Kelp DAO rsETH Bridge Hack Tied to Lazarus; LayerZero Freezes

LayerZero said the Kelp DAO exploit was likely executed by North Korea’s Lazarus Group, specifically its TraderTraitor unit, after a bridge drain of 116,500 rsETH (about $292M). LayerZero described how the attacker obtained the DVN RPC node list, poisoned two nodes to validate a forged cross-chain message, then DDoS’d remaining nodes so the system relied on the compromised validators. The core issue was Kelp DAO’s single 1/1 DVN design with no backup verifier (a single point of failure). LayerZero said it will stop signing messages for apps using this 1/1 DVN configuration, noting early indicators point to a highly sophisticated state actor. On the trading side, the stolen rsETH was moved into Aave V3 as collateral and used to borrow large amounts of WETH, raising bad-debt concerns. Aave froze rsETH markets on both V3 and V4 and disabled rsETH borrowing. Data cited in the report showed Aave outflows exceeding $10B and supplied funds dropping to about $35.7B from $45.8B. DeFiLlama also reported DeFi TVL down ~7% in 24 hours to around $86.3B. Several LayerZero OFT bridges paused interactions as a precaution, including Ethena, ether.fi, Tron DAO, and Curve Finance. LayerZero stressed “zero contagion” for apps using multi-DVN setups, while law enforcement continues tracing funds. For traders, the key watchpoints are liquidity stress and risk premia around WETH/rsETH, plus cross-chain exposure tied to single-verifier DVN designs in LayerZero-linked systems.