The theft of KelpDAO exposes the vulnerability of DeFi interconnectivity

Published, 5 min read

Last Saturday the crypto community woke up to news that once again put a recurring problem on the table: KelpDAO's wallets were emptied in an operation that, according to the first investigations, points to an actor with extensive resources and state-level experience. The KelpDAO and LayerZero teams detected abnormal activity related to rsETH, the token that represents restaked positions, and a few days later it became clear that more than 100,000 rsETH units had left the ecosystem, worth about $290 million.

KelpDAO is a decentralized finance (DeFi) project focused on liquid restaking: users deposit ETH, the platform restakes those assets and issues rsETH so that holders can continue to participate in the DeFi economy without losing liquidity. The token also moved between chains using the LayerZero messaging layer, which lets events be communicated between different blockchains.

Image generated with AI.

The project's first public reaction was to pause the contracts related to rsETH on Ethereum mainnet and on layer-2 solutions. KelpDAO reported "suspicious cross-chain activity" and announced that it would work with partners such as LayerZero and Unichain to clarify what had happened; its initial statements can be read on its public channel on X / Twitter.

The on-chain trail showed that approximately 116,500 rsETH were moved to mixers to hide their origin, including passes through Tornado Cash, and that the transactions did not correspond to legitimate operations recorded on the chain. An independent investigator shared the token count and the estimated dollar value on X / Twitter.

LayerZero, which operates the cross-chain messaging infrastructure, published technical indicators on the attack method. According to its statement, the attackers did not directly break the token's cryptography but compromised critical components of the message verification layer: some RPC nodes used by the validator were poisoned with false data, while at the same time a distributed denial of service (DDoS) attack was carried out against the healthy nodes to force dependence on the manipulated sources.

The result was that the system accepted false cross-chain messages, confirming operations that never existed on the origin chain and allowing rsETH to be transferred without the actual authorization of the accounts concerned. This combination of data manipulation and service saturation shows that it is not always necessary to break smart contracts: attacking the peripheral infrastructure can be equally devastating.

In its preliminary assessment, LayerZero pointed to the involvement of a very sophisticated actor with long-term planning, explicitly mentioning signs reminiscent of the Lazarus Group, linked to North Korea. Its statement and initial analysis are available on its account on X / Twitter.

The attribution to Lazarus is no surprise to those who follow the recent history of large-scale cybercrime: this collective has been linked to multiple billion-dollar thefts in the crypto ecosystem in recent years, including another massive operation against Drift valued at comparable figures. Research firms and governments have documented how these actors combine technical and human resources to carry out complex campaigns.

The practical impact also reached protocols that had accepted rsETH as collateral. Aave, for example, reported that it blocked deposits and loans using rsETH until the situation was clarified; its official announcement is available on X / Twitter. This reaction illustrates the cascade of precautions that can be triggered when a reference asset loses reliability: not only the attacked project suffers, but also those who had integrated it into their markets.

Beyond the immediate economic shock, this incident again highlights two structural weaknesses: the dependence on external RPC nodes and the fragility of some cross-chain verification mechanisms. When a layer that centralizes validation is compromised, all the trust that had been delegated to it is undone. The technical community has been discussing solutions for a long time: greater decentralization of oracles, redundant verification systems and cryptographic proofs that verify the authenticity of messages without relying on a small set of trusted nodes.
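The attack path described above (poisoned RPC data plus a DDoS that forces the verifier onto the poisoned sources) and the redundant verification this paragraph calls for, as an added example that is not KelpDAO's or LayerZero's code: a verifier that only accepts a cross-chain message when a fixed majority of its configured RPC sources report it identically, so that unreachable nodes never lower the bar. The message fields, endpoint names and the sample scenario are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Message:
    nonce: int
    sender: str
    amount: int  # rsETH units; fields and values are constructed for the example

class Unreachable(Exception):
    """The endpoint did not answer (models the DDoS against the healthy nodes)."""

def fail_open_verify(sources: list[Callable[[int], Message]], nonce: int) -> Optional[Message]:
    """Naive verifier: trust the first endpoint that answers, whichever it is."""
    for src in sources:
        try:
            return src(nonce)
        except Unreachable:
            continue  # healthy node knocked offline: silently try the next one
    return None

def quorum_verify(sources: list[Callable[[int], Message]], nonce: int, threshold: int) -> Optional[Message]:
    """Fail-closed verifier: accept only a message that `threshold` configured sources
    report identically; unreachable endpoints are not votes and cannot lower the bar."""
    if threshold <= len(sources) // 2:
        raise ValueError("threshold must be a majority of the configured sources")
    votes: Counter = Counter()
    for src in sources:
        try:
            votes[src(nonce)] += 1
        except Unreachable:
            pass  # an absent answer counts for nothing
    for best, count in votes.most_common(1):
        return best if count >= threshold else None
    return None  # nobody answered at all

# Constructed scenario: the real origin-chain event vs. the report from poisoned nodes.
ORIGIN = Message(nonce=7, sender="0xalice", amount=5)
FORGED = Message(nonce=7, sender="0xattacker", amount=116_500)
honest = lambda nonce: ORIGIN
poisoned = lambda nonce: FORGED
def down(nonce: int) -> Message:
    raise Unreachable()

def attack_scenario() -> tuple:
    """Two healthy nodes under DoS, two poisoned nodes still answering."""
    sources = [down, down, poisoned, poisoned]
    return fail_open_verify(sources, 7), quorum_verify(sources, 7, threshold=3)
```

In the attack scenario the fail-open verifier returns the forged message while the quorum verifier returns nothing, which is the safe outcome: a bridge that pauses when it cannot reach agreement loses availability, not funds.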

The tension between traceability and privacy also reappears: the operation used mixers such as Tornado Cash to try to hide the trail of the funds. Although all movements occur on public blockchains, the combination of obfuscation techniques and the speed of conversions complicates the tracking work; even so, blockchain forensics labs and law enforcement have sometimes managed to follow the money and recover assets when the attacker makes operational errors.

Image generated with AI.

For users and protocol administrators this brings clear lessons: security does not end at the smart contract. Contract audits are still necessary but not sufficient; security has to be thought of as a chain in which each link - RPC nodes, cross-chain messaging, indexing services and oracles - must withstand combined attacks on data integrity and availability.

Those interested in analysis of the phenomenon and reports on state actors can consult resources from specialized security and technology firms. LayerZero and KelpDAO posted updates on their official channels, and organizations such as Elliptic or Chainalysis often publish research on illicit on-chain flows. For broader media context, outlets such as Reuters and CoinDesk regularly cover these incidents and their geopolitical background.

In short, the assault on KelpDAO is a stark reminder that DeFi innovation and cross-chain interoperability bring real benefits, but they also expand the attack surface. The technical and regulatory response adopted in the coming months will be key to strengthening user and investor confidence: without controls and a resilient architecture, the risk of large-scale incidents will remain a latent threat.
