•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
LayerZero said the attack involved compromised RPC nodes and criticized Kelp DAO’s 1-of-1 DVN setup as a single point of failure. Kelp responded that the configuration was LayerZero’s documented default and had previously been confirmed as appropriate.
Kelp DAO responded to criticism following a $292 million exploit that struck its LayerZero-powered cross-chain bridge over the weekend. The April 18 attack led to the loss of 116,500 rsETH tokens, described as the largest decentralized finance exploit recorded so far this year.
According to LayerZero, the attacker—believed to be linked to North Korea’s Lazarus Group—obtained access to a list of RPC nodes used by LayerZero Labs’ decentralized verified network (DVN). LayerZero said the hackers poisoned two RPC nodes and then launched a distributed denial-of-service attack, enabling the DVN to validate a fraudulent cross-chain message.
LayerZero added that the fake message was then used to authorize an illegitimate transaction that drained funds from Kelp DAO’s bridge.
LayerZero openly criticized Kelp DAO’s use of a 1-of-1 DVN configuration, arguing it created a dangerous single point of failure because no independent verifier existed to challenge suspicious activity. LayerZero said it previously communicated best practices around validator diversification and claimed Kelp DAO chose not to adopt them.
Kelp DAO rejected that narrative in a statement posted Monday. It said the 1-of-1 DVN model was the default configuration described in LayerZero’s documentation for new OFT deployments. Kelp also stated it has operated on LayerZero infrastructure since January 2024 and maintained regular communication with the LayerZero team.
In addition, Kelp said that during its expansion to Layer 2 networks, the configuration was explicitly reviewed and confirmed as appropriate at the time.
The protocol said its immediate response measures—including pausing affected contracts and blacklisting wallets tied to the attacker—helped contain further damage. It added that it is now reviewing options to safely resume operations.
The incident also spread to Aave after the exploiter deposited a large amount of stolen rsETH into Aave V3 as collateral, then borrowed significant amounts of WETH and wstETH. Aave warned this could create bad debt depending on how losses are allocated.
Despite the risk, Aave said its DAO maintains a strong balance sheet with $181 million in assets. It also reported receiving commitments from ecosystem participants to help support the protocol if necessary.
Premium gym chains are entering a “golden era” that is ending or already in decline, as rising operating costs collide with shifting consumer preferences toward more flexible, community-based ways to exercise. Long-term memberships are shrinking, margins are pressured by higher rents and facility expenses, and competition from smaller, more personalized…
