KelpDAO blames LayerZero as $294 mln hack: ‘Kelp’s own systems were not involved’

Facing the biggest hack of 2026, KelpDao—a liquid staking protocol—has now blamed LayerZero [ZRO] as the main culprit behind the $294 million attack.

For context, the latter is a cross-chain messaging layer that acts as a bridge for Kelp.

On the 21st of April, KelpDAO took to X and highlighted that two remote procedure call (RPC) nodes hosted by LayerZero fell prey to the hackers eyes.

For those unaware, RPC nodes are servers that facilitate reading blockchain data and submitting transactions to various networks.

At the same time, the third RPC node was attacked with a DDoS (Distributed Denial-of-Service) attack. Simply put, the third RPC was clogged with extreme traffic, which in turn resulted in distorted functioning of the node. 

Remarking on the same, Kelp added, 

This was an attack on LayerZero’s infrastructure. Kelp’s own systems were not involved in building or operating that infrastructure.

Steps taken by KelpDAO

As additional steps, Kelp has now even frozen all associated contracts on Layer 2 and the Ethereum [ETH] Mainnet. Moreover, the protocol has blocked all wallets associated with the wrongdoer and has implemented SEAL 911.

The latter operates as a 24/7 cost-free hotline, connecting individuals in the midst of security threats with expert security professionals. 

Kelp also reported a second attempt made by the exploiter, who tried to drain an additional 40,000 rsETH worth $95 million in funds using illusive tricks.

However, the hacker was unable to do so because the system had already been secured in time. 

Reason behind KelpDAO’s frutsration

That being said, Kelp implied that they didn’t choose a risky setup on their own. Instead, they relied on what LayerZero recommended since 2024.

The most important one being the 1-of-1 DVN (Decentralized Verifier Network) setup that verifies cross-chain messages on LayerZero had certain loopholes.

Kelp noted that a 1-of-1 setup is less secure because it creates a single point of failure. If compromised, malicious actors get a way through, and that’s what happened. 

As a way forward, Kelp further added, 

We are concurrently assessing the potential next steps regarding protocol unpausing, impact assessment, and the way forward, and working with Aave, LZ, and all other key stakeholders.

Arbitrum and Aave’s precautionary measures

This comes on the back of the Arbitrum [ARB] Security Council freezing 30,766 ETH worth $71 million being tied to the KelpDAO exploit.

Additionally, the Aave [AAVE] Protocol, too, prevented itself from the target’s eyes by freezing rsETH/wrsETH markets. The protocol even went ahead and constrained WETH activity and lowered borrowing rates across multiple networks.

Aave further penned, 

Aave’s smart contracts were not compromised at any point during this event. All protocol logic, including supply, repayment, and liquidation mechanisms, continued to function as designed.

Yet, the exploit did result in Aave facing a bad debt estimated between $177 million and $290 million. However, despite such allegations, ZRO remained unaffected as it was trading at $1.63 after a hike of 5.57% in the past 24 hours.

Final Summary

• KelpDAO blamed LayerZero’s RPC nodes and 1-of-1 DVN, which led to the protocol getting hacked.
• Arbitrum and Aave both took their precautionary steps to avoid further damages.