The most expensive blame game in 2026 DeFi started on April 20th. LayerZero published its official post-mortem of the $292 million Kelp DAO hack, and the attribution is damning: Lazarus Group, specifically the TraderTraitor subunit — the same North Korean cyber operation behind the $1.4 billion Bybit exploit in 2025. But while the document names the attacker, LayerZero shifts technical responsibility squarely onto Kelp. Within hours, KelpDAO fired back.
Lazarus Strikes Twice in 18 Days
The aggregate damage is staggering. Drift Protocol on Solana, April 1: $285 million. Kelp DAO on Ethereum, April 18: $292 million. Total: over $575 million drained by the same North Korean unit in under three weeks, using entirely different attack vectors each time.
- Drift: social engineering targeting multisig signers on the Security Council, with a custom-fabricated CVT token
- Kelp: compromise of two LayerZero RPC nodes combined with DDoS attacks on backups to force failover
- TraderTraitor is now confirmed as the single most dangerous threat actor for DeFi in 2026, with 18 attributed attacks since January according to Elliptic
LayerZero vs. Kelp: Who Is Really Responsible?
The core of the dispute is the 1/1 DVN configuration — a single verifier authorizes all cross-chain messages, with zero redundancy. LayerZero claims it repeatedly recommended a multi-DVN setup to Kelp. KelpDAO counters that the 1/1 setup was LayerZero's own GitHub default, currently used by 40% of protocols on the infrastructure.
Preliminary indicators suggest attribution to Lazarus Group, more specifically TraderTraitor.
Zach Rynes, community liaison at Chainlink, was among the first to respond on X: LayerZero is deflecting responsibility for its own compromised DVN infrastructure. That position was technically confirmed by banteg of Yearn Finance, who reviewed LayerZero's public deployment: the reference configuration ships with single-source verification as default on Ethereum, BSC, Polygon, Arbitrum, and Optimism.
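An added example (not code from LayerZero, Kelp or this article) that models the 1/1 DVN configuration at the centre of the dispute and audits a verifier set for single points of failure. It assumes a scheme in which every required DVN plus a threshold of optional DVNs must attest; the class, field and DVN names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class DvnConfig:
    # Illustrative model (assumption, not LayerZero's code): every required
    # DVN must attest, plus at least `optional_threshold` of the optional ones.
    required: list
    optional: list = field(default_factory=list)
    optional_threshold: int = 0

def _distinct(cfg):
    req = {a.lower() for a in cfg.required}
    opt = {a.lower() for a in cfg.optional} - req  # the same DVN counts once
    return req, opt

def security_floor(cfg):
    """Fewest distinct verifiers an attacker must control to pass a forgery."""
    req, _ = _distinct(cfg)
    return len(req) + cfg.optional_threshold

def forged_message_accepted(cfg, compromised):
    """True if attestations from the compromised DVNs alone satisfy cfg."""
    req, opt = _distinct(cfg)
    bad = {a.lower() for a in compromised}
    return req <= bad and len(opt & bad) >= cfg.optional_threshold

def audit(cfg):
    req, opt = _distinct(cfg)
    findings = []
    if len(req) + len(opt) < len(cfg.required) + len(cfg.optional):
        findings.append("duplicate DVN entries inflate apparent redundancy")
    if cfg.optional_threshold > len(opt):
        findings.append("optional threshold can never be met: messages stall")
    if opt and cfg.optional_threshold == 0:
        findings.append("optional DVNs listed with threshold 0 add nothing")
    if security_floor(cfg) <= 1:
        findings.append("single point of failure: at most one DVN to compromise")
    return findings

# Constructed sample configs; DVN names are placeholders, not real addresses.
ONE_OF_ONE = DvnConfig(required=["dvn-a"])
FAKE_REDUNDANCY = DvnConfig(required=["dvn-a", "DVN-A"], optional=["dvn-b"])
MULTI_DVN = DvnConfig(["dvn-a", "dvn-b"], ["dvn-c", "dvn-d"], optional_threshold=1)

if __name__ == "__main__":
    for name in ("ONE_OF_ONE", "FAKE_REDUNDANCY", "MULTI_DVN"):
        cfg = globals()[name]
        print(name, security_floor(cfg), audit(cfg),
              forged_message_accepted(cfg, {"dvn-a"}))
```

The `FAKE_REDUNDANCY` case shows why counting list entries is not enough: three entries still reduce to a floor of one distinct verifier.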
47% of LayerZero Apps Are Still Vulnerable
Data from Dune Analytics, published on April 20th, is the story inside the story. Of 2,665 active OApps analyzed over the past 90 days, 47% operate with a 1-of-1 security floor. LayerZero has announced it will halt message signing for any app running a 1/1 setup, forcing migration for hundreds of projects in the coming weeks.
- DeFi TVL: dropped from $99.5B to $86.3B in 48 hours, a $13.2 billion wipeout
- Aave: $8.45 billion in deposits withdrawn, ETH/USDT/USDC markets at 100% utilization
- Tokens hit: AAVE -22%, ZRO -22%, LDO -19%, ENA -13%, COMP -10%
The Question the Entire Ecosystem Is Asking
If 47% of LayerZero bridges are still running the same fragile configuration, how many more $292 million losses will it take before cross-chain DeFi seriously rethinks its single points of failure? Composability is DeFi's superpower — but when one node breaks, whether RPC, DVN, or multisig, every connected protocol becomes a domino. The Kelp hack is not just a post-mortem; it is a stress test that the whole sector failed.
