LayerZero said a roughly $290 million security incident tied to KelpDAO likely involved a state-linked actor associated with North Korea’s Lazarus Group—an event that is rippling into broader concerns about DeFi leverage, oracle risk, and the restaking ecosystem’s growing integration with major lending venues.
In a post on X on April 20 UTC, LayerZero stated that KelpDAO was attacked and that early findings suggest tactics consistent with ‘TraderTraitor,’ a Lazarus-linked cluster often cited in investigations of high-end, state-sponsored intrusions. LayerZero emphasized that the impact was limited to the construction of rsETH and that other cross-chain assets and applications were not affected.
According to LayerZero, the incident did not stem from a flaw in the LayerZero protocol itself. Instead, the attacker targeted the downstream infrastructure used by the LayerZero Labs-operated Decentralized Verification Network (DVN), exploiting the fact that KelpDAO had configured a single-DVN setup—creating an effective ‘single point of failure’ for that particular application flow.
LayerZero detailed an attack chain focused on sub-RPC infrastructure used by the DVN. The attacker allegedly obtained the RPC list, compromised two nodes, replaced the op-geth binary, and simultaneously launched DDoS attacks against legitimate RPC endpoints. That sequence triggered failover behavior and allowed the DVN to be manipulated into appearing to approve transactions that, in reality, had not occurred, LayerZero said. The affected RPC nodes have since been shut down and replaced, and the LayerZero Labs DVN is operating normally, the company added.
The incident has also raised questions about second-order consequences for DeFi lending markets where rsETH is used as collateral. DefiLlama founder 0xngmi outlined three potential resolution paths, warning that depending on how losses are allocated, Aave could face significant bad debt exposure.
In one scenario, losses are socialized across users, implying around an 18.5% haircut per user and rendering the net value of roughly 666,000 rsETH positions across Aave deployments effectively impaired. Under an assumption of 95% liquidation thresholds across chains, 0xngmi estimated potential bad debt of about $216 million, which could be partially covered by Umbrella (about $55 million) and Aave’s available funds (about $85 million), leaving an additional gap that might need to be filled via borrowing or the sale of Aave ($AAVE) tokens.
A second approach would concentrate losses on L2 rsETH holders. Under that framework, Aave’s exposure could rise to about $359 million based on oracle pricing, with potential bad debt of up to $341 million in a max-borrow scenario. 0xngmi argued that Umbrella alone may be insufficient in that case, and suggested Aave could be forced to triage support—potentially exiting certain L2 markets such as Arbitrum, Mantle, and Base if the cost of making lenders whole becomes untenable.
A third proposal would attempt to revert to a pre-attack snapshot and compensate only the portion the attacker borrowed. 0xngmi estimated the attacker’s borrow at roughly $124 million on Aave’s mainnet market plus about $18 million on Arbitrum, with losses potentially reduced to around $91 million after applying Umbrella. However, he cautioned that the feasibility is low because funds have already moved broadly and protocol pools generally cannot cleanly distinguish depositors after the fact.
The episode underscores how infrastructure security and configuration choices—such as single versus multi-DVN designs—can cascade through composable DeFi stacks. LayerZero said it is urging applications using 1-to-1 DVN configurations to migrate toward redundant multi-DVN setups as an industry best practice to reduce concentrated operational risk.
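The chain described above (RPC failover steering a verifier onto a compromised node) can be modeled in a few lines. The following is an added illustration, not LayerZero's or KelpDAO's code: a single-source verifier that trusts whichever backend is reachable, beside a quorum verifier that requires independent backends to agree; all node names, receipts and hashes are constructed sample data.

```python
"""
Added illustration (not LayerZero's or KelpDAO's code). A verifier that trusts
whichever RPC backend is currently reachable can be steered, via DDoS-driven
failover, onto a compromised backend that reports transactions that never
happened. Requiring independent backends to agree closes that path.
All names, receipts and hashes below are constructed sample data.
"""
from dataclasses import dataclass, field

@dataclass
class RpcNode:
    name: str
    reachable: bool = True
    receipts: dict = field(default_factory=dict)  # tx_hash -> status; absent = never happened

    def get_receipt(self, tx_hash):
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        return self.receipts.get(tx_hash)

def verify_single_failover(nodes, tx_hash):
    """Single-source verifier: the first reachable backend's answer is final."""
    for node in nodes:
        try:
            return node.get_receipt(tx_hash) == "success"
        except ConnectionError:
            continue  # backend down (e.g. under DDoS): fall through to the next one
    return False

def verify_quorum(nodes, tx_hash, threshold):
    """Multi-source verifier: attest only when at least `threshold` backends
    answered and every one of them reports the receipt as 'success'."""
    votes = []
    for node in nodes:
        try:
            votes.append(node.get_receipt(tx_hash) == "success")
        except ConnectionError:
            continue  # an unreachable backend contributes no vote (fail closed)
    return len(votes) >= threshold and all(votes)

# Constructed scenario: two honest backends knocked offline, one compromised
# backend vouching for a transaction that never occurred on chain.
FAKE_TX = "0xfeed"
RPC_LIST = [RpcNode("honest-a", reachable=False), RpcNode("honest-b", reachable=False),
            RpcNode("rogue-opgeth", receipts={FAKE_TX: "success"})]

def scenario():
    """Returns (single-failover verdict, quorum-of-2 verdict) for the fake tx."""
    return verify_single_failover(RPC_LIST, FAKE_TX), verify_quorum(RPC_LIST, FAKE_TX, 2)
```

The single-failover path approves the fabricated transaction because the rogue backend is the only one answering, while the quorum path rejects it for lack of independent agreement.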
Elsewhere in the market, Whale Alert reported that an anonymous wallet deposited about $141.2 million in USD Coin (USDC) into Binance, a transfer observed on Ethereum. Large stablecoin deposits can signal ‘liquidity inflow’ for potential spot buying or internal treasury rebalancing, though the specific intent behind the transaction was not confirmed.
Institutional and corporate Bitcoin accumulation remained a focal point. A market observer wrote on X that Strategy could potentially buy more than 25,000 Bitcoin (BTC) within hours—an unconfirmed claim that, if realized, would represent around $2 billion in demand at current prices and further tighten liquid supply. Strategy has repeatedly acted as a major corporate buyer in prior cycles, but no official filing accompanied the speculation.
In France, listed company Capital B added 12 BTC, bringing its total holdings to 2,937 BTC, according to BitcoinTreasuries.NET data cited by Odaily. The purchase places the company 26th on the “Bitcoin 100” corporate holdings ranking, highlighting the persistence of Bitcoin’s role as a treasury asset for a growing cohort of public firms.
Security concerns also extended beyond digital exploits. Odaily reported that France has recorded at least 41 incidents this year involving kidnappings and home-invasion robberies targeting crypto holders—so-called ‘wrench attacks’ where attackers use physical coercion to force transfers. CertiK and Jameson Lopp have tracked a sharp rise in such cases globally, with confirmed physical coercion incidents in 2025 increasing substantially year over year. Analysts say the irreversible nature of crypto transfers and the ease of converting stolen assets into stablecoins or moving them cross-chain has made individuals—rather than wallets or exchanges—an increasingly attractive attack surface.
Finally, geopolitical headlines added another layer of uncertainty to risk sentiment. Iranian officials said there are no plans for a second round of talks with the U.S. and reiterated warnings over escalating tensions, including statements related to the Strait of Hormuz—a critical corridor for global oil flows. While crypto markets often trade as a high-beta risk asset in the short term, periods of heightened geopolitical stress can amplify volatility across both digital assets and broader macro-linked markets.
For crypto investors, the KelpDAO incident is a reminder that ‘protocol security’ is only one piece of the risk equation. As restaking and cross-chain tooling become more deeply embedded across DeFi, operational dependencies—from RPC providers to verification networks—can still become the weakest link, with consequences that spread quickly into leveraged lending venues and collateral markets.
🔎 Market Interpretation
- 290M security incident expands beyond one protocol: LayerZero says the KelpDAO-linked exploit likely involved Lazarus/“TraderTraitor,” but stresses the LayerZero protocol was not directly breached; the weakness was in downstream DVN-related infrastructure and KelpDAO’s configuration.
- Single point of failure in composable DeFi: A single-DVN setup turned an operational dependency (DVN + RPC failover behavior) into an application-level critical risk, illustrating how “secure base layers” can still fail via integrations.
- Contagion risk via collateralized lending: The main market worry shifts to rsETH as collateral on Aave and related venues—how losses are allocated could translate into sizable bad debt and forced risk-off actions (market exits, recapitalization, or token sales).
- Risk sentiment remains mixed: Separate signals include a large USDC deposit to Binance (possible liquidity positioning) and ongoing corporate BTC accumulation narratives, while geopolitical tensions and rising physical “wrench attacks” add tail-risk premiums.
💡 Strategic Points
- Validate “where verification happens,” not just the bridge/protocol: The alleged chain—RPC list acquisition → node compromise → op-geth replacement → DDoS on legit endpoints → failover manipulation—highlights that verification networks and their RPC backends must be threat-modeled like core protocol components.
- Prefer redundancy and diversity: LayerZero urges migration from 1-to-1 (single) DVN to multi-DVN designs to reduce concentrated operational risk and make approval manipulation materially harder.
- Collateral risk management for lenders: For platforms and users, monitor rsETH collateral parameters (LTV/liquidation thresholds, oracle feeds) and be prepared for emergency actions (caps, freezes, higher haircuts) when collateral integrity is questioned.
- Resolution paths imply different winners/losers:
  - Socialized losses: ~18.5% haircut cited; potential Aave bad debt estimate ~216M, partially offset by Umbrella (~55M) and Aave funds (~85M).
  - Concentrated losses on L2 rsETH holders: Exposure could rise (~359M) with bad debt up to ~341M in max-borrow case; could force triage/exit of cost-inefficient L2 markets.
  - Snapshot revert / borrower-only compensation: Targets attacker borrow (~124M mainnet + ~18M Arbitrum), potentially reducing losses (~91M after Umbrella), but may be impractical due to fund dispersion and pool accounting limits.
- Operational security is now an “asset-level” risk factor: As restaking/cross-chain tooling embeds into lending, investors should treat infrastructure dependencies (RPC providers, DVNs, oracles) as part of the asset’s risk premium—especially when leverage is involved.
- Non-digital threats are rising: Increased kidnappings/home invasions targeting crypto holders in France underscores personal security and custody hygiene as part of risk management, not an afterthought.
📘 Glossary
- LayerZero: Cross-chain messaging infrastructure used by applications to pass verified messages between blockchains.
- KelpDAO: A restaking-related protocol tied here to rsETH construction; reportedly the application affected by the incident.
- rsETH: A restaked ETH derivative token referenced as impacted in its construction process and used as collateral in DeFi lending.
- DVN (Decentralized Verification Network): A verification component that helps confirm cross-chain messages/transactions; misconfiguration (single DVN) can create concentrated risk.
- RPC (Remote Procedure Call) endpoint: The server interface nodes expose for blockchain reads/writes; compromising RPC infrastructure can distort what systems “see” as on-chain truth.
- DDoS: Distributed denial-of-service attack intended to overwhelm endpoints and force outages/failovers.
- op-geth: An Optimism-stack variant of the Geth client; replacing binaries can enable malicious behavior at the node level.
- Oracle pricing / Oracle risk: Price feeds used by DeFi protocols; if inputs are wrong or manipulated, collateral and liquidation logic can break.
- Aave bad debt: Debt left uncovered when collateral value/availability is insufficient, potentially requiring backstops, reserves, or governance actions.
- Umbrella: Referenced as a coverage/backstop source that may absorb part of losses.
- Liquidation threshold: Collateralization parameter that determines when a position becomes liquidatable; higher thresholds can increase systemic sensitivity during collateral shocks.
- Wrench attack: Physical coercion used to force victims to transfer crypto, exploiting the irreversibility of transactions.