Caroline Bishop
Apr 24, 2026 05:02
Almost half of LayerZero OApps share the same risky 1-of-1 DVN configuration exploited in the $292M Kelp DAO hack. Here is what it means for the ecosystem.

The $292 million exploit of Kelp DAO on April 18, 2026, has uncovered a critical security flaw in LayerZero's interoperability protocol. According to a study by Dune Analytics, 47% of LayerZero-powered omnichain applications (OApps) currently operate with the same vulnerable 1-of-1 Decentralized Verifier Network (DVN) configuration that enabled the attack. The combined exposure of these at-risk assets exceeds $4.5 billion.
The Exploit: What Went Wrong?
Kelp DAO's misconfigured 1-of-1 DVN setup allowed a single compromised verifier to mint 116,500 unbacked rsETH tokens, valued at $292 million. These tokens were then used as collateral on Aave to borrow $230 million worth of assets, pushing the bad debt onto the lending platform. This configuration runs counter to LayerZero's recommended 2-of-2 DVN setup, which requires multiple independent verifiers to approve cross-chain messages, adding a layer of security.
Investigators have linked the attack to North Korea's Lazarus Group, a hacking syndicate notorious for high-profile crypto heists. The exploit targeted LayerZero's off-chain infrastructure, poisoning RPC nodes and effectively hijacking the DVN validation process.
Key Assets at Risk
The Dune Analytics report highlighted that Tether's omnichain stablecoin, USDT0, represents the largest portion of the exposed $4.5 billion. USDT0's Ethereum, Optimism, and Base deployments use the risky 1-of-1 configuration. With a circulating supply of $4.065 billion, USDT0 accounts for 87% of the identified risk. While the majority of USDT0's cross-chain activity is secured by 2-of-2 configurations, a breach in these specific contracts could have cascading effects across lending markets and beyond.
Other vulnerable assets include Pendle Finance's PENDLE token ($229 million market cap) and Aethir's ATH token ($117 million market cap). However, these tokens are less likely to be exploited because, unlike USDT0, they are rarely accepted as collateral on major lending platforms.
Implications for DeFi
The Kelp DAO incident underscores the systemic risk posed by the 1-of-1 DVN configuration. Industry best practices recommend redundancy and diversity in DVN setups to prevent single points of failure. While LayerZero has publicly urged OApp developers to adopt safer configurations, criticism has emerged that the 1-of-1 setup is the default for new deployments, as noted by Kelp DAO in their rebuttal.
This isn't just a technical issue; it's a governance one. In the fast-moving DeFi space, the responsibility to implement secure configurations often falls on individual projects, many of which may lack the expertise or resources to do so effectively. The result is a fragmented ecosystem where critical infrastructure is only as secure as its weakest link.
The Path Forward
Encouragingly, the Kelp DAO exploit has spurred immediate action. Within days, LayerZero deprecated compromised RPC nodes and announced a policy to stop signing messages for applications using 1-of-1 configurations. USDT0 also paused its bridging infrastructure, signaling a proactive industry response.
Crucially, fixing these vulnerabilities doesn't require a complete protocol overhaul. DVN configurations can be updated directly by OApp owners, making this a solvable problem. Wrapped Bitcoin (wBTC), for instance, has already announced its transition away from 1-of-1 DVN setups, with upgrades expected by April 26, 2026.
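As an added illustration (not code from LayerZero, Dune Analytics, or the original article), the sketch below shows how an OApp owner could audit each pathway for the single-verifier condition described above, including pathways that set nothing and silently inherit a 1-of-1 default. The `DvnConfig` fields, the pathway names, and the DVN addresses are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DvnConfig:
    """Verifier set for one pathway (hypothetical field names for this sketch)."""
    required: tuple = ()         # every DVN listed here must verify a message
    optional: tuple = ()         # pool of additional DVNs
    optional_threshold: int = 0  # how many DVNs from the pool must also verify

def quorum(cfg: DvnConfig) -> int:
    """Minimum number of distinct verifiers that must be compromised to forge a message."""
    req = {a.lower() for a in cfg.required}   # same address in different case is one DVN
    pool = {a.lower() for a in cfg.optional}
    # Optional slots already satisfied by a required DVN add no independence.
    extra = max(0, cfg.optional_threshold - len(pool & req))
    # A threshold cannot demand more distinct signers than the pool holds.
    return len(req) + min(extra, len(pool - req))

def audit(pathways: dict[str, Optional[DvnConfig]], default: DvnConfig,
          minimum: int = 2) -> list[tuple[str, int, str]]:
    """Return (pathway, quorum, source) for every pathway below `minimum` verifiers."""
    findings = []
    for name, cfg in sorted(pathways.items()):
        source = "explicit" if cfg is not None else "inherited-default"
        q = quorum(cfg if cfg is not None else default)
        if q < minimum:
            findings.append((name, q, source))
    return findings

# Constructed sample data: placeholder addresses and pathway names, not real deployments.
DVN_A, DVN_B, DVN_C = "0xAAA1", "0xBBB2", "0xCCC3"
DEFAULT = DvnConfig(required=(DVN_A,))  # models the 1-of-1 default the article reports
PATHWAYS = {
    "a->b": None,                                          # nothing set: inherits DEFAULT
    "a->c": DvnConfig(required=(DVN_A, DVN_B)),            # 2-of-2
    "a->d": DvnConfig(required=(DVN_A, "0xaaa1")),         # same DVN listed twice
    "b->a": DvnConfig(required=(DVN_A,), optional=(DVN_B, DVN_C), optional_threshold=1),
}

if __name__ == "__main__":
    for pathway, q, source in audit(PATHWAYS, DEFAULT):
        print(f"{pathway}: only {q} independent verifier(s) ({source})")
```

The `source` column separates pathways that were explicitly set to one verifier from those that never overrode the default, which are the ones an owner is most likely to overlook.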
What Traders Should Watch
For investors, the key takeaway is clear: pay attention to the security configurations of the assets you hold, particularly those deployed on LayerZero. Tokens like USDT0 remain high-risk until their DVN configurations are updated. Any exploit targeting these assets could ripple across lending platforms and the broader DeFi ecosystem, potentially impacting liquidity and market stability.
The Kelp DAO hack is a stark reminder that in crypto, decentralization without robust security is a recipe for disaster. Projects and investors alike must prioritize secure configurations to safeguard the future of DeFi.
