The LayerZero team has publicly issued an “overdue apology” after the rsETH incident on April 18th, in which KelpDAO was drained of approximately USD 293 million through a LayerZero-powered bridge. The company acknowledged that while the LayerZero protocol itself remained unaffected, its own internal Remote Procedure Calls (RPCs) used by the LayerZero Labs DVN were attacked by the Lazarus Group while external RPC providers were simultaneously DDoS’d (a Distributed Denial of Service attack).
LayerZero admitted it “made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions” and will no longer support such configurations.
Key updates from LayerZero
The LayerZero update includes several immediate actions:
- The LayerZero Labs DVN no longer services 1/1 DVN configurations
- All defaults on all pathways are being migrated to 5/5 or 3/3 multisig configurations
- A second Decentralized Verifier Network (DVN) client written in Rust is under development for client diversity
- A more robust RPC quorum configuration has been implemented
- LayerZero introduced OneSig, a unique multisig-style wallet, allowing users to securely sign all transactions across all chains
LayerZero has updated a disconnected incident regarding a multisig signer who used their multisig hardware wallet to conduct personal trades three and a half years ago. The signer was removed, wallets rotated, and security procedures have since been upgraded with anomaly detection software on each signing device.
So far, the blockchain firm claims that no other applications have been affected and all assets are safe. They also showed that, since April 19 (the day after the KelpDAO exploit), around USD 9 billion has been moved across the protocol.
Aave’s rsETH recovery plan (Phase II)
The rsETH recovery plan from Aave has made significant progress. On May 6, the thief’s eight identified positions on Aave V3 were liquidated, and the retrieved rsETH collateral was transferred to the Recovery Guardian as approved by Aave DAO governance. Mantle DAO’s proposal to be a part of the ‘DeFi United’ initiative passed with overwhelming support; Arbitrum DAO’s proposal to send the USD 71 million worth of stolen ETH to the Aave protocol users has reached quorum and passed.
In a legal precedent, a U.S. federal judge has approved Aave LLC’s proposal, using an order to permit an onchain Arbitrum DAO vote to relocate frozen ETH to Aave LLC, with the restraining order to follow and attach upon transfer. Additionally, as a contingency matter, separate funds will be borrowed to cover any difference until the immobilized ETH is rightfully restored.
The next phase of the rsETH recovery plan focuses on:
- Burning liquidated rsETH on Arbitrum
- Retiring the corresponding LayerZero packet on Ethereum to prevent new rsETH minting
- Sending seized rsETH to the bridge lockbox on Ethereum
- Restoring rsETH backing using committed ETH from the DeFi United coalition
- Reopening rsETH withdrawals once backing is restored
How to check compensations
Affected users can monitor compensation progress through the following resources:
- LayerZero compensation checker: layerzero-compensation.app
- Aave recovery checker: checker-aave.net
Community reaction
Different responses were given by the community. On the one hand, many appreciated LayerZero’s direct apology and concrete actions; on the other hand, some others noted the apology came too late after the incident. Nevertheless, Aave’s transparent rsETH recovery plan has been widely praised, with users expressing relief that funds are moving toward victims’ restitution.
But, even with the “near-to-resolution” exploit, KelpDAO has decided to migrate from LayerZero to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) infrastructure. Surprisingly, after two days of this case, Solv Protocol has also announced the same move, leaving the community wondering if other projects could follow.




