Kelp DAO Suffers $292 Million Loss in LayerZero Exploit Linked to Lazarus Group

Kelp DAO Suffers $292 Million Loss in LayerZero Exploit Linked to Lazarus Group

First seen 6 May 2026, 04:11 UTC Theblock.CoBitgetnews.bitcoin.comMexcCryptonews+15 85% similarity 77.0

Article Content

Browse articles
ThreatCluster

Kelp DAO experienced a significant security breach on April 16, 2026, resulting in the loss of $292 million due to an exploit in the LayerZero ecosystem. Attackers, believed to be associated with North Korea's Lazarus Group, targeted a vulnerability in LayerZero's infrastructure, specifically exploiting a single-validator setup. The hackers withdrew 116,500 rsETH by compromising two RPC servers in the LayerZero Labs validator network and executing a DDoS attack to redirect operations to fake nodes. Following the incident, Kelp DAO announced its transition from LayerZero to Chainlink's cross-chain infrastructure to enhance security. LayerZero's bug bounty program does not cover application-side misconfigurations, raising questions about its security practices. Nearly 47% of LayerZero applications were found to use the same vulnerable 1-of-1 validator configuration, putting $4.5 billion in assets at risk. The incident has prompted a broader examination of security standards in decentralized finance (DeFi).

Key Points: • Kelp DAO lost $292 million in an exploit linked to North Korea's Lazarus Group. • The attack exploited a single-validator configuration in LayerZero's infrastructure. • Kelp DAO is migrating to Chainlink's cross-chain infrastructure for improved security.

ThreatCluster AI

Timeline

2026-04-16
Kelp DAO exploit occurs
Hackers withdrew 116,500 rsETH, leading to a loss of $292 million due to a vulnerability in LayerZero's infrastructure.
Bitget
2026-04-18
LayerZero criticized for security setup
LayerZero claimed it warned against single-verifier configurations, which Kelp DAO used and was the default recommendation.
Theblock.Co
2026-05-05
Kelp DAO announces migration to Chainlink
Kelp DAO decided to switch to Chainlink's cross-chain infrastructure following the exploit to enhance security.
Theblock.Co
2026-05-06
Dune Analytics report released
A report revealed that nearly 50% of LayerZero applications use the lowest security configuration, raising concerns about vulnerabilities.
news.bitcoin.com

Community

Browse all →