News linked to both this project and an event.
Odaily, Mitchell Amador, CEO of bug bounty platform Immunefi, stated at the WAIB Summit that new AI models such as Claude Opus 4.8 and ChatGPT 5.5 are shifting the balance of cybersecurity offense and defense in favor of attackers, leading to a resurgence in crypto hacks in 2026. Data from DefiLlama shows that in April 2026, illicit actors stole over $634 million from crypto platforms, the highest monthly total since the Bybit hack in February 2025 drove losses of approximately $1.4 billion.Amador stated that the crypto industry is in a critical survival period for the next three to four years until security teams leverage similar AI models to build codebases that attackers cannot breach; if the industry adopts more crowd-sourced security solutions, this timeline could be shortened to within two years. The latest Claude Mythos model, Fable 5, from AI company Anthropic, previously raised concerns about accelerating the ability to exploit crypto vulnerabilities.Anthropic stated that Fable 5 has safeguards in place that will redirect topics related to cybersecurity and similar fields to Claude Opus 4.8. On April 19, an attacker transferred approximately 116,500 restaked Ethereum (rsETH) from Kelp DAO's LayerZero-based rsETH bridge, valued at around $290 million to $293 million at the time. Cross-chain protocol LayerZero stated that the 1/1 decentralized verification network configuration of Kelp DAO relied on a single verification path for processing cross-chain messages, creating a single point of failure. (Cointelegraph)
in April this year, KelpDAO's LayerZero bridge was exploited in a $292 million vulnerability attack, triggering an $8.45 billion deposit run on Aave within 48 hours, marking the largest capital outflow event in decentralized finance (DeFi) history. Aave founder Stani Kulechov stated that the design of Aave V3 withstood the market test, demonstrating the network's "resilience." However, independent data indicates that Aave's survival primarily relied on $300 million in emergency rescue, including a 25,000 ETH guarantee from the Aave DAO and a personal injection of 5,000 ETH (approximately $8.4 million) by Kulechov.Kulechov attributed the vulnerability to third-party infrastructure rather than core smart contracts. However, analysts pointed out that this incident exposed deficiencies in Aave's risk architecture and insurance mechanisms, leading the platform to incur significant bad debt (approximately $123.7 million in wETH). To prevent future bridge failures from triggering systemic bank runs, Aave V4 will adopt a modular "hub-and-spoke" architecture, enabling local risk auto-adjustment and collateral freezing. (CoinDesk)
Aave has published a post-mortem of the April 18 rsETH incident, stating that the rsETH LayerZero V2 cross-chain bridge of liquid staking protocol Kelp accepted a forged message during a cross-chain transfer from Unichain to Ethereum. This caused the adapter on the Ethereum side to release 116,500 rsETH without a corresponding burn on the Unichain side. Aave stated that the attack occurred on a third-party cross-chain bridge infrastructure. However, the attacker deposited the stolen rsETH into 8 Aave V3 positions, borrowing 82,650 WETH and 821 wstETH, which impacted the Aave market.Aave stated that the attacker's rsETH on Arbitrum has now been burned. The LayerZero OFT adapter has replenished 116,131.72 rsETH in 5 batches, and the asset backing for rsETH has been fully restored. The affected WETH and rsETH markets have returned to normal.
LayerZero Labs has released a recent incident report stating that on April 18, 2026, the KelpDAO rsETH cross-chain bridge, built on its cross-chain communication protocol, suffered an attack resulting in the theft of approximately 116,500 rsETH (around $292 million). Multiple security organizations, including Mandiant, CrowdStrike, and independent researchers, have attributed this attack to the North Korea-linked hacker group TraderTraitor (UNC4899).According to the report, the attack began on March 6, 2026. The attackers compromised a LayerZero developer account through social engineering, obtained session keys, and penetrated the RPC cloud environment. They further contaminated internal RPC node data and manipulated the returned results to deceive monitoring systems and the Decentralized Verification Network (DVN). Subsequently, the attackers launched a denial-of-service attack against external RPC providers, forcing the verification system to rely on the compromised nodes to generate forged cross-chain proofs, thereby successfully extracting the funds.LayerZero pointed out that the core vulnerability of this incident lay in the affected application adopting a "single-verifier" configuration. This allowed the target contract to execute asset releases upon receiving only a single valid signature, leading to the theft of rsETH.Following the incident, LayerZero Labs announced an adjustment to security policies. This includes no longer allowing its own DVN to act as the sole signer in a single-verifier configuration, rebuilding the affected cloud infrastructure, and introducing short-term credentials, instant permission upgrades, and multi-party approval mechanisms to enhance security. Additionally, zeroShadow and law enforcement agencies have initiated investigations and asset tracing. LayerZero stated it will continue to collaborate with ecosystem partners to strengthen the cross-chain security framework to address increasingly sophisticated nation-state attack threats.
: On-chain analyst Tom Wan stated on platform X that the current ETH utilization rate has dropped below 90%, and the lending APY has fallen to 1.9%. Since the rsETH LayerZero cross-chain bridge was attacked, the deposits of wstETH and weETH have decreased by approximately $1.2 billion and $1.76 billion, respectively. As the strategy of leveraged looping wstETH/weETH against ETH becomes profitable again, market attention is turning to whether demand for ETH leveraged loops will return, or if capital will continue to wait on the sidelines or flow into protocols like Spark and Morpho.
following the $292 million exploit of Kelp DAO's LayerZero bridge, the security of cross-chain infrastructure has once again come under scrutiny. DeFi protocols Kelp DAO, Solv Protocol, Re, and crypto exchange Kraken have all taken similar migration measures, with the total value of this outflow reaching approximately $4 billion.Decentralized finance protocol Lombard has become the latest project to join the migration wave, announcing a gradual phase-out of LayerZero and the migration of over $1 billion in Bitcoin collateral assets to Chainlink's Cross-Chain Interoperability Protocol (CCIP). Bitcoin-related tokens issued by Lombard include LBTC and BTC.b. It is reported that Lombard's initial migration assets cover the Solana, Etherlink, Berachain, Corn, and TAC chains, while the use of LayerZero on Morph and Swell will also be terminated. As of now, LayerZero has not responded to requests for comment. (CoinDesk)
Kraken announced on X platform that Chainlink CCIP will become the sole cross-chain infrastructure for kBTC and future wrapped assets, replacing the original LayerZero protocol. This decision followed last month's $292 million LayerZero cross-chain bridge exploit incident at Kelp.Currently, a total of over $3 billion in total value locked has migrated from LayerZero. The migration covers blockchains including Ethereum, Ink, Unichain, and Optimism. The current market cap of kBTC is approximately $260 million. Kraken stated that it will continue to be responsible for the issuance and custody of assets, while Chainlink CCIP will handle cross-chain asset transfers. (coindesk)
Aave posted on X, stating that the first phase of the rsETH technical recovery plan has been completed, including the burning of the attacker's rsETH on Arbitrum.In the coming days, funds will be gradually replenished for the LayerZero OFT adapter, and rsETH-related operations will be restored.
following the Kelp security incident, Tether's asset interoperability protocol USDT0 has disclosed details of its protocol security architecture. It stated that the system currently utilizes a proprietary DVN (Decentralized Verification Network) with message veto authority, and requires 3 independent validators, operating on different codebases, to reach a 3/3 consensus before cross-chain messages can be settled. The current verification nodes include the USDT0 proprietary DVN, LayerZero, and Canary, with future plans to expand to 4/4 and 5/5 verification mechanisms.USDT0 also stated that all multi-signature transactions must undergo multiple reviews by internal teams, external security teams, and auditing firms before signatures are submitted. The relevant contracts have been audited by firms such as Guardian and OpenZeppelin, and a $6 million bug bounty program has been launched on Immunefi.
LayerZero’s official tweet: LayerZero Labs has formally apologized for the security incident that occurred over the past three weeks and for insufficient communication. Regarding the incident, an internal RPC of LayerZero Labs was compromised by the North Korean hacking group Lazarus Group, contaminating the data sources for its Decentralized Verifier Nodes (DVNs). Concurrently, external RPC providers also suffered DDoS attacks. This incident affected a single application—0.14% of all applications—and involved assets valued at approximately 0.36% of LayerZero’s total assets. The LayerZero protocol itself remained unaffected; over $9 billion in assets continued to flow across chains normally following the incident. LayerZero Labs acknowledged that it previously permitted its DVNs to operate under a “1/1” single-node configuration to secure high-value transactions—a setup inherently vulnerable to single-point failure. LayerZero Labs accepts managerial oversight responsibility for this decision. Additionally, LayerZero disclosed that, three and a half years ago, one of its multi-signature signers had mistakenly used a multi-sig hardware wallet for personal transactions. That signer has since been removed, and the associated wallet has been rotated. As corrective measures, LayerZero Labs announced: - It has discontinued support for “1/1” DVN configurations; - It is migrating all paths to a default 5/5 multi-signature configuration, with a minimum threshold of 3/3; - It has developed a second DVN client written in Rust to ensure client diversity.
LayerZero Labs posted on platform X, stating that the internal RPC used by LayerZero Labs had been attacked by the Lazarus Group over the past three weeks, compromising the true source of its DVN (Decentralized Verifier Network). Meanwhile, external RPC providers experienced DDoS attacks. The incident affected 0.14% of applications and approximately 0.36% of asset value. LayerZero Labs stated that assets are currently secure, and over $9 billion in funds have been bridged through the protocol since April 19.In response to the security risk, LayerZero Labs has ceased providing services for its DVN in a 1/1 configuration. Default configurations for all pathways will migrate to a multi-DVN model of at least 3/3 or 5/5 signatures. Additionally, regarding an incident from three years ago where a multi-sig holder mistakenly used a hardware wallet for personal transactions, LayerZero Labs has removed that signer and replaced the wallet, while developing a custom OneSig multi-sig system. LayerZero Labs advises developers to lock configurations to avoid reliance on default settings and plans to launch an asset management platform, Console, to enhance security monitoring.
According to The Block, the Arbitrum DAO voted to release 30,765.6 ETH (approximately $70 million), previously frozen, to support the DeFi United initiative—aimed at offsetting Kelp DAO’s $292 million exploit loss last month. The vote passed with 90.96% support (182.2 million votes). The attack was allegedly carried out by the North Korean Lazarus hacking group, which exploited a vulnerability in LayerZero’s OFT cross-chain bridge—a single-validator configuration—which allowed attackers to steal 116,500 rsETH and pledge most of the stolen assets as collateral on Aave, resulting in roughly $190 million in bad debt. DeFi United has secured contributions from multiple parties, including 30,000 ETH from Consensys and Joseph Lubin, a 30,000-ETH loan from Mantle, and 5,000 ETH from LayerZero.
Solv Protocol has announced the migration of over $700 million in tokenized Bitcoin assets to Chainlink's cross-chain protocol CCIP, and will gradually phase out LayerZero's bridging support across multiple chains. The migration involves core assets such as SolvBTC and xSolvBTC. Solv stated that the decision is based on the latest security reviews and recent cross-chain security incidents, and CCIP will become its standard cross-chain infrastructure. This move follows Kelp DAO's migration of approximately $290 million in assets to Chainlink, further strengthening the trend of "cross-chain infrastructure shifting toward security-first migration." (CoinDesk)
Aave has announced the completion of the liquidation of the remaining rsETH position belonging to the Kelp DAO attacker. The related collateral assets will be transferred to the Recovery Guardian multi-signature wallet managed by DeFi United, to be used for restoring rsETH reserves and compensating affected users.This liquidation is part of the recovery plan following the previous $292 million attack incident. Aave had previously passed a governance vote to temporarily adjust the rsETH oracle price in order to create bad debt in the attacker's position and trigger liquidation. The relevant parameters will be restored upon completion of the liquidation. Previously, the attacker exploited the Kelp DAO cross-chain bridge based on LayerZero to forge 116,500 unbacked rsETH and borrowed ETH from protocols such as Aave and Compound. Currently, the recovery funds managed by DeFi United have exceeded $320 million.
Kelp DAO has announced the migration of its restaking token rsETH to Chainlink CCIP, citing enhanced security as the reason for this move. Previously, a cross-chain bridge built by Kelp DAO on LayerZero was attacked on April 18, with hackers stealing approximately 116,500 rsETH, valued at around $292 million, and using the assets as collateral to borrow WETH on Aave v3.Regarding the cause of the vulnerability, LayerZero previously stated that the issue stemmed from Kelp DAO using a single DVN verification path configuration rather than multiple independent verifications. Kelp DAO responded that this configuration was the default setting and that LayerZero had confirmed its security without flagging any related risks. LayerZero CEO Bryan Pellegrino subsequently denied this claim, stating that Kelp DAO had proactively modified the default multi-DVN configuration. Both parties continue to dispute responsibility for the incident. (Cointelegraph)
According to The Block, Kelp DAO will abandon LayerZero and adopt Chainlink’s Cross-Chain Interoperability Protocol (CCIP) as its cross-chain infrastructure, along with Chainlink’s Cross-Chain Token (CCT) standard. Previously, in April, Kelp DAO suffered a cross-chain bridge attack totaling approximately $292 million; the attackers are suspected to be linked to North Korea’s Lazarus Group and exploited the single-validator configuration of the LayerZero-powered OFT cross-chain bridge to steal 116,500 rsETH. Chainlink states that its CCIP requires at least 16 independent node operators to validate cross-chain transactions.
According to monitoring by on-chain analyst Specter, the Wasabi Protocol attacker has deposited all stolen funds into Tornado Cash, moving approximately $5.9 million into Tornado Cash. Additionally, North Korean hacking groups have also used Tornado Cash to launder stolen funds from KelpDAO and LayerZero. Their process involved first cross-chaining the assets to Bitcoin, then routing them through Wasabi Mixer, extracting and cross-chaining back to Ethereum, depositing into Tornado Cash, subsequently withdrawing to new wallets and dispersing across multiple addresses. The new wallets then deployed tokens, used the stolen funds to buy in, removed liquidity from the deployment wallet, cross-chained to Tron (USDT), held for several hours or days, and finally sent to OTC-related wallets.
Circle Ventures, Consensys, and Joseph Lubin have announced their support for the DeFi United initiative, aimed at mitigating losses caused by the Kelp DAO vulnerability. Circle Ventures is supporting the ecosystem by purchasing AAVE tokens. Consensys and Ethereum co-founder Joseph Lubin have confirmed the provision of 30,000 ETH to DeFi United. To date, DeFi United has raised over 132,000 ETH, with a total value exceeding $300 million. These funds will be used to cover bad debts resulting from an attacker minting unbacked rsETH via the LayerZero bridge and borrowing assets on Aave. Previously, Aave proposed a donation of 25,000 ETH, while Lido DAO, Ether.fi, and Kelp have respectively proposed or pledged donations of 2,500 ETH, 5,000 ETH, and 2,000 ETH.
According to on-chain analyst Ai Aunt (@ai_9684xtpa), the address 0xb5E…Fc24e deposited a total of 1.397 million UNI tokens—worth approximately $4.6 million—into three exchanges two hours ago. Notably, the Bybit deposit address has had multiple interactions with the DeFi crypto fund DeFiance Capital, which is an investor in both Aave and LayerZero—two entities closely linked to the recent Kelp DAO hack incident.
According to The Block, JPMorgan analysts noted in their latest report that ongoing DeFi security vulnerabilities and stagnant growth in total value locked (TVL) continue to constrain institutional enthusiasm for the DeFi sector. Recently, Kelp DAO’s cross-chain bridge suffered a major attack, during which the attacker minted $292 million worth of uncollateralized rsETH tokens and borrowed real ETH on Aave, resulting in approximately $230 million in bad debt. This caused DeFi TVL to evaporate by roughly $20 billion within several days. LayerZero and blockchain security researchers have attributed this attack to the North Korean hacker group Lazarus Group; some of the stolen funds have been frozen, while the rest remain in circulation. Analysts also pointed out that DeFi TVL denominated in ETH has remained range-bound for an extended period, raising market concerns about whether DeFi can achieve organic growth sufficient to support institutional adoption. Furthermore, following each security incident, users tend to shift funds into USDT as a safe-haven asset—yet this trend has not yet significantly driven USDT’s market capitalization growth.