Kelp DAO Suffers $292 Million Loss in LayerZero Exploit Linked to Lazarus Group
Severity: High (Score: 77.0)
Sources: layerzero.network, www.openzeppelin.com, Thedefiant, Coinspot, News.Bitcoin
Summary
Kelp DAO experienced a significant security breach on April 16, 2026, resulting in the loss of $292 million due to an exploit in the LayerZero ecosystem. Attackers, believed to be associated with North Korea's Lazarus Group, targeted a vulnerability in LayerZero's infrastructure, specifically exploiting a single-validator setup. The hackers withdrew 116,500 rsETH by compromising two RPC servers in the LayerZero Labs validator network and executing a DDoS attack to redirect operations to fake nodes. Following the incident, Kelp DAO announced its transition from LayerZero to Chainlink's cross-chain infrastructure to enhance security. LayerZero's bug bounty program does not cover application-side misconfigurations, raising questions about its security practices. Nearly 47% of LayerZero applications were found to use the same vulnerable 1-of-1 validator configuration, putting $4.5 billion in assets at risk. The incident has prompted a broader examination of security standards in decentralized finance (DeFi).
Key Points
- Kelp DAO lost $292 million in an exploit linked to North Korea's Lazarus Group.
- The attack exploited a single-validator configuration in LayerZero's infrastructure.
- Kelp DAO is migrating to Chainlink's cross-chain infrastructure for improved security.
Key Entities
- Lazarus Group (apt_group)
- Data Breach (attack_type)
- DDoS (attack_type)
- Malware (attack_type)
- Kelp DAO (company)
- KelpDAO (company)
- Ethereum (company)
- LayerZero (platform)
- Chainlink (platform)
- North Korea (country)
- T1021 - Remote Services (mitre_attack)
- T1210 - Exploitation Of Remote Services (mitre_attack)
- T1499 - Endpoint Denial of Service (mitre_attack)