- KelpDAO links $300M exploit to LayerZero infrastructure, citing compromised RPC nodes and DVN verification flaws.
- Dispute centers on responsibility, with KelpDAO blaming defaults while LayerZero cites configuration choices.
- Attack triggered DeFi disruptions as stolen rsETH moved into lending protocols, forcing market pauses.
KelpDAO and LayerZero Labs entered a dispute after a reported $300 million exploit linked to LayerZero infrastructure on April 18, 2026. KelpDAO said attackers triggered fraudulent transactions across DeFi protocols using compromised LayerZero DVN systems. The incident also included blocked $100 million transactions after KelpDAO paused contracts during the event window.
Exploit Timeline And Reported Losses
The attack targeted the LayerZero Labs infrastructure, according to KelpDAO and independent researchers. Notably, attackers accessed offchain systems tied to RPC nodes used by the DVN verification layer.
Chainalysis reported that attackers used manipulated data rather than smart contract flaws. This process tricked a 1 of 1 DVN setup into approving invalid transactions.
However, KelpDAO said it stopped further losses by pausing contracts shortly after detection. The team also blocked two additional forged transactions totaling over $100 million.
Meanwhile, researchers linked about 116,500 rsETH in losses to the exploit activity. Downstream lending protocols later absorbed collateralized assets from the stolen funds.
Dispute Over DVN Configuration Responsibility
KelpDAO challenged LayerZero’s claim that its configuration caused the failure. According to KelpDAO, the 1-1 DVN setup was widely used across LayerZero integrations.
The team cited public data showing thousands of OApp contracts using similar verification structures. It also said around 90 percent of LayerZero messages relied on one or two DVNs.
Additionally, KelpDAO stated that LayerZero documentation pointed developers toward default configurations. These included setups using LayerZero Labs as the required DVN without optional redundancy.
LayerZero, however, attributed the incident to KelpDAO’s configuration choice in its postmortem report. The company also described the attack as a targeted infrastructure breach involving RPC compromise.
Infrastructure Claims And Market Impact
According to KelpDAO, attackers accessed RPC endpoint lists and compromised internal nodes. These nodes operated across separate clusters within LayerZero’s verification system.
Independent researchers stated that the attack involved infrastructure compromise inside LayerZero’s trust boundary. They also noted that default deployments lacked multi-provider consensus controls in some cases.
Meanwhile, LayerZero reported that DVN instances themselves were not fully compromised. It described the event as an RPC-spoofing attack following node-level breaches.
The incident affected broader DeFi markets as stolen rsETH moved into lending protocols. Several platforms paused markets linked to rsETH and related assets during liquidity stress.
