Kelp DAO issued a statement on Monday downplaying its direct responsibility for the $292 million exploit that took place over the weekend.
On April 18, the LayerZero-powered cross-chain bridge Kelp DAO lost 116,500 rsETH tokens valued at around $292 million, making it the largest DeFi exploit so far this year.
LayerZero reported on Sunday that the attacker, likely North Korea's Lazarus Group, gained access to the list of RPC nodes used by LayerZero Labs' decentralized verified network (DVN). The attacker then poisoned two RPC nodes and launched a DDoS attack to make the DVN accept a fake cross-chain message, leading it to sign an illegitimate transaction.
In its report, LayerZero criticized Kelp DAO's 1-of-1 DVN configuration, noting that it created a single point of failure by lacking the independent verification necessary to catch the fraudulent cross-chain message.
"LayerZero and other external parties previously communicated best practices around DVN diversification to Kelp DAO," the report said. "Despite these recommendations, Kelp DAO chose to utilize a 1/1 DVN configuration."
Kelp DAO's latest statement responded to LayerZero's accusation, shifting responsibility for the 1-of-1 DVN setup to LayerZero.
"The 1-of-1 DVN setup is the configuration documented in LayerZero's documentation and shipped as the default for any new OFT deployment," Kelp wrote in its statement on X. "Kelp has operated on LayerZero infrastructure since January 2024 and has maintained an open communication channel with the LayerZero team throughout."
Kelp added that the topic of DVN configuration came up during its expansion to L2, and the default setup was "affirmatively confirmed as appropriate" at the time.
"Establishing a shared and accurate account of what happened is the foundation for making the right fixes together," Kelp said.
The cross-chain bridge also said that its initial response — including pausing relevant contracts and blacklisting wallets tied to the attacker — helped contain the situation. It added that it is assessing next steps to resume the protocol.
Meanwhile, the attack's impact quickly spread to the Aave protocol, as the exploiter deposited a significant portion of the stolen assets into Aave V3. The attacker used rsETH as collateral to borrow substantial amounts of WETH, raising the risk of bad debt on the protocol.
Aave's latest incident report said that the attacker supplied 89,567 rsETH (worth around $221 million) as collateral and borrowed 82,650 WETH and 821 wstETH, leaving the positions at very low health factors.
The protocol has outlined two hypothetical bad debt scenarios based on available data, considering that Kelp has not officially announced a loss allocation or recovery plan.
The first scenario details a uniform socialization of losses, assuming that around 112,204 rsETH dilutes the supply across all chains equally. This would result in a 15.12% depeg and lead to roughly $123.7 million in bad debt for Aave.
"Ethereum Core absorbs the largest absolute loss ($91.8M), but its WETH reserve is deep enough that the shortfall remains at 1.54%," Aave wrote. "Mantle, with the smallest WETH reserve relative to its rsETH exposure, suffers a 9.54% shortfall, the highest proportional impact in this scenario."
The second scenario assumes that losses are isolated to L2 rsETH, leaving Ethereum mainnet rsETH fully backed. In this case, a 73.54% haircut would be imposed on L2 collateral. This would lead to higher bad debt of $230.1 million across L2 markets such as Mantle, Arbitrum, and Base's WETH markets.
In the first scenario, Aave's WETH Umbrella, holding $54 million, could serve as an initial backstop. The umbrella would not be triggered under the second scenario.
"Which scenario materializes depends on decisions outside Aave’s control, primarily how rsETH accounting and the LRTOracle exchange rate are updated," Aave said.
Furthermore, Aave said the Aave DAO maintains a strong balance sheet with $181 million in assets, and that it has received several commitments from ecosystem participants to support the protocol in the event of bad debt.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
