$292M rsETH Hack Breakdown: How KelpDAO’s Risky Setup Triggered 2026’s Biggest DeFi Exploit

By CoinsProbe

Key Highlights

  • KelpDAO exploit leads to ~$292M in rsETH stolen, one of the largest DeFi hacks of 2026.
  • The attack shows signs of being linked to North Korea’s Lazarus Group, specifically TraderTraitor.
  • No smart contract bug — attackers manipulated RPC nodes to trick LayerZero’s verification system.
  • The breach was possible due to a high-risk 1-of-1 DVN setup, allowing a single compromised verifier to approve transactions.
  • Stolen funds were deposited into Aave, resulting in $200M+ bad debt and market panic.

The crypto market was shaken after a massive exploit drained nearly $292 million worth of rsETH — a token issued by KelpDAO.

Surprisingly, no smart contracts were hacked. Instead, the attacker exploited a weak configuration in the cross-chain system powered by LayerZero.

Key Players Involved

  • KelpDAO: A restaking protocol that lets users earn yield on ETH through rsETH
  • LayerZero: A cross-chain bridge that moves assets between blockchains
  • DVN (Decentralized Verifier Network): The system that verifies whether cross-chain messages are valid
  • Aave: A major DeFi lending platform where rsETH was accepted as collateral

What Happened? (Simple Breakdown & LayerZero Statement)

The exploit didn’t involve breaking smart contracts — instead, it targeted the backend verification layer.

The attacker compromised key RPC servers used by LayerZero’s verifier network and disrupted the legitimate ones, allowing manipulated data to be processed. They then sent a fake cross-chain message claiming rsETH had been burned on another chain, triggering a release on Ethereum.

Because KelpDAO used a 1-of-1 DVN setup, the system relied on a single verifier — which approved the request. This resulted in 116,500 rsETH being minted and transferred to the attacker.

The attacker later used these tokens on Aave as collateral to borrow real ETH, leaving the protocol exposed to significant bad debt. This event also triggered massive capital outflows, as detailed in our Aave TVL collapse analysis following the KelpDAO exploit.

According to LayerZero’s official statement, the issue was not due to a flaw in its protocol, but rather KelpDAO’s configuration. The team noted that the incident was isolated to the single-verifier setup, preventing broader impact across other integrations.

Additionally, based on LayerZero’s report, preliminary indicators suggest the attack may be linked to a highly sophisticated state actor, likely DPRK’s Lazarus Group, specifically the subgroup known as TraderTraitor.

Why This Only Affected KelpDAO

LayerZero allows projects to customize their security — known as modular security.

  • Most protocols use multi-verifier setups (2-of-3 or 3-of-5)
  • This ensures one compromised verifier cannot approve fake transactions

However, KelpDAO used a 1-of-1 setup, meaning:

  • Only one approval was required
  • No backup validation existed

This decision ultimately made the exploit possible.
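The difference between the two setups can be made concrete with a small quorum audit. This is an added example, not code from KelpDAO or LayerZero and not LayerZero's API: the `Verifier` and `QuorumConfig` types, the verifier names and the RPC endpoints are hypothetical, and it assumes each verifier reads source-chain state from a single RPC endpoint. It goes one step beyond the text by also flagging multi-verifier setups whose verifiers share an RPC endpoint, since the attack described above went through the RPC layer.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Verifier:
    name: str
    rpc: str  # assumption: each verifier reads source-chain state from one RPC endpoint

@dataclass(frozen=True)
class QuorumConfig:
    threshold: int      # approvals required, the M in M-of-N
    verifiers: tuple    # the N configured verifiers

def accepts_forgery(cfg, bad_rpcs):
    """Model: a verifier fed by a compromised RPC attests to the fake burn; the rest refuse."""
    approvals = sum(1 for v in cfg.verifiers if v.rpc in bad_rpcs)
    return approvals >= cfg.threshold

def min_rpcs_to_forge(cfg):
    """Fewest RPC endpoints that must lie before a forged message reaches quorum."""
    rpcs = sorted({v.rpc for v in cfg.verifiers})
    for k in range(1, len(rpcs) + 1):
        if any(accepts_forgery(cfg, set(c)) for c in combinations(rpcs, k)):
            return k
    return None  # threshold above verifier count: no message can ever be approved

def audit(cfg):
    findings = []
    need = min_rpcs_to_forge(cfg)
    if need is None:
        findings.append("threshold exceeds verifier count")
    elif cfg.threshold < 2:
        findings.append("single approval suffices (1-of-N)")
    elif need < cfg.threshold:
        findings.append(f"shared RPC: {need} endpoint(s) can satisfy {cfg.threshold} approvals")
    return findings

# Constructed sample configurations (names and endpoints are made up).
ONE_OF_ONE = QuorumConfig(1, (Verifier("dvn-a", "rpc-1"),))
TWO_OF_THREE = QuorumConfig(2, (Verifier("dvn-a", "rpc-1"), Verifier("dvn-b", "rpc-2"),
                                Verifier("dvn-c", "rpc-3")))
TWO_OF_THREE_SHARED = QuorumConfig(2, (Verifier("dvn-a", "rpc-1"), Verifier("dvn-b", "rpc-1"),
                                       Verifier("dvn-c", "rpc-2")))

if __name__ == "__main__":
    for name, cfg in [("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE),
                      ("2-of-3 shared RPC", TWO_OF_THREE_SHARED)]:
        print(name, "| RPCs needed to forge:", min_rpcs_to_forge(cfg), "|", audit(cfg) or "ok")
```

A 2-of-3 quorum only delivers its nominal protection when the verifiers draw on independent data sources; the shared-RPC case collapses to the same single point of failure as 1-of-1.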

Impact on Aave

The damage extended beyond KelpDAO.

Because the attacker used fake rsETH on Aave:

  • Aave froze rsETH-related markets
  • The protocol now faces $200M+ in bad debt
  • Panic withdrawals triggered sharp liquidity outflows
  • The AAVE token dropped significantly

What’s Next?

This incident highlights several major risks:

  • Collateral Risk: Over-reliance on external or bridged assets
  • Systemic Risk: Issues in one protocol can impact others
  • Security Trade-offs: Flexibility can introduce vulnerabilities

While both KelpDAO and LayerZero are working on fixes, rebuilding trust will take time.

Bottom Line

This is the largest DeFi exploit of 2026 so far, and it wasn’t caused by broken code — but by a risky security choice.

It serves as a strong reminder: In crypto, configuration matters as much as code.

As DeFi grows more interconnected, even a single weak link can trigger widespread consequences.

Frequently Asked Questions (FAQ)

What caused the $290M rsETH hack?

The exploit was caused by a compromised verifier setup (1-of-1 DVN) and manipulated RPC nodes — not a smart contract bug.

Was LayerZero hacked?

No, LayerZero confirmed its protocol worked as designed. The issue was due to KelpDAO’s configuration.

How did Aave get affected?

The attacker used fake rsETH as collateral on Aave, creating over $200M in bad debt.

What is DVN in LayerZero?

DVN (Decentralized Verifier Network) is the system that verifies cross-chain messages before funds are moved.

Can this happen again?

It’s less likely if projects use multi-verifier setups, which provide stronger security.
