On April 18, KelpDAO suffered a hack that resulted in the loss of $290 million, referred to as the $290 million Kelp restaking hack. The attack targeted KelpDAO’s restaking token, rsETH. As a direct consequence, the price of rsETH fell 21.6% to $1,916 within 24 hours.
The attack employed compromised RPC endpoints combined with a distributed denial-of-service (DDoS) component to influence the routing behavior of LayerZero DVNs, directing them toward unverified RPC endpoints. DVNs are independent entities charged with verifying the integrity of cross-chain messages. By forcing DVNs to query or accept responses from RPC endpoints that were not verified, the attacker altered the message validation surface presented to applications that relied on DVN attestation. This routing manipulation relied on both the availability disruption from DDoS and the substitution of legitimate RPCs with compromised counterparts.
LayerZero stated that applications configured with multiple DVNs can resume normal activity and that LayerZero Labs will no longer sign messages originating from applications using a single 1/1 DVN configuration. Rerouting DVNs to unverified RPCs was the vector used in the incident that targeted KelpDAO’s restaking token, rsETH.
Aave reportedly froze trading markets for rsETH following the incident. KelpDAO has not posted on its X profile since announcing the hack. Reporting named the Lazarus hacking group, described as a North Korean entity, as the suspected author of the attack. These actions and attributions were reported by third parties in the aftermath of the incident.
The incident produced a depeg of KelpDAO’s restaking token rsETH and exposed a technical attack method that used compromised RPC endpoints and a DDoS component to redirect LayerZero DVNs toward unverified RPCs, affecting cross-chain message validation.
LayerZero’s decision to stop signing messages from applications using 1/1 DVN configurations, Aave’s reported freeze of rsETH markets, and the absence of communications from KelpDAO reflect the security challenges facing multi-chain DeFi solutions, particularly the integrity of cross-chain message verification and the robustness of multi-DVN operational configurations.
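The two defensive points above (DVNs being steered to unverified RPCs, and 1/1 versus multi-DVN configurations) can be seen in a simplified model. This is an added example, not LayerZero or KelpDAO code; the endpoint names, DVN names, hashes and function names are all constructed assumptions.

```python
from collections import Counter

# Constructed values: endpoint names, DVN names and hashes are illustrative only.
VERIFIED_RPCS = {"rpc-a.example", "rpc-b.example", "rpc-c.example"}
GENUINE, FORGED = "0xgenuine", "0xforged"

def agreed_value(values, threshold):
    """Return the single value reported at least `threshold` times, else None."""
    counts = Counter(v for v in values if v is not None)
    winners = [v for v, n in counts.items() if n >= threshold]
    return winners[0] if len(winners) == 1 else None  # disagreement fails closed

def dvn_attest_naive(responses):
    """Weak policy: fail over to whichever endpoint answers first."""
    return next((h for h in responses.values() if h is not None), None)

def dvn_attest_pinned(responses, verified=VERIFIED_RPCS, quorum=2):
    """Hardened policy: count only pinned endpoints and require a quorum.
    Timeouts (None) never lower the quorum, so an outage halts attestation."""
    return agreed_value((h for ep, h in responses.items() if ep in verified), quorum)

def app_accepts(attestations, required):
    """Application side: accept a hash only when `required` DVNs attest to it."""
    return agreed_value(attestations.values(), required)

def scenario():
    # Pinned endpoints time out under load; an unverified endpoint answers.
    under_attack = {"rpc-a.example": None, "rpc-b.example": None,
                    "rpc-x.example": FORGED}
    healthy = {"rpc-a.example": GENUINE, "rpc-b.example": GENUINE,
               "rpc-c.example": None}
    return {
        "naive_dvn": dvn_attest_naive(under_attack),
        "pinned_dvn": dvn_attest_pinned(under_attack),
        "pinned_dvn_healthy": dvn_attest_pinned(healthy),
        # 1/1: a single misled DVN is sufficient for acceptance.
        "app_1_of_1": app_accepts({"dvn-1": FORGED}, required=1),
        # 2/2: the second DVN refused to attest, so the message is rejected.
        "app_2_of_2": app_accepts({"dvn-1": FORGED, "dvn-2": None}, required=2),
    }

if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The pinned policy trades availability for integrity: when too few verified endpoints respond, the DVN stops attesting instead of widening the set of sources it trusts.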


