LayerZero stated that the vulnerability arose from an incorrect configuration of the verification network in Kelp. According to LayerZero, this allowed attackers to steal about $290 million from Kelp DAO. Preliminary suspicions point to hackers linked to North Korea.
As a result of the attack, the perpetrator withdrew about 116,500 restaked ETH (rsETH) worth up to $293 million at the time of the incident. The funds were stolen through the rsETH bridge operating on LayerZero on Saturday.
On Monday, LayerZero reported that the cause was a single critical failure in Kelp’s configuration. The project used only one DVN (Decentralized Verifier Network) as the sole verification channel, despite recommendations to distribute verification across multiple nodes.
“LayerZero and other participants previously recommended that KelpDAO diversify DVN. Despite this, KelpDAO chose a 1/1 DVN configuration.”
Essentially, Kelp relied on a single cross-network message verification channel instead of using multiple independent verification layers.
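A check for the single-verifier condition described above, as an added example that is not LayerZero's or Kelp's code. The config fields, verifier IDs and operator mapping are hypothetical and constructed for illustration; the check goes slightly beyond the 1/1 case by counting verifiers run by the same operator as one independent party.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class VerifierConfig:
    """Hypothetical per-route config; field names are not LayerZero's API."""
    route: str
    required: list                       # verifier IDs that must all attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0          # optional verifiers that must attest

def independent_attesters(cfg, operator_of):
    """Fewest distinct operators whose attestations suffice to verify a message."""
    optional = set(cfg.optional)
    if cfg.optional_threshold > len(optional):
        raise ValueError(f"{cfg.route}: threshold exceeds optional verifiers")
    ops = {operator_of[v] for v in cfg.required}
    per_op = Counter(operator_of[v] for v in optional)
    # Optional verifiers run by an already-required operator add no independence.
    need = cfg.optional_threshold - sum(n for op, n in per_op.items() if op in ops)
    for op, n in per_op.most_common():   # largest groups first: fewest operators
        if need <= 0:
            break
        if op not in ops:
            ops.add(op)
            need -= n
    return len(ops)

def audit(configs, operator_of, minimum=2):
    """Return {route: count} for routes verified by fewer than `minimum` operators."""
    counts = {c.route: independent_attesters(c, operator_of) for c in configs}
    return {route: n for route, n in counts.items() if n < minimum}

# Constructed sample data: verifier ID -> operator running it.
OPERATORS = {"dvn-a": "operator-1", "dvn-b": "operator-1",
             "dvn-c": "operator-2", "dvn-d": "operator-3"}
CONFIGS = [
    VerifierConfig("bridge-1of1", ["dvn-a"]),                       # the 1/1 setup
    VerifierConfig("bridge-same-operator", ["dvn-a", "dvn-b"]),     # 2 DVNs, 1 operator
    VerifierConfig("bridge-multi", ["dvn-a"], ["dvn-b", "dvn-c", "dvn-d"], 2),
    VerifierConfig("bridge-optional-unused", ["dvn-c"], ["dvn-d"], 0),
]

if __name__ == "__main__":
    for route, n in audit(CONFIGS, OPERATORS).items():
        print(f"{route}: verified by only {n} independent operator(s)")
```
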
After the hack, attention quickly shifted from technical reasons to the main question of who will cover the losses. The situation also affected Aave, where the attacker used rsETH as collateral to borrow real funds.
Against this backdrop, Aave’s TVL dropped by about $8.9 billion to $17.5 billion at the time of writing. The hacker borrowed liquidity against the stolen assets, resulting in about $195 million in “bad debt,” which triggered a wave of withdrawals from the protocol.
LayerZero stated that the rsETH bridge in Kelp operated only through a single DVN from LayerZero Labs. According to LayerZero, the problem was not with the LayerZero network itself, but with the insecure application configuration.
The company is already urging all projects with a 1/1 DVN configuration to switch to a multi-DVN model. LayerZero also plans to stop confirming transactions for applications that continue to use a single verification channel.
After the $290 Million Hack, Disputes Began Over Who Will Cover the Losses
Since neither a compensation plan nor refunds have been announced, users and market participants have begun to argue over who should bear the losses. Options mentioned include Kelp DAO, LayerZero, Aave or the holders of rsETH themselves.
Ishi Wang, the founder and CEO of hardware wallet OneKey, believes the best option is to negotiate with the hacker. He suggested offering a reward of 10–15% for returning most of the funds.
“If negotiations fail, the main losses should be covered by the LayerZero ecosystem fund. It has the most resources and long-term interest,” he wrote on X, adding that Kelp DAO is currently “broke” and can compensate losses with tokens or future revenues, or even consider selling the project.
The founder of analytics platform DeFiLlama, known by the nickname 0xngmi, suggested three possible scenarios. These include distributing the losses among all users, writing off the losses to rsETH holders on L2, or trying to roll back balances to their pre-hack state, which he said would be extremely difficult to implement.
The Exploit Increased Liquidation Risks on Aave
After the Kelp hack, investors began actively withdrawing liquidity from Aave, significantly reducing the available volume of ETH, the protocol’s main collateral asset.
This created a serious risk for the system. According to the head of strategy at the Spark protocol, known as MoneySupply, with the current liquidity shortage, liquidations may simply not work if the market is loaded at 100%.
“In the current conditions on Aave, a 15–20% drop in the price of ETH could lead to the accumulation of significant bad debt, in addition to problems related to the rsETH exploit itself,” he noted.
In response, Aave promptly froze all rsETH in versions V3 and V4 to limit further risk. The protocol’s own smart contracts were not hacked.