
Billions at Risk on LayerZero as KelpDAO Hack Exposes Weak Setting: CoinGecko

Denis O.
27 April 2026 3 min read

Nearly half of LayerZero apps still use a weak setup linked to the $292M KelpDAO hack, analysts at CoinGecko warn.

A single setting behind the KelpDAO exploit is now showing up across a much wider chunk of crypto, with billions still sitting in similar setups.

A dataset pulled together by CoinGecko shows around 47% of LayerZero-based apps are using a “1-of-1” verification setup. That’s the exact structure linked to the April 18 attack.

Crypto protocols on LayerZero exposed due to the KelpDAO hack. Source: CoinGecko

That exploit saw an attacker mint about 116,500 unbacked rsETH tokens worth roughly $292 million. The hacker then used those tokens on Aave to borrow around $230 million in real assets, with the bad debt spreading through and infecting the lending system.



Over $4B Still Exposed After KelpDAO Hack

The same analysis puts more than $4.3 billion of assets in setups like this. Most of that sits in USDT0, another stablecoin issued by Tether, with roughly $4 billion in supply at the time.

USDT0 runs across 14 chains, but its contracts on Ethereum, Optimism, and Base still rely on the weaker setup. If something similar hits there, it could mean “unbacked USDT0 minted” and then used as collateral, the analysts explain.

As CoinGecko lays it out, this kind of attack isn’t really about dumping fake tokens on the market. Attackers “will find it hard to cash out their illicitly minted tokens,” but if those tokens can be posted as collateral “the situation changes.”

LayerZero lets apps decide how many independent verifiers need to approve cross-chain messages. A “2-of-2” setup needs two sign-offs, while a “1-of-1” only needs one.

LayerZero said it had “strongly communicated and recommended that all projects require at least a 2-of-2 configuration.” But KelpDAO pushed back, saying the weaker setup was “the default for any new OFT deployment.”

Unfinished Fixes

The reaction across DeFi was fast, especially given the scale and the involvement of Aave. Markets were paused, collateral was frozen, and teams started checking their setups almost immediately.

A group of protocols led by Aave Labs has now taken the next step. They filed a constitutional proposal with the Arbitrum community asking to release around 30,765 ETH, roughly $71 million, that had been frozen by Arbitrum’s Security Council on April 21.

The funds are tied to the attacker, and if the proposal passes, they would be redirected to help restore backing for the rsETH token.

