
KelpDAO Moves rsETH From LayerZero After $300M Exploit

Van Thanh Le


May 6 2026


Cross-chain security dispute widens after April bridge attack

TL;DR

  • KelpDAO is moving rsETH bridging from LayerZero to Chainlink CCIP after an April 18 exploit.
  • The attack drained more than 116,000 rsETH and was tied to a $300 million loss.
  • KelpDAO blamed LayerZero infrastructure, while Ethena pointed to low-quorum verification design risk.



KelpDAO is shifting rsETH away from LayerZero’s OFT framework and toward Chainlink CCIP after a $300 million exploit on April 18, 2026, drained more than 116,000 rsETH from KelpDAO’s bridge and sparked a dispute over whether the incident stemmed from LayerZero infrastructure failure or weak cross-chain verification design.

KelpDAO rejected LayerZero’s reported post-mortem framing that the incident was a “KelpDAO configuration issue.” LayerZero’s position pointed to KelpDAO’s use of a 1-of-1 Decentralized Verifier Network setup, where LayerZero Labs acted as the sole validator. KelpDAO argued that the setup was not unusual and instead reflected a widely used default across the LayerZero ecosystem.

KelpDAO Says LayerZero Defaults Were Widely Used

KelpDAO cited analysis showing that 47% of LayerZero OApp contracts, representing more than 1,200 applications, used the same 1-of-1 DVN “security floor.” KelpDAO also said LayerZero’s own OFT quickstart guide and default templates recommended the 1-of-1 configuration with LayerZero Labs as the sole required DVN, making the setup part of the ecosystem’s standard integration path rather than a bespoke decision by KelpDAO.

KelpDAO said the configuration had been previously approved and documented. It said Telegram screenshots showed LayerZero team members assuring KelpDAO that “defaults were fine” during eight separate integration discussions over two years. KelpDAO said, “The simple truth: LayerZero blamed their users for an issue that was caused by their own infrastructure failure.”

KelpDAO said LayerZero admitted attackers obtained the list of RPCs used by its DVN, and that two independent nodes were compromised and binaries were swapped. KelpDAO also said LayerZero’s decision to ban 1-of-1 configurations after the loss showed the setup carried broader systemic risk.

| Metric | Detail |
|---|---|
| Exploit date | April 18, 2026 |
| Reported loss | $300 million |
| Asset drained | More than 116,000 rsETH |
| Additional forged transactions blocked | $100 million |
| LayerZero OApp contracts using same setup | 47% |
| Applications using the same security floor | More than 1,200 |
| Compromised nodes | Two independent nodes |
| Integration discussions cited by KelpDAO | Eight discussions over two years |

KelpDAO said LayerZero’s post-mortem did not explain why LayerZero’s monitoring systems failed to detect the hack, leaving KelpDAO to flag the issue itself. KelpDAO said it blocked additional forged transactions by pausing contracts after fraudulent minting and asset releases had already occurred.

KelpDAO cited independent reviews that found critical vulnerabilities present at the time of the attack, including default deployment exposure through public gateways lacking common protections such as WAF or IP allowlists. KelpDAO also cited a Chainalysis review that found LayerZero had set a low 1-of-1 RPC quorum default, meaning one poisoned node could allow the DVN to sign a forged message without cross-checking against other nodes.

Ethena Points to Verification Design Risk

Ethena framed the exploit as a failure of verification design. Ethena said the attack combined a 1-of-1 DVN configuration with compromised RPC infrastructure, allowing forged cross-chain messages to be validated and executed.

Ethena said low-quorum setups create critical single points of failure. Ethena also said its own architecture avoided similar exposure by requiring higher verification thresholds and by using safeguards including rate limits and restricted bridge routes.
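The quorum argument made by the Chainalysis review and by Ethena can be modelled in a few lines. This is an added example, not LayerZero, KelpDAO or Ethena code; the `Verifier` class, the node names and the payloads are all constructed for illustration.

```python
"""Constructed model of quorum-based cross-chain verification."""
import hashlib
from dataclasses import dataclass

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

@dataclass
class Verifier:
    """Hypothetical verifier that reads the source chain through several RPC nodes."""
    name: str
    rpc_views: dict[str, bytes]  # node name -> payload that node reports for the message
    rpc_quorum: int              # nodes that must report the claimed payload

    def attest(self, claimed: bytes) -> tuple[bool, bool]:
        """Return (signs, nodes_disagree) for the payload claimed on the destination."""
        seen = [digest(p) for p in self.rpc_views.values()]
        agree = seen.count(digest(claimed))
        # Any disagreement between nodes is worth an alert even when quorum is met.
        return agree >= self.rpc_quorum, len(set(seen)) > 1

def message_accepted(verifiers: list[Verifier], claimed: bytes, threshold: int) -> bool:
    """Accept only if at least `threshold` verifiers sign the claimed payload."""
    return sum(v.attest(claimed)[0] for v in verifiers) >= threshold

# Constructed sample data: the message really sent, and an altered copy of it.
REAL = b"nonce=7;to=0xAAA;amount=10"
FORGED = b"nonce=7;to=0xBBB;amount=999"
HONEST = {"rpc-a": REAL, "rpc-b": REAL, "rpc-c": REAL}
POISONED = {"rpc-a": FORGED, "rpc-b": REAL, "rpc-c": REAL}  # one node misreports

def scenarios() -> dict[str, bool]:
    """Is the forged payload accepted under each configuration?"""
    weak = Verifier("v1", POISONED, rpc_quorum=1)
    strict = Verifier("v1", POISONED, rpc_quorum=3)
    other = Verifier("v2", HONEST, rpc_quorum=3)
    return {
        "1 verifier, RPC quorum 1": message_accepted([weak], FORGED, 1),
        "1 verifier, RPC quorum 3": message_accepted([strict], FORGED, 1),
        "2-of-2 verifiers, one weak": message_accepted([weak, other], FORGED, 2),
    }

if __name__ == "__main__":
    for label, accepted in scenarios().items():
        print(f"{label}: forged message accepted = {accepted}")
    print("real message (signs, disagree):", Verifier("v1", POISONED, 3).attest(REAL))
```

With a unanimous quorum the poisoned node also stops the real message from being signed, so a stricter quorum trades availability for integrity and the disagreement flag becomes the monitoring signal.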

Ethena said it paused its LayerZero bridges within hours of detecting anomalies. Ethena also said its USDe stablecoin remained fully backed and unaffected.

KelpDAO said it is migrating rsETH to Chainlink CCIP and the Cross-Chain Token standard. KelpDAO said, “Our number-one priority remains the security of our users’ assets,” citing Chainlink’s seven-year track record and decentralized oracle network as reasons for the move.

FAQ

What asset was affected?

rsETH was drained from KelpDAO’s bridge.

What is KelpDAO changing?

KelpDAO is moving rsETH bridging to Chainlink CCIP.

What did Ethena say caused the risk?

Ethena pointed to low-quorum verification and compromised RPC infrastructure.

Was USDe affected?

Ethena said USDe remained fully backed and unaffected.

This article has been refined and enhanced by ChatGPT.

© 2017 - 2026 COIN360.com. All Rights Reserved.