This article was first published on The Bit Journal. Liquid restaking protocol Kelp DAO has announced it will move its rsETH cross-chain infrastructure to Chainlink Cross-Chain Interoperability Protocol (CCIP) in a significant security redesign of Kelp DAO following one of the largest cross-chain decentralized finance exploits of 2026.
The move follows less than three weeks since attackers emptied 116,500 rsETH worth approximately $292 million of Kelp DAO over LayerZero on April 18. Blockchain investigators later confirmed that the stolen assets were routed into lending markets, where they were deposited as collateral on Aave v3 to borrow wrapped Ether, intensifying liquidity stress across DeFi.
Kelp DAO Begins Chainlink Security Migration
Kelp DAO posted a statement on X saying the migration is intended to make rsETH completely safe after the exploit. The protocol will now make the transition to abandon LayerZero Omnichain Fungible Token (OFT) framework and instead adopt the Cross-Chain Token standard of Chainlink, a transition that Kelp believes will enhance long-term cross-chain security.
After the recent LayerZero exploit, we are taking steps to ensure rsETH is fully secure, which is why we are migrating to @chainlink CCIP.
From the April 18 incident, it is clear that LayerZero's own infrastructure was exploited, resulting in $300M in losses across DeFi.… https://t.co/beIrfZZLlh
— Kelp (@KelpDAO) May 5, 2026
The April 18 attack soon became the biggest DeFi exploit of the year, with market observers estimating that close to 18 per cent of the circulating supply of rsETH was impacted. Subsequently, it was discovered by security researchers that the exploit was not a result of a smart contract bug, but a consequence of compromised off-chain verification infrastructure associated with bridge settings of Kelp.
Nonetheless, the event has led to a public fight between Kelp DAO and LayerZero Labs over ownership of the breach.
Dispute Emerges Over LayerZero Verifier Configuration
Kelp DAO states that the bridge had been configured on LayerZero prior to the exploit, and that LayerZero had previously approved the bridge under these controversial 1-of-1 Decentralized Verifier Network settings the same setting LayerZero later identified as the root cause of the exploit. In the integration discussions which date back to January 2024, Kelp discussed the verifier arrangement and confirmed it as secure at the time.
— Kelp (@KelpDAO) May 5, 2026
The Kelp DAO team also cited analytics data that indicated that almost half of LayerZero-integrated applications were using single-verifier configurations, which casts doubt on whether the risks were well-communicated to developers prior to the hack.
Kelp also cited screenshots of Telegram chats which purportedly had LayerZero aware of the configuration, but which have not been independently verified.
LayerZero Responds to Kelp DAO Allegations
Bryan Pellegrino, co-founder and CEO of LayerZero, has strongly disputed the version of events that Kelp DAO has presented, noting that many of the claims presented by Kelp are completely untrue.
In a response on X, Pellegrino replied that Kelp DAO originally deployed rsETH with LayerZero in its default multi-verifier configuration before later switching to a single-verifier model on its own something he said was never intended to be used in production.
After the exploit, LayerZero said it would stop accepting cross-chain messages to serve applications that use single-verifier setups. The company added that affected protocols, including integrations connected to Kelp, are now being migrated to multi-DVN configurations, with an independent postmortem expected soon. In the meantime, the repercussions of Kelp have spread to the courts.
Following the KelpDAO hack, we built an open analysis of DVN security configurations across every active OApp on LayerZero over the last 90 days.
Of ~2,665 unique OApp contracts: 47% run a 1-of-1 DVN security floor, 45% run 2-of-2, and ~5% run 3-of-3 or higher.
As we know,…
— Dune | We Are Hiring! (@Dune) April 20, 2026
Aave Challenges Frozen ETH Restraining Order
Aave LLC filed an emergency motion in New York on May 4 seeking to lift a restraining notice served on Arbitrum DAO over approximately $71 million in frozen Ether connected to the Kelp DAO rsETH exploit.
The assets 30,765.6675 ETH frozen by the Security Council of Arbitrum on April 21 are the focus of a burgeoning legal dispute over ownership, recovery rights, and claims that the exploit is connected to the Lazarus Group. Aave says no court has officially linked the attackers to North Korea, and argues that the funds belong to users who were impacted by the Kelp breach and not the hackers.
Conclusion
As Kelp DAO pushes ahead with its Chainlink migration, the protocol now faces both technical recovery and mounting legal scrutiny. The rsETH incident has the potential to influence the future security of cross-chain infrastructure, as the incident involved millions of frozen assets, competing stories about the exploit, and an industry-wide reevaluation of bridge security.
Follow us on Twitter and LinkedIn, and join our Telegram channel to be instantly informed about breaking news!
Summary
- Kelp DAO shifts rsETH to Chainlink CCIP after $292M LayerZero exploit.
- Single-verifier setup blamed, sparking dispute with LayerZero Labs.
- Aave challenges $71M ETH freeze tied to user recovery.
Glossary of Key Terms
Kelp DAO: DeFi protocol for liquid restaking and rsETH issuance.
rsETH: Liquid restaked Ethereum token used in DeFi.
Chainlink CCIP: Cross-chain protocol for secure blockchain communication.
LayerZero: Protocol enabling cross-chain messaging and transfers.
DeFi: Blockchain-based financial system without intermediaries.
Aave v3: DeFi lending platform version 3.
DVN: Network of verifiers for cross-chain validation.
Arbitrum DAO: Governance body of Arbitrum network.
Lazarus Group: Cybercrime group linked to crypto hacks.
Frequently Asked Questions about Kelp DAO
1. Why is Kelp DAO moving rsETH to Chainlink CCIP?
To improve security after a $292M exploit on LayerZero.
2. What caused the rsETH hack?
A risky single-verifier (DVN) setup compromised off-chain validation.
3. What is the dispute with LayerZero Labs?
Kelp says the setup was approved; LayerZero denies responsibility.
4. Why is Aave involved?
Stolen funds were used on Aave, now tied to a $71M freeze dispute.
References
Disclaimer
The article is purely informational and it is not a financial, investment, or a trading advice. Cryptocurrencies are extremely risky and volatile. Before investing, the readers are to conduct personal research and seek the advice of a qualified financial expert.
The price predictions and financial analysis presented on this website are for informational purposes only and do not constitute financial, investment, or trading advice. While we strive to provide accurate and up-to-date information, the volatile nature of cryptocurrency markets means that prices can fluctuate significantly and unpredictably.
You should conduct your own research and consult with a qualified financial advisor before making any investment decisions. The Bit Journal does not guarantee the accuracy, completeness, or reliability of any information provided in the price predictions, and we will not be held liable for any losses incurred as a result of relying on this information.
Investing in cryptocurrencies carries risks, including the risk of significant losses. Always invest responsibly and within your means.
For advertising inquiries, please email . [email protected] or Telegram
