KelpDAO to Move rsETH Bridging From LayerZero to Chainlink CCIP After April Exploit

KelpDAO is moving rsETH bridging away from LayerZero to Chainlink CCIP after publicly disputing LayerZero’s explanation for the April exploit that released 116,500 rsETH, a rupture that has turned one of the year’s largest cross-chain losses into a fight over accountability. The shift, reported by CoinTelegraph, The Defiant and Cryptopolitan based on Kelp’s public memo and posts on X, marks a concrete break between the liquid restaking protocol and the cross-chain messaging provider it had relied on.

The exploit happened on April 18 at 17:35 UTC, when a forged cross-chain packet was delivered on KelpDAO’s LayerZero V2 Unichain-to-Ethereum rsETH route. According to Aave governance’s April 20 incident report, the Ethereum-side rsETH OFT adapter released tokens without a corresponding burn on the originating chain. The attacker removed 116,500 rsETH, worth roughly $290 million to $294 million depending on the price snapshot used.

The losses quickly spread beyond KelpDAO because rsETH, a liquid restaked Ether token, is widely used as collateral in decentralized finance lending markets. Aave’s incident report said 89,567 rsETH from the stolen amount was supplied as collateral across Aave V3 markets. In response, Aave’s Guardian froze rsETH and wrsETH markets across several deployments and later also froze WETH on multiple markets as part of containment. KelpDAO’s own emergency response included freezing the recipient address and pausing the OFT adapter. The Aave and LlamaRisk incident report said Kelp’s emergency multisig acted about 46 minutes after the drain, and that move blocked at least one later forged inbound transfer, causing a packet for about 40,373 rsETH to revert.

LayerZero said the exploit was not caused by a bug in its smart contracts, but by compromised infrastructure tied to the route’s verification setup. In its public incident statement, LayerZero said compromised remote procedure call, or RPC, nodes used by the LayerZero Labs Decentralized Verifier Network, combined with distributed denial-of-service attacks on clean nodes, allowed a forged message to be attested and accepted. LayerZero and related technical writeups said the route used a 1-of-1 DVN configuration, meaning a single verifier could authorize the release of funds. “This incident was isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup,” LayerZero said. In its post-mortem, LayerZero also preliminarily attributed the attack to the North Korea-linked Lazarus or TraderTraitor group.

KelpDAO later rejected that framing, according to CoinTelegraph, The Defiant and Cryptopolitan, which cited Kelp’s public memo and X posts. Those reports said Kelp argued that LayerZero had approved or not objected to the verifier configuration during integration and that the underlying compromise occurred within LayerZero infrastructure, not in Kelp’s own contracts. Around May 5, the same outlets reported that Kelp announced it would migrate rsETH bridging from LayerZero OFT to Chainlink CCIP and the CCT standard, though that should be understood as a reported company decision rather than independently verified technical completion of the switch.

That leaves the central question unresolved: whether the failure was primarily an application-level security choice by KelpDAO or an infrastructure breakdown inside LayerZero’s verification stack. What is already clear is the operational fallout. Contracts were frozen, a major DeFi collateral asset became a systemwide risk, and KelpDAO is now seeking a different cross-chain provider. For protocols that depend on bridged assets as lending collateral, the episode is a reminder that a bridge exploit does not stay confined to one route for long.