Kelp DAO Loses $290 Million as Lazarus Group Exploits LayerZero RPC Nodes

The decentralized finance ecosystem suffered one of its most devastating blows of 2025 on April 10, when Kelp DAO lost approximately $290 million worth of rsETH in a sophisticated attack attributed to the North Korean Lazarus Group. The exploit targeted LayerZero’s cross-chain infrastructure through a multi-stage assault on the protocol’s Decentralized Verification Network, exposing critical vulnerabilities in validator security configurations that many DeFi platforms had overlooked.

The Exploit Mechanics

The attackers executed a carefully orchestrated multi-phase campaign against LayerZero’s DVN infrastructure. Rather than targeting a smart contract vulnerability, the Lazarus Group operatives focused their efforts on the Remote Procedure Call node layer — the foundational infrastructure responsible for validating cross-chain messages. First, they compromised two independent RPC nodes, replacing their legitimate software with malicious binaries specifically engineered to intercept and manipulate transaction data. Once the compromised nodes were operational, the attackers launched a massive distributed denial-of-service attack against the remaining legitimate nodes, flooding them with traffic until they became unresponsive. This dual-pronged approach effectively forced the entire validation system to route all requests through the now-compromised malicious nodes, creating the perfect conditions for authorizing fraudulent cross-chain transactions that drained rsETH from Kelp DAO’s contracts.
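The failover behaviour described above can be contrasted with a fail-closed read in a small model. This is an added example, not code from LayerZero or Kelp DAO; the endpoint functions, hash values and the `quorum_read` helper are hypothetical, and quorum is counted against every configured endpoint rather than against whichever ones still respond.

```python
from collections import Counter

GENUINE, FORGED = "0xaaa", "0xbbb"  # constructed message hashes


class Unavailable(Exception):
    """Too few endpoints answered or agreed; the caller must not attest."""


def honest(_query):
    return GENUINE


def tampered(_query):
    return FORGED


def flooded(_query):
    raise TimeoutError("endpoint unresponsive")


def first_responder(endpoints, query):
    """Naive failover: trust whichever endpoint answers first."""
    for endpoint in endpoints:
        try:
            return endpoint(query)
        except TimeoutError:
            continue
    raise Unavailable("no endpoint answered")


def quorum_read(endpoints, query, quorum):
    """Return a value only if `quorum` of the configured endpoints report it."""
    if quorum * 2 <= len(endpoints):
        raise ValueError("quorum must be a strict majority of configured endpoints")
    answers = []
    for endpoint in endpoints:
        try:
            answers.append(endpoint(query))
        except TimeoutError:
            pass  # an unreachable endpoint never lowers the bar for the rest
    if answers:
        value, votes = Counter(answers).most_common(1)[0]
        if votes >= quorum:
            return value
    raise Unavailable(f"{len(answers)}/{len(endpoints)} answered, quorum {quorum} not met")


HEALTHY = [honest, honest, honest, tampered, tampered]
UNDER_ATTACK = [flooded, flooded, flooded, tampered, tampered]
```

With three of five endpoints unresponsive, `first_responder` returns the tampered value while `quorum_read` raises `Unavailable`, trading availability for integrity during the outage.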

Affected Systems

The attack had catastrophic consequences specifically for Kelp DAO and its liquid staking operations. Approximately $290 million worth of rsETH — Kelp’s liquid staking token representing staked Ethereum across multiple protocols — was siphoned from the DAO’s contracts. The sudden massive sell pressure on decentralized exchanges triggered significant price volatility for rsETH, sending shockwaves through the broader liquid staking ecosystem. LayerZero’s post-mortem revealed a critical detail: the protocol had recommended that Kelp DAO employ a multi-DVN setup using multiple independent validators for message verification. However, Kelp DAO maintained only a single-validator structure for its rsETH operations, creating a single point of failure that the attackers expertly exploited. LayerZero emphasized that no other assets or applications on its network were affected by this incident, as the vulnerability was specific to Kelp DAO’s application-level configuration.
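A configuration audit for the single-validator problem described above, as an added example rather than LayerZero's or Kelp DAO's own tooling. The required/optional/threshold layout, the verifier names and the operator mapping are assumptions made for illustration; the function reports how many independent operators would have to be compromised before a forged message is accepted.

```python
from itertools import combinations

# Constructed mapping of verifier -> operating entity (hypothetical names).
OPERATOR_OF = {"dvn-a": "op-1", "dvn-b": "op-2", "dvn-c": "op-3", "dvn-d": "op-1"}


def operators_to_forge(required, optional, threshold, operator_of):
    """Fewest distinct operators whose compromise satisfies verification:
    every required verifier plus `threshold` of the optional ones."""
    if threshold > len(optional):
        raise ValueError("threshold exceeds number of optional verifiers")
    base = {operator_of[v] for v in required}
    best = None
    # Try every way of meeting the optional threshold and keep the cheapest.
    for picked in combinations(optional, threshold):
        needed = base | {operator_of[v] for v in picked}
        if best is None or len(needed) < best:
            best = len(needed)
    return best


def audit(name, required, optional, threshold, operator_of=OPERATOR_OF, minimum=2):
    """Flag a configuration that fewer than `minimum` operators can satisfy."""
    count = operators_to_forge(required, optional, threshold, operator_of)
    return {
        "config": name,
        "operators_to_forge": count,
        "single_point_of_failure": count < minimum,
    }


if __name__ == "__main__":
    # One verifier: a single compromised operator is enough.
    print(audit("single", ["dvn-a"], [], 0))
    # Two verifiers run by the same operator are no better than one.
    print(audit("same-operator", ["dvn-a", "dvn-d"], [], 0))
    # Two required verifiers from different operators, plus 1-of-2 optional.
    print(audit("multi", ["dvn-a", "dvn-b"], ["dvn-c", "dvn-d"], 1))
```

Counting operators instead of verifiers matters because two verifiers run by the same entity fall together.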

The Mitigation Strategy

In the aftermath of the exploit, LayerZero issued urgent security advisories to all protocols utilizing its cross-chain infrastructure. The primary recommendation centered on implementing multi-DVN configurations that distribute validation across multiple independent entities, eliminating single points of failure. The protocol also recommended enhanced monitoring of RPC node behavior, including anomaly detection systems capable of identifying unusual traffic patterns or unexpected software modifications. For Kelp DAO specifically, emergency measures included pausing all cross-chain rsETH transfers, coordinating with major decentralized exchanges to flag and freeze exploited funds, and engaging blockchain forensics firms to trace the movement of stolen assets. The broader DeFi community responded by conducting urgent security audits of their own validator configurations, with several prominent protocols proactively upgrading to multi-DVN setups even before receiving direct recommendations.

Lessons Learned

The Kelp DAO exploit serves as a stark reminder that infrastructure-level security is just as critical as smart contract auditing. The attack pattern mirrors previous high-profile bridge hacks — the $625 million Ronin Bridge exploit in 2022 and the $326 million Wormhole exploit — where attackers targeted validator infrastructure rather than contract code. Key takeaways include the absolute necessity of multi-validator configurations for any protocol handling significant value, the importance of real-time monitoring for DDoS attacks against validation nodes, and the growing sophistication of state-sponsored hacking groups like Lazarus. Bitcoin was trading at approximately $79,626 and Ethereum at $1,522 at the time of the attack, meaning the $290 million loss represented a substantial hit to the DeFi ecosystem’s total value locked.

User Action Required

Users who held rsETH or interacted with Kelp DAO’s liquid staking products should immediately check their wallet balances and transaction history. Those affected should follow Kelp DAO’s official communication channels for updates on recovery efforts and potential compensation plans. All DeFi users should review the security configurations of protocols they interact with, specifically checking whether platforms employ multi-validator setups for cross-chain operations. Consider diversifying liquid staking positions across multiple providers to minimize exposure to single-protocol failures. Enable transaction simulation tools before approving any cross-chain transfers, and maintain awareness that infrastructure-level attacks are becoming the primary threat vector in DeFi.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


12 thoughts on “Kelp DAO Loses $290 Million as Lazarus Group Exploits LayerZero RPC Nodes”

  1. compromising RPC nodes instead of smart contracts is a terrifying escalation. lazarus keeps adapting and the defense side is always 3 steps behind

  2. 290M and it barely made mainstream news. if a traditional bank lost that much it would be front page for a week

  3. ddos_the_dinos

    the DDoS on remaining legit nodes while the malicious ones were active is the real masterstroke here. they essentially created a controlled information environment

  4. had a small rsETH position. pulled everything out of liquid staking protocols within an hour of seeing this. trust in the infra layer is completely broken for me rn

    1. Kristina M. pulling everything out of liquid staking because of an RPC attack is exactly the overreaction that causes the next cascade. the staking was fine, the cross-chain layer failed

    2. pulling everything out of liquid staking is the wrong takeaway. the issue was LayerZero DVN config, not the staking primitive itself. rsETH got hit because cross-chain validation failed, not because liquid staking is broken

      1. deadzone is right that staking itself wasn't the issue. cross-chain validation was the weak link. but users don't distinguish between the two when deciding where to park funds

  5. Lazarus compromising RPC nodes while everyone was watching smart contracts is the definition of asymmetric warfare. $290M and the attack vector was infrastructure 101

  6. multi-stage RPC compromise plus DDoS on legit nodes is nation-state level ops. no DeFi protocol can defend against that alone

  7. Lazarus targeting RPC nodes instead of smart contracts shows they adapt faster than security teams. $290M gone and the vulnerability was at the infrastructure layer nobody was watching

    1. the defense side isn't 3 steps behind, they just don't have nation-state backing. lazarus has essentially unlimited resources

      1. Lazarus has been doing this since 2017 and the defense playbook has barely changed. individual protocols can't match state-level opsec
