$292 million stolen without touching a single smart contract. On April 18, 2026, the liquid restaking protocol KelpDAO was drained via its LayerZero bridge — not due to a Solidity bug, but because a single verifier was sufficient to approve cross-chain messages, and the attacker poisoned the RPC nodes that verifier consulted. In 46 minutes, Kelp paused the protocol, preventing another $200 million in losses. But the damage was done: Aave faces up to $230 million in bad debt, DeFi TVL dropped 25% in hours, and researchers point to the same group that drained Drift Protocol 17 days prior — North Korea's Lazarus Group. $575 million from DeFi in 18 days, using two completely distinct vectors.
This article breaks down the mechanics of the exploit, why LayerZero's default configuration was a ticking time bomb, who pays the bill, and what it means for anyone with funds in protocols using cross-chain bridges.
Editorial Note: This article is informative and based on public data from LayerZero's post-mortem (April 20), statements from Aave and KelpDAO, and analyses by on-chain researchers. The situation is still evolving. Data reflects the status as of April 21, 2026.
How was $292 million stolen without exploiting a smart contract?
At 17:35 UTC on April 18, the attacker called lzReceive on LayerZero's EndpointV2 contract, instructing Kelp's OFTAdapter on Ethereum to release 116,500 rsETH — approximately 18% of the token's circulating supply. No corresponding burn occurred on the source chain (Unichain). The attacker fabricated a false cross-chain message that the bridge accepted as legitimate.
How? They didn't break cryptography or find a bug in the code. They poisoned the infrastructure:
- Obtained the list of RPC endpoints that LayerZero's Decentralized Verifier Network (DVN) consulted to read Unichain's state.
- Replaced the binaries of two independent nodes with modified versions that returned false data to the DVN — but responded correctly to monitoring systems.
- Launched a DDoS attack against backup endpoints to force the DVN to use the poisoned nodes.
- The malware self-destructed after the attack to remove forensic traces.
The condition that made it possible: Kelp used a 1-of-1 configuration on its bridge (one required DVN, no optional DVNs), so a single verifier was sufficient to approve any cross-chain message. No redundancy, no second check. A single point of failure for $292 million.
Was 46 minutes enough to prevent another $200 million in losses?
Kelp's emergency multisig executed pauseAll at 18:21 UTC — 46 minutes after the drain. At 18:26 and 18:28, the attacker attempted two additional transactions to drain another 40,000 rsETH each (~$100 million per attempt). Both reverted because the protocol was already paused.
Had the pause come 10 minutes later, the total theft would have reached $391 million.
What the attacker did with the funds
Within minutes, 89,567 of the 116,500 stolen rsETH were deposited as collateral in Aave V3/V4 across seven wallets. Against that collateral, the attacker borrowed 82,650 WETH ($190.9 million) and 821 wstETH ($2.3 million). Some estimates raise the total borrowed to 126,000 WETH ($236 million) by including other protocols. The borrowed WETH was funneled through Tornado Cash — the same mixer that had funded the attacker's wallet with 1 ETH ten hours before the theft.
Who pays the $230 million bad debt bill?
The direct theft of $292 million is only part of the damage. Because the attacker converted stolen rsETH into real assets borrowed on lending protocols, several platforms face unrecoverable debt:
| Platform | Estimated Bad Debt | Status |
|---|---|---|
| Aave V3/V4 | $124 – $230 M | Chaos Labs report published, Umbrella module pause recommended |
| Compound V3 | ~$39 M | Proposal to disable rsETH as collateral on 5 chains |
| Euler | < $1 M | Contained |
Aave's contracts were not compromised — founder Stani Kulechov confirmed the vector was entirely external. But the protocol suffered over $5.4 billion in withdrawals within hours, pushing WETH, USDT, and USDC pools to 100% utilization. Depositors were trapped. The same pattern we saw with USR-Morpho in March — when collateral breaks, pool liquidity evaporates, and lenders cannot exit.
The AAVE token fell between 10% and 18%. DeFi TVL plummeted from ~$110 billion to ~$82.4 billion — a 25% drawdown reflecting risk aversion, not just direct losses.
The only significant recovery: on April 21, the Arbitrum Security Council froze 30,766 ETH (~$71 million) in an intermediary wallet, acting on information from law enforcement. This represents 24% of the stolen funds.
Whose fault is it — LayerZero or KelpDAO?
The public dispute between the two matters because it determines whether ~47% of applications integrated with LayerZero need to reconfigure immediately.
LayerZero says: Kelp "chose" the single-verifier configuration. The exploit was a direct consequence of that decision. From now on, LayerZero refuses to sign messages for applications still in a 1-of-1 configuration.
Kelp responds: The 1-of-1 configuration was LayerZero's documented default. Despite having an open direct communication channel since July 2024, they were never specifically warned to change it.
Independent developers corroborated Kelp's version: LayerZero V2's default configuration file (layerzero.config.ts) ships with a 1-required / 0-optional setup. And the compromised DVN was LayerZero Labs' own infrastructure, not a third-party verifier.
The honest reading: both share responsibility. LayerZero created insecure defaults that made dangerous configurations trivial, and a protocol safeguarding billions should have hardened beyond defaults. The incident reveals that bridge configuration review is a different security discipline from smart contract audits — and one that most protocols have treated as a checkbox.
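What a configuration review actually has to compute is the smallest set of verifiers that can pass a message. The audit below is an added example, not LayerZero's or Kelp's code; the field names mirror the ULN configuration struct (confirmations, requiredDVNs, optionalDVNs, optionalDVNThreshold) as I understand it from the V2 toolchain, so check them against your own layerzero.config.ts schema. The DVN addresses and the policy thresholds are constructed for illustration. The single-verifier block is the 1-required / 0-optional shape described above; the hardened block is what a route carrying nine figures should look like at minimum.

```typescript
// Added example (not LayerZero's or Kelp's code): audit a LayerZero-V2-style ULN/DVN
// configuration for verification redundancy. Field names mirror the UlnConfig struct
// (confirmations, requiredDVNs, optionalDVNs, optionalDVNThreshold) as I understand it;
// the addresses and policy thresholds are constructed for illustration.

interface UlnConfig {
  confirmations: number;          // source-chain confirmations a DVN waits for before attesting
  requiredDVNs: string[];         // every listed DVN must verify the payload hash
  optionalDVNs: string[];         // at least optionalDVNThreshold of these must also verify
  optionalDVNThreshold: number;
}

interface AuditVerdict {
  minVerifiers: number;           // fewest distinct DVNs whose attestations pass a message
  singlePointOfFailure: boolean;  // true when one verifier (or none) can approve a release
  findings: string[];             // policy violations in plain words; empty when clean
}

interface AuditPolicy {
  minVerifiers: number;           // independent attestations a release must carry
  minConfirmations: number;       // reorg safety margin on the source chain
}

// Policy numbers are this example's own; size them to the value the route can release.
function auditUlnConfig(
  cfg: UlnConfig,
  policy: AuditPolicy = { minVerifiers: 2, minConfirmations: 15 }
): AuditVerdict {
  const findings: string[] = [];
  const listed = cfg.requiredDVNs.concat(cfg.optionalDVNs).map((a) => a.toLowerCase());
  const distinct = listed.filter((a, i) => listed.indexOf(a) === i).length;
  if (distinct !== listed.length) {
    findings.push("a DVN address is listed twice; redundancy is lower than the counts suggest");
  }
  if (cfg.optionalDVNThreshold > cfg.optionalDVNs.length) {
    findings.push("optionalDVNThreshold exceeds the optional DVN count; no message could ever verify");
  }
  // A message verifies once every required DVN plus `threshold` optional DVNs have attested,
  // so the smallest set that can release funds is required + threshold, capped by distinct addresses.
  const threshold = Math.min(cfg.optionalDVNThreshold, cfg.optionalDVNs.length);
  const minVerifiers = Math.min(cfg.requiredDVNs.length + threshold, distinct);
  if (minVerifiers === 0) {
    findings.push("no DVN is required: any payload passes verification");
  } else if (minVerifiers === 1) {
    findings.push("1-of-1: a single verifier approves every cross-chain message");
  } else if (minVerifiers < policy.minVerifiers) {
    findings.push(`only ${minVerifiers} verifiers needed; policy requires ${policy.minVerifiers}`);
  }
  if (cfg.confirmations < policy.minConfirmations) {
    findings.push(`confirmations=${cfg.confirmations} is below the policy minimum of ${policy.minConfirmations}`);
  }
  return { minVerifiers, singlePointOfFailure: minVerifiers <= 1, findings };
}

// Constructed placeholder addresses, not real DVN deployments.
const DVN_A = "0x000000000000000000000000000000000000000a";
const DVN_B = "0x000000000000000000000000000000000000000b";
const DVN_C = "0x000000000000000000000000000000000000000c";
const DVN_D = "0x000000000000000000000000000000000000000d";
const DVN_E = "0x000000000000000000000000000000000000000e";

// The shape the article describes as the shipped default: one required, zero optional.
const singleVerifierConfig: UlnConfig = {
  confirmations: 15,
  requiredDVNs: [DVN_A],
  optionalDVNs: [],
  optionalDVNThreshold: 0,
};

// Hardened: two mandatory DVNs run by different operators, plus any one of three optional ones.
const hardenedConfig: UlnConfig = {
  confirmations: 20,
  requiredDVNs: [DVN_A, DVN_B],
  optionalDVNs: [DVN_C, DVN_D, DVN_E],
  optionalDVNThreshold: 1,
};

function auditAll(): { [name: string]: AuditVerdict } {
  return {
    singleVerifier: auditUlnConfig(singleVerifierConfig),
    hardened: auditUlnConfig(hardenedConfig),
  };
}

const report = auditAll();
Object.keys(report).forEach((name) => {
  const v = report[name];
  console.log(`${name}: minVerifiers=${v.minVerifiers} spof=${v.singlePointOfFailure}`, v.findings);
});
```

The count is necessary but not sufficient: two DVN addresses operated by the same company, or fed by the same RPC provider, are one verifier for the purposes of this incident. Operator independence has to be established off-chain and re-checked whenever the DVN set changes.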
$575 million in 18 days — what is the Lazarus Group doing?
Researchers — including the Chainalysis team and ZachXBT — preliminarily attribute the attack to the TraderTraitor subunit of North Korea's Lazarus Group. This is the same group linked to:
| Attack | Date | Amount | Vector |
|---|---|---|---|
| Bybit | Feb 2025 | $1,400 M | Infrastructure compromise |
| Drift Protocol | Apr 1, 2026 | $285 M | Oracle manipulation + social engineering |
| KelpDAO | Apr 18, 2026 | $292 M | RPC poisoning + 1-of-1 bridge |
$575 million from DeFi in 18 days with two structurally different vectors. This is not a script kiddie repeating the same trick — it's a sophisticated campaign that identifies the seams between systems (bridges, governance, oracles) where code audits don't reach.
Chainalysis summarized it: "Detecting malicious code is not enough; protocols must detect when a system enters an impossible state."
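The "impossible state" in this incident has a precise form: more rsETH released on the destination than was ever burned on the source. The gate below is an added example, not the article's, LayerZero's or Kelp's code. It does two things the verifier in the attack did not: it reads the source-chain burn total from several RPC endpoints and only accepts a value a quorum agrees on (so two poisoned nodes plus DDoSed backups produce a halt, not a release), and it refuses any release that would push circulating supply above the agreed burn total. Endpoint names, amounts and block state are constructed; they do not reproduce the real exploit transactions.

```typescript
// Added example (not the article's, LayerZero's or Kelp's code): a destination-side
// release gate that cross-checks source-chain state across RPC endpoints and enforces
// the bridge conservation invariant. Endpoint names and amounts are constructed.

interface RpcAnswer {
  endpoint: string;
  burnedTotal: number | null; // units burned on the source chain at the checked block; null = unreachable
}

interface Group {
  value: number;
  endpoints: string[];
}

interface QuorumResult {
  agreed: number | null;      // value a quorum of endpoints agrees on, or null
  dissenters: string[];       // endpoints that answered with a different value
  unreachable: string[];      // endpoints that returned nothing (e.g. under DDoS)
  reason: string;
}

// Majority over the values actually returned. A partition or a sub-quorum answer is a
// reason to stop, never a reason to fall back on "the nodes that did respond".
function quorumBurned(answers: RpcAnswer[], quorum: number): QuorumResult {
  const unreachable: string[] = [];
  const groups: Group[] = [];
  for (const a of answers) {
    const burned = a.burnedTotal;
    if (burned === null) {
      unreachable.push(a.endpoint);
      continue;
    }
    let g: Group | undefined;
    for (const x of groups) if (x.value === burned) g = x;
    if (!g) {
      g = { value: burned, endpoints: [] };
      groups.push(g);
    }
    g.endpoints.push(a.endpoint);
  }
  let best = groups[0];
  for (const g of groups) if (g.endpoints.length > best.endpoints.length) best = g;
  const bestCount = best ? best.endpoints.length : 0;
  if (!best || bestCount < quorum) {
    return {
      agreed: null,
      dissenters: [],
      unreachable,
      reason: `${bestCount} of ${answers.length} endpoints agree; quorum is ${quorum}`,
    };
  }
  const agreed = best.value;
  const dissenters: string[] = [];
  for (const a of answers) if (a.burnedTotal !== null && a.burnedTotal !== agreed) dissenters.push(a.endpoint);
  return { agreed, dissenters, unreachable, reason: "quorum reached" };
}

interface Decision {
  allow: boolean;
  reason: string;
}

// releasedSoFar comes from the destination's own ledger, never from the message under review.
// Every inconsistency fails closed; the pause in the article is the manual version of this.
function gateRelease(answers: RpcAnswer[], releasedSoFar: number, requested: number, quorum: number): Decision {
  const q = quorumBurned(answers, quorum);
  if (q.agreed === null) return { allow: false, reason: `halt: ${q.reason}` };
  if (q.dissenters.length > 0) {
    // Policy choice: one node contradicting the quorum is a compromise signal, so stop and page.
    return { allow: false, reason: `halt: ${q.dissenters.join(",")} contradict the quorum value` };
  }
  const circulating = releasedSoFar + requested;
  if (circulating > q.agreed) {
    return { allow: false, reason: `halt: ${circulating} units would circulate against ${q.agreed} burned` };
  }
  return { allow: true, reason: "ok" };
}

// Constructed scenarios in whole token units (production code would use bigint wei).
const honest = (e: string): RpcAnswer => ({ endpoint: e, burnedTotal: 3500 });
const poisoned = (e: string): RpcAnswer => ({ endpoint: e, burnedTotal: 120000 });
const down = (e: string): RpcAnswer => ({ endpoint: e, burnedTotal: null });

// 1. The attack shape: two poisoned nodes answer, the backups are unreachable.
const attackShape = gateRelease([poisoned("rpc-a"), poisoned("rpc-b"), down("rpc-c"), down("rpc-d")], 3000, 116500, 3);
// 2. Healthy nodes, but the requested release exceeds what was ever burned.
const impossibleState = gateRelease([honest("rpc-a"), honest("rpc-b"), honest("rpc-c"), honest("rpc-d")], 3000, 116500, 3);
// 3. One poisoned node against three honest ones: quorum holds, dissent still halts.
const oneLiar = gateRelease([poisoned("rpc-a"), honest("rpc-b"), honest("rpc-c"), honest("rpc-d")], 3000, 400, 3);
// 4. A legitimate release within the burned total.
const legit = gateRelease([honest("rpc-a"), honest("rpc-b"), honest("rpc-c"), honest("rpc-d")], 3000, 400, 3);

console.log(attackShape, impossibleState, oneLiar, legit);
```

Note what the quorum alone does not buy you: if an attacker can poison enough nodes to reach it, the first check passes. The supply invariant is the backstop that does not depend on any RPC endpoint being honest, because the destination ledger is local state; it is the check that would have fired on a 116,500-unit release with no matching burn.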
What does this mean for restaking and cross-chain bridges?
There is no structural contagion to the broader LST/LRT sector. stETH, wstETH, rETH, and cbETH are unaffected. rsETH deposits on Ethereum mainnet are still backed by legitimate positions on EigenLayer.
But rsETH bridged to other chains faces a severe parity crisis: holders cannot know if their tokens are backed, because the attacker injected 116,500 uncollateralized units into the circulating supply. Kelp has not published a loss allocation plan.
The precautionary response was immediate: Lido paused earnETH, Ethena paused its LayerZero bridges for 6 hours (no exposure to rsETH), and over 20 protocols — Ether.fi, Curve, Morpho, Kamino, Lombard, Beefy, Maple, Mantle among others — temporarily paused their LayerZero bridges. SparkLend and Fluid froze rsETH markets.
What should any DeFi user check now?
- Do you hold bridged tokens? Any token that crossed a bridge (rsETH, but also WETH, bridged USDC, etc.) inherits the risk of the bridge's configuration, not just the token's contract. A wrapped token on an L2 can have a fundamentally different risk profile than the native token on its source chain.
- Do you use rsETH as collateral? If you have positions on Aave, Compound, or Euler with rsETH, your Health Factor now depends on an asset whose backing is in dispute. Monitor actively.
- Do your protocols use LayerZero bridges? Verify whether the application uses a 1-of-1 configuration or a multi-DVN (N-of-M) one, and whether its DVNs are run by different operators. ~47% of LayerZero applications were in a vulnerable configuration before the attack.
- Diversify bridge risk. Do not concentrate cross-chain exposure on a single bridge provider; a portfolio whose largest positions all depend on one verifier has the same single point of failure Kelp had.
The Kelp exploit is not the first nine-figure theft whose root cause lies outside the contract code (Ronin's 2022 validator-key compromise and Bybit in 2025 were too), but it is the clearest case yet of a bridge verifier being defeated through the operational security of the off-chain infrastructure feeding it. For five years, the industry hardened smart contracts with audits, formal verification, and bug bounties. Attackers have moved upstream, to infrastructure layers where those defenses don't apply. Default configuration is not secure configuration at scale, and that lesson just cost $292 million.
Do you know how many bridges your capital is distributed across?
CleanSky shows your positions by chain and protocol — so you can see where you have cross-chain exposure before a bridge fails. Without custodying your funds. Discover how it works.