A major crypto hack has left the DeFi space trying to piece together what really went wrong. What started as a $290 million exploit at KelpDAO has now turned into a deeper investigation, with LayerZero pointing to one key decision that may have made the attack possible. 

The issue traces back to KelpDAO’s rsETH token, a version of ether designed to earn yield and move across different blockchains. To make that possible, the protocol relied on LayerZero infrastructure, which enables assets to travel between chains. 

That setup is common in DeFi, but it also introduces risk. Moving assets across chains depends on systems that confirm whether a transaction really happened. In this case, that confirmation process became the weak point. 

Early analysis suggested that an attacker found a way to mint large amounts of rsETH without properly backing it with real assets. Once those tokens existed, they were quickly used as collateral on lending platforms like Aave. From there, the attacker borrowed real assets and drained liquidity before anyone could react. 

That's when the problem spread beyond Kelp itself. Aave and similar platforms were left holding collateral that may not hold its value, while users rushed to withdraw funds, triggering fears of a wider liquidity crisis. 


The turning point: LayerZero responds 

As the dust began to settle, LayerZero stepped in with a much clearer explanation of what went wrong. And this is where the story shifts from a technical failure to a question of responsibility. 

According to LayerZero, the issue wasn’t a flaw in its protocol, but a decision made by KelpDAO. “This incident was isolated entirely to KelpDAO's rsETH configuration as a direct consequence of their single-DVN setup,” the company explained in a statement.

The protocol had been running what’s known as a single-verifier setup, meaning only one entity was responsible for confirming cross-chain transactions. 

LayerZero says it had already warned against this. In its view, a stronger setup would have required multiple independent verifiers to agree before any transaction was approved. 

How the attack played out 

The details of the attack show just how coordinated it was. According to LayerZero, attackers compromised key infrastructure points known as RPC nodes, which help systems read and write blockchain data. 

Instead of breaking everything at once, the attackers did something more subtle. They altered the behavior of a few nodes so that they reported false information to the verification system, while still appearing normal to everyone else. 

At the same time, they launched a distributed denial-of-service attack to knock other nodes offline. That forced the system to rely on the compromised ones. 

Once that happened, the verifier accepted a fake transaction as real. That single moment allowed the attacker to mint over 100,000 rsETH and begin draining value from the system. 
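The failure described above, and the multi-verifier setup LayerZero says it recommended, can be sketched as a small model. This is an added example, not LayerZero's or KelpDAO's code; the `Verifier` class, the `min_sources` rule and the node behaviours are hypothetical simplifications built for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model: an RPC node is a callable returning the payload hash the
# source chain holds for a message id, "absent" if none, None if unreachable.
Rpc = Callable[[str], Optional[str]]
honest: Rpc = lambda msg_id: "absent"        # source chain has no such message
poisoned: Rpc = lambda msg_id: "0xforged"    # compromised node backs the fake message
down: Rpc = lambda msg_id: None              # knocked offline by the DDoS

@dataclass
class Verifier:
    name: str
    rpcs: list
    min_sources: int  # refuse to attest with fewer reachable nodes than this

    def attest(self, msg_id: str) -> Optional[str]:
        seen = [h for h in (rpc(msg_id) for rpc in self.rpcs) if h is not None]
        if len(seen) < self.min_sources:
            return None   # fail closed instead of trusting whatever is left
        if len(set(seen)) != 1:
            return None   # nodes disagree: do not attest
        return seen[0]

def accepts(verifiers, msg_id: str, claimed: str, threshold: int) -> bool:
    """Deliver the message only if `threshold` verifiers attest to `claimed`."""
    votes = sum(1 for v in verifiers if v.attest(msg_id) == claimed)
    return votes >= threshold

def scenarios() -> dict:
    # Verifier A sees one poisoned node; its other two nodes are offline.
    weak = Verifier("A", [poisoned, down, down], min_sources=1)
    strict = Verifier("A", [poisoned, down, down], min_sources=2)
    # B and C are independent verifiers with their own (honest) node pools.
    b = Verifier("B", [honest, honest, down], min_sources=2)
    c = Verifier("C", [honest, honest, honest], min_sources=2)
    return {
        "single_verifier": accepts([weak], "msg-1", "0xforged", 1),
        "single_fail_closed": accepts([strict], "msg-1", "0xforged", 1),
        "two_of_three": accepts([weak, b, c], "msg-1", "0xforged", 2),
    }

if __name__ == "__main__":
    for name, delivered in scenarios().items():
        print(f"{name}: forged message delivered = {delivered}")
```

In this model the forged message is delivered only in the single-verifier case; requiring a minimum number of reachable, agreeing nodes or a 2-of-3 verifier threshold each block it.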

As investigators dug deeper, attention turned to who might be behind it. LayerZero said the attack bears the hallmarks of the Lazarus Group, a group long linked to some of the biggest crypto hacks in recent years. The group has previously been tied to incidents like the Ronin Network hack and the Harmony Horizon Bridge hack, where hundreds of millions of dollars were stolen. 

How the blame shifted to KelpDAO 

At this point, the conversation changed. It was no longer just about how the hack happened, but why the system was vulnerable in the first place. 

LayerZero’s position is clear. The protocol worked as designed, and the weakness came from how KelpDAO chose to implement it. By relying on a single verifier, the system created a single point of failure. 

That decision is now at the center of the blame. It raises difficult questions about how much responsibility falls on the tools being used versus the teams configuring them. 

KelpDAO hasn’t fully responded to these claims, which leaves a gap in the story. But in the absence of that response, the narrative is being shaped by those explaining the technical details. 

Looking at the full timeline, the story becomes clearer. A design decision created a weak point. Attackers found it and exploited it in a highly coordinated way.  
