LayerZero Breaks Silence: $290 Million KelpDAO Crypto Exploit Exposes Critical Security Flaw

Author: Bitcoinist
Release Time: 2026-04-20 10:30:12

A major security breach at KelpDAO has triggered a 10% market correction, as LayerZero issues a stark warning about concentrated risk in cross-chain protocols. The $290 million rsETH exploit, now detailed by LayerZero and Aave, reveals the incident stemmed not from protocol failure but from KelpDAO's decision to operate with a single-DVN configuration—shifting the narrative from widespread contagion risk to critical questions about application-specific security design in the crypto ecosystem.

LayerZero Links KelpDAO Crypto Exploit To RPC Attack

In an incident statement from April 20, LayerZero said the April 18 attack targeted KelpDAO’s rsETH setup and was “isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.” The company added that it had conducted “a comprehensive review of active integrations” and could confirm “with confidence that there is zero contagion to any other asset or application.”

LayerZero framed the episode as a state-linked crypto infrastructure attack rather than a protocol exploit. According to the statement, “preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor.”

It said the attack did not compromise the protocol, key management, or the DVN instances directly. Instead, the attacker allegedly poisoned downstream RPC infrastructure used by the LayerZero Labs DVN, swapped binaries on compromised op-geth nodes, and then used DDoS pressure on uncompromised RPCs to force failover toward the poisoned infrastructure.

That sequence is central to LayerZero’s argument. “Because of our least-privilege principles, they were unable to compromise the actual DVN instances,” the company wrote. “However, they used this pivot point to execute an RPC-spoofing attack. Their malicious node used a custom payload designed explicitly to forge a message to the DVN with minimal warnings.”

LayerZero said the manipulated node presented false data only to the DVN while returning truthful responses to other IPs, including its own monitoring infrastructure, in what it described as a deliberately stealthy effort to avoid detection.

Even so, LayerZero argues the exploit should have been stopped at the application layer had rsETH not relied on a 1-of-1 verifier setup. “The affected application was rsETH, issued by KelpDAO,” the statement said. “Their OApp configuration at the time of this incident relied on a 1-of-1 DVN setup, with LayerZero Labs as the sole verifier — a configuration that directly contradicts the multi-DVN redundancy model that LayerZero has consistently recommended to all integration partners.”

It added that “a properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised.”
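The difference between the two configurations can be shown with a small threshold model. This is an added illustration, not LayerZero's or KelpDAO's code: the `Policy` class, the DVN names and the sample payloads are hypothetical, and the model assumes a plain M-of-N rule in which a message is delivered only when enough trusted verifiers attest the same payload hash.

```python
from dataclasses import dataclass
from hashlib import sha256

@dataclass(frozen=True)
class Policy:
    dvns: frozenset   # verifier names the application trusts (hypothetical)
    threshold: int    # how many of them must attest the same payload hash

def digest(payload: bytes) -> str:
    return sha256(payload).hexdigest()

def verified(policy: Policy, attestations: dict, payload: bytes) -> bool:
    """True if at least `threshold` trusted DVNs attested this exact payload."""
    want = digest(payload)
    agreeing = {d for d, h in attestations.items()
                if d in policy.dvns and h == want}
    return len(agreeing) >= policy.threshold

def audit(policy: Policy) -> list:
    """Flag configurations where one verifier's view decides delivery."""
    findings = []
    if policy.threshold > len(policy.dvns):
        findings.append("threshold unreachable")
    if policy.threshold < 2:
        findings.append("single point of failure: one DVN can verify alone")
    return findings

# Constructed scenario: dvn-a reads from a spoofed RPC and attests a message
# that was never emitted; dvn-b and dvn-c read honest nodes.
REAL = b"constructed: message actually emitted on the source chain"
FORGED = b"constructed: message that never existed on the source chain"
ATTESTATIONS = {
    "dvn-a": digest(FORGED),
    "dvn-b": digest(REAL),
    "dvn-c": digest(REAL),
}

ONE_OF_ONE = Policy(frozenset({"dvn-a"}), 1)
TWO_OF_THREE = Policy(frozenset({"dvn-a", "dvn-b", "dvn-c"}), 2)

if __name__ == "__main__":
    for name, p in (("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE)):
        print(name,
              "| forged accepted:", verified(p, ATTESTATIONS, FORGED),
              "| real accepted:", verified(p, ATTESTATIONS, REAL),
              "| audit:", audit(p))
```

In the 2-of-3 case the misled verifier is outvoted only if the other DVNs do not share its RPC upstreams, which is why the statement stresses independent DVNs.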

The company said its DVN is live again, that affected RPC nodes have been deprecated and replaced, and that it will no longer sign or attest messages for applications using a 1/1 configuration. It also said it is working with law enforcement and industry partners, including Seal911, to track funds.

Aave said in an X update on late The protocol said its analysis shows “rsETH on Ethereum mainnet is fully backed,” but added that “out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped.” WETH reserves also remain frozen across the affected markets on Ethereum, Arbitrum, Base, Mantle, and Linea while the team continues to validate information and assess possible resolutions.

At press time, the total crypto market cap stood at $2.5 trillion.
