News linked to both this project and an event.
Aave has published a post-mortem of the April 18 rsETH incident, stating that the rsETH LayerZero V2 cross-chain bridge of liquid staking protocol Kelp accepted a forged message during a cross-chain transfer from Unichain to Ethereum. This caused the adapter on the Ethereum side to release 116,500 rsETH without a corresponding burn on the Unichain side. Aave stated that the attack occurred on a third-party cross-chain bridge infrastructure. However, the attacker deposited the stolen rsETH into 8 Aave V3 positions, borrowing 82,650 WETH and 821 wstETH, which impacted the Aave market.Aave stated that the attacker's rsETH on Arbitrum has now been burned. The LayerZero OFT adapter has replenished 116,131.72 rsETH in 5 batches, and the asset backing for rsETH has been fully restored. The affected WETH and rsETH markets have returned to normal.
Robinhood has listed AERO, QNT, and ZRO.
LayerZero Labs has released a recent incident report stating that on April 18, 2026, the KelpDAO rsETH cross-chain bridge, built on its cross-chain communication protocol, suffered an attack resulting in the theft of approximately 116,500 rsETH (around $292 million). Multiple security organizations, including Mandiant, CrowdStrike, and independent researchers, have attributed this attack to the North Korea-linked hacker group TraderTraitor (UNC4899).According to the report, the attack began on March 6, 2026. The attackers compromised a LayerZero developer account through social engineering, obtained session keys, and penetrated the RPC cloud environment. They further contaminated internal RPC node data and manipulated the returned results to deceive monitoring systems and the Decentralized Verification Network (DVN). Subsequently, the attackers launched a denial-of-service attack against external RPC providers, forcing the verification system to rely on the compromised nodes to generate forged cross-chain proofs, thereby successfully extracting the funds.LayerZero pointed out that the core vulnerability of this incident lay in the affected application adopting a "single-verifier" configuration. This allowed the target contract to execute asset releases upon receiving only a single valid signature, leading to the theft of rsETH.Following the incident, LayerZero Labs announced an adjustment to security policies. This includes no longer allowing its own DVN to act as the sole signer in a single-verifier configuration, rebuilding the affected cloud infrastructure, and introducing short-term credentials, instant permission upgrades, and multi-party approval mechanisms to enhance security. Additionally, zeroShadow and law enforcement agencies have initiated investigations and asset tracing. LayerZero stated it will continue to collaborate with ecosystem partners to strengthen the cross-chain security framework to address increasingly sophisticated nation-state attack threats.
Aave announced that the first batch of rsETH has been transferred to LayerZero’s OFT adapter, and cross-chain transfers of rsETH between the Ethereum mainnet and various L2 networks have now resumed. This development means that the rsETH cross-chain channels previously affected have been restored, covering operations across the Ethereum mainnet and L2 networks.
following the Kelp security incident, Tether's asset interoperability protocol USDT0 has disclosed details of its protocol security architecture. It stated that the system currently utilizes a proprietary DVN (Decentralized Verification Network) with message veto authority, and requires 3 independent validators, operating on different codebases, to reach a 3/3 consensus before cross-chain messages can be settled. The current verification nodes include the USDT0 proprietary DVN, LayerZero, and Canary, with future plans to expand to 4/4 and 5/5 verification mechanisms.USDT0 also stated that all multi-signature transactions must undergo multiple reviews by internal teams, external security teams, and auditing firms before signatures are submitted. The relevant contracts have been audited by firms such as Guardian and OpenZeppelin, and a $6 million bug bounty program has been launched on Immunefi.
LayerZero Labs posted on platform X, stating that the internal RPC used by LayerZero Labs had been attacked by the Lazarus Group over the past three weeks, compromising the true source of its DVN (Decentralized Verifier Network). Meanwhile, external RPC providers experienced DDoS attacks. The incident affected 0.14% of applications and approximately 0.36% of asset value. LayerZero Labs stated that assets are currently secure, and over $9 billion in funds have been bridged through the protocol since April 19.In response to the security risk, LayerZero Labs has ceased providing services for its DVN in a 1/1 configuration. Default configurations for all pathways will migrate to a multi-DVN model of at least 3/3 or 5/5 signatures. Additionally, regarding an incident from three years ago where a multi-sig holder mistakenly used a hardware wallet for personal transactions, LayerZero Labs has removed that signer and replaced the wallet, while developing a custom OneSig multi-sig system. LayerZero Labs advises developers to lock configurations to avoid reliance on default settings and plans to launch an asset management platform, Console, to enhance security monitoring.
According to The Block, the Arbitrum DAO voted to release 30,765.6 ETH (approximately $70 million), previously frozen, to support the DeFi United initiative—aimed at offsetting Kelp DAO’s $292 million exploit loss last month. The vote passed with 90.96% support (182.2 million votes). The attack was allegedly carried out by the North Korean Lazarus hacking group, which exploited a vulnerability in LayerZero’s OFT cross-chain bridge—a single-validator configuration—which allowed attackers to steal 116,500 rsETH and pledge most of the stolen assets as collateral on Aave, resulting in roughly $190 million in bad debt. DeFi United has secured contributions from multiple parties, including 30,000 ETH from Consensys and Joseph Lubin, a 30,000-ETH loan from Mantle, and 5,000 ETH from LayerZero.
Solv Protocol has announced the migration of over $700 million in tokenized Bitcoin assets to Chainlink's cross-chain protocol CCIP, and will gradually phase out LayerZero's bridging support across multiple chains. The migration involves core assets such as SolvBTC and xSolvBTC. Solv stated that the decision is based on the latest security reviews and recent cross-chain security incidents, and CCIP will become its standard cross-chain infrastructure. This move follows Kelp DAO's migration of approximately $290 million in assets to Chainlink, further strengthening the trend of "cross-chain infrastructure shifting toward security-first migration." (CoinDesk)
LayerZero Labs co-founder and CEO Bryan Pellegrino has responded to the KelpDAO-related controversy on the X platform, stating that most of the recent accusations surrounding KelpDAO are "completely untrue." He noted that Kelp initially adopted the default MultiDVN or DeadDVN configuration, but on-chain records show it was manually changed to a 1/1 configuration on April 1, 2024. The official documentation has repeatedly recommended using a 2/3 configuration for production environments.Bryan Pellegrino stated that the DeadDVN mechanism would reject transaction paths that have not been properly configured with DVN, preventing applications from running directly with default parameters. He also mentioned that the LayerZero team had previously provided clear configuration recommendations to KelpDAO. At the same time, he revealed that a comprehensive analysis report will be released after confirmation is completed by an external security firm.
According to monitoring by on-chain analyst Specter, the Wasabi Protocol attacker has deposited all stolen funds into Tornado Cash, moving approximately $5.9 million into Tornado Cash. Additionally, North Korean hacking groups have also used Tornado Cash to launder stolen funds from KelpDAO and LayerZero. Their process involved first cross-chaining the assets to Bitcoin, then routing them through Wasabi Mixer, extracting and cross-chaining back to Ethereum, depositing into Tornado Cash, subsequently withdrawing to new wallets and dispersing across multiple addresses. The new wallets then deployed tokens, used the stolen funds to buy in, removed liquidity from the deployment wallet, cross-chained to Tron (USDT), held for several hours or days, and finally sent to OTC-related wallets.
According to official announcements, Aave Labs, KelpDAO, LayerZero, EtherFi, Compound, and others have submitted an Arbitrum Constitutional AIP proposing the release of 30,765.67 ETH—previously frozen by the Arbitrum Security Council—to the recovery address 0xf228...C15e for compensation and restoration of assets related to the rsETH incident. The proposal states that the KelpDAO rsETH cross-chain incident created a support shortfall of approximately 76,127 rsETH, and the released funds will be incorporated into the coordinated recovery process. The proposal requires no additional treasury funding and estimates the governance process will take approximately 49 days. Currently, the proposal has a 100% voting approval rate, and voting will end at 2:54 AM Beijing Time on May 8.
According to the latest data from the omnichain stablecoin USDT0, its user base is primarily retail: approximately 99.2% of holders have wallet balances under $1,000, only about 1,200 addresses hold between $100,000 and $1 million, and just 35 addresses hold over $10 million.The report notes that the main use case for USDT0 is small-value cross-chain transfers, with active users primarily engaged in daily transactions rather than large fund flows. However, in terms of transaction volume, single transfers exceeding $1 million still account for approximately 68.8% of the total transfer volume.USDT0 was launched by Everdawn Labs and is supported by LayerZero and Tether, pegged 1:1 to USDT. It has currently expanded to 23 chains, with a total transaction volume of $86.7 billion, becoming the third-largest holder of USDT, trailing only Binance and OKX. (The Block)
Blockworks has announced the completion of a Series A extension funding round, achieving a post-money valuation of $192 million. The round was co-led by ParaFi Capital and Reciprocal Ventures, with support from Coinbase Ventures, MoonPay Ventures, and several other institutions and industry participants. The funding also attracted investments from over 20 founders and operators of ecosystem projects including Solana, LayerZero, Arbitrum, and Kraken, though the specific amount raised has not been disclosed.The company stated that while the crypto market has grown to a trillion-dollar scale lacking traditional capital market infrastructure, it still faces issues such as fragmented data, inconsistent disclosure standards, and a lack of investor communication mechanisms. Blockworks aims to fill this gap through a "data + disclosure + investor relations" tripartite architecture. (CNBC)
LayerZero Labs announced on platform X that it has committed over 10,000 ETH in support to DeFi United, led by Aave. Specific actions include donating 5,000 ETH to DeFi United, depositing 5,000 ETH into the Aave market to enhance liquidity, and deepening GHO liquidity.
Circle Ventures, Consensys, and Joseph Lubin have announced their support for the DeFi United initiative, aimed at mitigating losses caused by the Kelp DAO vulnerability. Circle Ventures is supporting the ecosystem by purchasing AAVE tokens. Consensys and Ethereum co-founder Joseph Lubin have confirmed the provision of 30,000 ETH to DeFi United. To date, DeFi United has raised over 132,000 ETH, with a total value exceeding $300 million. These funds will be used to cover bad debts resulting from an attacker minting unbacked rsETH via the LayerZero bridge and borrowing assets on Aave. Previously, Aave proposed a donation of 25,000 ETH, while Lido DAO, Ether.fi, and Kelp have respectively proposed or pledged donations of 2,500 ETH, 5,000 ETH, and 2,000 ETH.
Aave announced that its ecosystem partners and service providers will establish a recovery fund to promote the full asset backing of rsETH. This plan has comprehensively considered the pending Aave DAO governance votes (including the Arbitrum governance vote), indicative protocols, and subsequent successful execution. Aave stated that it has reached an agreement with KelpDAO and LayerZero on the technical steps required to execute the recovery plan, and related work is progressing. Addressing the issues of affected users and maintaining the stability of the broader DeFi ecosystem are the current top priorities. The final recovery plan, user action steps, and further updates will be announced in the near future.
Ethena officially announced that the LayerZero cross-chain bridge functionality for sUSDe and USDe has been fully restored across all chains. To enhance security, Ethena has upgraded the Decentralized Verification Network (DVN) configuration on each chain from 2/2 to 4/4, while maintaining the existing rate limit of $10 million per hour. The official team stated that further updates will be provided as needed.
ether.fi announced on X that the weETH cross-chain bridge powered by LayerZero is now fully restored across all chains, with liquidity minting and redemption functionalities re-enabled. For security, the ether team has increased the number of DVNs (Decentralized Verification Nodes) from two to four and implemented stricter rate-limiting mechanisms to further enhance system security. Additionally, related services will be gradually restored under the guidance of security partners, with more updates to follow.
According to an official Dune disclosure, following the KelpDAO hack, Dune conducted a security configuration analysis of LayerZero’s DVN (Decentralized Verification Network) for nearly 90 days of active OApps. The data shows that among approximately 2,665 distinct OApp contracts, 47% adopted the 1-of-1 DVN security threshold—the lowest level—45% adopted 2-of-2, and roughly 5% adopted 3-of-3 or higher configurations; KelpDAO’s rsETH resides at the 1-of-1 tier, the minimum security level.
Aave risk service provider LlamaRisk has released an incident report: On April 18, 2026, the attacker exploited a vulnerability in Kelp’s LayerZero V2 Unichain-to-Ethereum rsETH routing (a 1-of-1 DVN configuration flaw), forged inbound packets, and illicitly released 116,500 rsETH from the Ethereum-side adapter. Of these, 89,567 rsETH were deposited as collateral into multiple Aave V3 markets—including Ethereum Core and Arbitrum—enabling the borrowing of approximately 82,650 WETH (valued at ~$191 million) and 821 wstETH. Currently, only 40,373 rsETH remain in the adapter, while the total claimable rsETH on the remote chain stands at 152,577—creating a substantial shortfall. Depending on the loss allocation methodology, Aave faces two potential bad-debt scenarios: - Scenario 1 (global pro-rata allocation): Estimated bad debt of ~$123.7 million, with Ethereum Core bearing the greatest pressure; - Scenario 2 (loss confined to L2s): Estimated bad debt of ~$230.1 million, with Mantle facing a WETH reserve shortfall of up to 71.45% and Arbitrum facing a 26.67% shortfall. Following the incident, Aave Protocol Guardians and Risk Administrators immediately froze rsETH/wrsETH reserves across all 11 affected markets.