent verifiers.

After the bridge withdrawal, the exploiter moved funds into Aave and opened borrowing positions. Aave halted all rsETH positions on Aave v3 and v4 to stop further damage. Aave’s smart contracts were not exploited, but protocol liquidity was affected; the platform’s total value locked fell by about $8.9 billion to $17.5 billion at the time of reporting.

LayerZero and other analysts have flagged preliminary signs of involvement by threat actors linked to North Korea, and blockchain investigators are tracing fund flows and addresses. No coordinated recovery or compensation plan has been announced by Kelp DAO, LayerZero or Aave.

Community members and protocol operators have proposed different remedies. Yishi Wang, founder and CEO of OneKey, suggested negotiating with the exploiter and offering a 10–15% bounty, with fallback funding from LayerZero’s ecosystem fund if talks fail. The pseudonymous analyst 0xngmi outlined options including sharing losses across users, penalizing rsETH holders on L2s, or attempting a pre-hack snapshot restoration and noted the technical difficulty of the latter.

Market observers warned that the exploit reduced Ether liquidity on Aave and raised liquidation risks. MoneySupply, head of strategy at lending protocol Spark, wrote that current illiquidity could prevent liquidations if markets reach full utilization and that a 15–20% drop in ETHUSD could cause additional bad debt beyond the rsETH incident.

In response to the incident, LayerZero urged all applications using a 1/1 DVN setup to migrate to multi-DVN configurations and said it will stop signing or attesting messages for apps that retain a single verifier. The company described the problem as an unsafe application configuration rather than a compromise of LayerZero’s infrastructure.

A decentralized verifier network (DVN) is a set of independent verifiers that confirm cross-chain messages. A 1/1 DVN uses a single verification path, while multi-DVN setups require messages to pass multiple independent checks before assets can move. rsETH represents staked, restaked Ether used for yield and as collateral on lending platforms.

Investigations into the exploit, attacker identities and potential recovery options are ongoing. Protocol operators and community stakeholders are evaluating technical fixes, governance measures and financial remedies while monitoring for further market impact.