KelpDAO $290M Exploit Attributed to North Korea's Lazarus Group

LayerZero attributed a $290 million exploit of KelpDAO’s cross-chain rsETH configuration to North Korea’s Lazarus Group on April 18, describing the attacker as a “highly-sophisticated state actor.” According to LayerZero, the incident was limited to KelpDAO’s rsETH setup and did not spread to other assets or applications using the protocol.

Exploit Mechanics and Attribution

LayerZero says the attack targeted downstream RPC infrastructure used by its Decentralized Verifier Network rather than exploiting the LayerZero protocol itself. The company states that compromised nodes have been replaced and the verifier network is back online. LayerZero attributes the attack to Lazarus Group and its TraderTraitor unit based on preliminary indicators.

Financial Impact on Aave

According to blockchain tracker LookonChain, the exploit led to roughly $292 million worth of rsETH being minted illegitimately. The attacker then used the token as collateral to borrow more than 82,600 Ether (ETH), worth about $195 million, from Aave.

The bad debt triggered large withdrawals from Aave, causing its total value locked (TVL) to fall by $6.28 billion in less than 48 hours, declining from $26.396 billion to $20.114 billion, according to LookonChain.

Major Withdrawals

LookonChain identified major withdrawals following the exploit:

• $431 million from MEXC
• $405.7 million from wallet 0x7CD0, possibly linked to Nonco
• $392 million from Abraxas Capital

Response and Remediation

Aave moved to freeze rsETH markets on V3 and V4 to prevent additional borrowing and deposits while evaluating options to cover any deficit.