Back to Home

KelpDAO Attack: How $293M Was Stolen Through a Single Node

Hackers Stole $293M from KelpDAO by Exploiting the Fact That the Project Used Only One LayerZero Validator Node. The Attack Included Server Compromise, DDoS, and Data Spoofing. The LayerZero Protocol Itself Was Not Hacked — the Issue Stemmed from User Configuration.

How Hackers Deceived KelpDAO and Stole $293M

Predict

Signal based on this article

Signal8/10
Directiondown
Magnitude5-12%
Timeframe1-3d
Confidencemedium

Drivers

The $293M exploit on KelpDAO’s rsETH bridge caused immediate depegging risk and forced liquidations across Aave. The mechanism is loss of confidence in restaked assets’ redeemability, triggering sell pressure and collateral unwinding. Key risk: if KelpDAO compensates users or proves solvency, price could rebound quickly.

View all predictions for this date

Analytical signal only. Not financial advice.

Advertisement 728x90

How Hackers Stole $293M from KelpDAO: The Attack Exploiting a Single Weak Node

Hackers stole nearly $300 million by exploiting the fact that KelpDAO entrusted its entire security to a single technical node. This was not a breach of the LayerZero protocol itself — but rather a misconfiguration by one of its users. Yet the consequences rippled across the DeFi ecosystem: investors rushed to withdraw funds, and the market once again questioned how trustworthy cross-chain bridges really are.

Why One Node Is Like One Door to a Bank

Imagine building a safe for your money. Instead of installing three locks from different manufacturers, you install just one — and hand the key to your neighbor. If your neighbor is compromised or makes a mistake, your safe gets opened. That’s exactly how KelpDAO’s security system worked.

The LayerZero protocol enables different blockchains to “talk” to each other — for example, transferring tokens from Ethereum to Solana. To do this, it relies on so-called “verifier nodes.” Ideally, there should be multiple, independent verifiers distributed across separate servers. If one lies, the others override it.

Google AdInline article slot

But KelpDAO used only one such verifier — the one provided directly by LayerZero. This violated the fundamental principle of “don’t put all your eggs in one basket.” And hackers seized that opportunity.

How the Attack Unfolded: Lies, DDoS, and Vanishing Traces

The investigation revealed that the attackers operated like professional spies:

  • First, they gained access to the list of servers (RPC nodes) LayerZero uses for communication.
  • Then, they compromised two independent servers hosted on different providers and deployed malicious software on them.
  • Next, those servers began sending the system a forged message: “Here’s the token transfer,” even though no actual transfer had occurred.
  • To ensure the system would route requests exclusively to these servers, the hackers launched a DDoS attack against all other nodes — flooding them with fake requests and triggering overload.
  • The system automatically failed over to the “quiet” and “responsive” compromised servers — and accepted their lie as truth.
  • Finally, the attackers erased everything: logs, configurations, and the malicious code itself. No traces remained.

As a result, the hackers acquired 116,500 rsETH tokens (Restaked ETH) — a kind of “enhanced” version of ETH used in restaking systems. They then deposited these tokens as collateral on Aave V3 and borrowed wETH. Aave accepted the collateral as legitimate, even though the underlying asset had already been stolen. This created unbacked debt — and triggered panic among users.

Google AdInline article slot

North Korea? Possibly — But No Evidence Yet

The LayerZero team stated the attack was likely carried out by the Lazarus Group — a well-known hacker organization based in North Korea. Its subunit, TraderTraitor, specializes in cryptocurrency theft. However, analysts emphasize: there is no direct evidence linking Lazarus to this incident. The attribution is based solely on attack patterns and obfuscation techniques.

Crucially: even if Lazarus was involved, the vulnerability did not stem from LayerZero’s code — but from KelpDAO’s configuration. The protocol itself was never hacked; it was simply misused.

Key Takeaways

  • KelpDAO relied on only one verifier node, violating a foundational DeFi security principle.
  • Hackers executed a multi-stage attack: server compromise + DDoS + data spoofing + trace elimination.
  • 116,500 rsETH were stolen, equivalent to ~$293 million at market price.
  • The attack did not affect other LayerZero projects — the issue was local, yet it triggered systemic fear.
  • LayerZero has since recovered, but trust in cross-chain bridges remains temporarily shaken.

What This Means for Everyday Users

If you hold funds in DeFi protocols — especially new or lesser-known ones — it’s worth checking: how decentralized is their security model? Do they use multiple independent verification sources? Most major platforms now do this correctly — but not all.

Google AdInline article slot

Moreover, attacks like this remind us: even when the underlying technology works flawlessly, human error — in configuration, parameter selection, or operational judgment — can still break everything. The crypto market is maturing — but risks persist, especially where teams rush to deploy new features without rigorously validating fundamentals.

— Editorial Team

Advertisement 728x90

Read Next

Partner News