KelpDAO's rsETH OFT (LayerZero v2) was configured with a 1-of-1 DVN setup using only the LayerZero Labs DVN as the verifier between source and destination endpoints. The OFT contract itself was structurally sound; the exploit hit the off-chain verification layer. Attackers (attributed by multiple firms to Lazarus Group) compromised two RPC nodes that the LayerZero Labs DVN relied on to read source-chain state, then induced the DVN to attest to inbound packet hashes corresponding to mints that never occurred on the origin chain. Because the OApp accepted any payload signed by the single configured DVN, the destination `_lzReceive` minted 116,500 rsETH against fabricated source events. The root cause is configuration plus infrastructure compromise, not contract logic — LayerZero later acknowledged the 1-of-1 default was a mistake; ~47% of active LayerZero OApps used the same posture.
Classification: Infrastructure. Technique: LayerZero OFT bridge exploit. Target type: DeFi Protocol. Affected chains: Ethereum, Arbitrum. Implementation language: Solidity.
- chain
- multichain
- protocol
- Kelp
- bug_class
- bridge
- date_occurred
- 2026-04-18
- loss_usd
- $293,000,000
- classification
- Infrastructure
- technique
- LayerZero OFT bridge exploit
- target_type
- DeFi Protocol
- language
- Solidity
- source_id
- dl:3946