47% of LayerZero OApps Could be the Next Kelp DAO

Over $4.5 Billion Remains Exposed to the Vulnerability Behind the $292M Kelp DAO Hack

What Happened to Kelp DAO?

On April 18, 2026, an unknown attacker, alleged to be Trader Traitor, a DPRK-state linked hacking group exploited a single security setting in Kelp DAO's LayerZero bridge to mint 116,500 unbacked rsETH tokens, worth approximately $292M before using it as collateral to borrow $230M worth of assets on the crypto lending platform Aave, passing the bad debt on to them. This sophisticated attack was enabled by KelpDAO’s 1-of-1 setting of LayerZero’s DVN (Decentralized Verifier Network) configuration. This meant that a single signer, LayerZero in this case, authorized cross-chain messages with no secondary verification required.

Days later, the crypto analytics firm Dune Analytics released an open analysis dataset and it was found that Kelp DAO’s security setting was not unique. Dune’s dataset revealed that 47% of all active LayerZero OApps run a similar 1-of-1 DVN security setting. We then analyzed this dataset and identified the top 10 at-risk assets by market capitalization which represented a combined exposure exceeding $4.5B.

Who Else Uses the 1-of-1 DVN Setting?

The main asset at risk is not a DeFi protocol but rather Tether’s omnichain version of the USDT stablecoin, USDT0. During our snapshot date on April 22, 2026, USDT0 carried a circulating supply of $4.065B, representing over 87% exposure of the top 10 at risk assets. While USDT0 is deployed across 14 blockchains — the majority of which operate on a more secure 2-of-2 DVN configuration — its Ethereum, Optimism, and Base contracts run on a 1-of-1 DVN configuration.

However, a successful exploit of the 1-of-1 contracts could result in unbacked USDT0 minted on Ethereum/Optimism/Base and deposited as collateral on lending markets. This chain of events could ultimately result in bad debt that cascades across the entire ecosystem, regardless of which chain it originated from.

The next project at risk is Pendle Finance’s PENDLE token which sits at over $229M in market capitalization and is deployed across Ethereum, Hyperliquid and Berachain. However, it is important for us to discuss that the exposure for the tokens ranked 2nd - 10th is much lower than that of USDT0 and the gap is not purely a function of market capitalization. This is because the main concern with this attack vector is for the token to be used as collateral to borrow other more valuable, and liquid crypto assets. Attackers will find it hard to cash out their illicitly minted tokens even if they were successful in doing so, but if they were able to collateralize the asset, the situation changes. This is why Kelp DAO’s rsETH was targeted, and is why it becomes dangerous if USDT0 is targeted. Other DeFi governance tokens on this list are unlikely to be accepted as collateral in most crypto lending platforms, making these projects a less attractive target for this specific attack vector.

What Is a 1-of-1 DVN and Why Does It Matter?

LayerZero's security model allows OApp developers to configure which DVNs must independently verify cross-chain messages before they are executed. A 2-of-2 configuration — the minimum widely considered secure — requires two independent signers to agree before any message is processed. A 1-of-1 configuration requires only one. If that single signer's key is compromised, leaked, or socially engineered, an attacker can forge arbitrary cross-chain messages: minting unbacked tokens, draining bridge escrow, or triggering unauthorized transfers.

Currently, LayerZero released a statement and maintained that they strongly communicated and recommended that all projects require at least a 2-of-2 configuration. However, KelpDAO rebutted and said that the 1-of-1 configuration was “the default for any new OFT deployment”.

Methodology

We referred to Dune’s dataset and identified projects using the 1-of-1 DVN configuration by filtering for the column “min_required_dvns” = 1. Dune’s dataset covered ~2,665 unique OApp contracts over a 90-day period ending approximately April 22, 2026. Market capitalization data is sourced from CoinGecko, snapshotted on April 22, 2026. Where the same OApp contract appeared under multiple project labels, entries were deduplicated by retaining the most descriptive named project label.

Projects where the 1-of-1 OApp represents only a subset of a larger independently-existing token supply were excluded, as the exposed fraction could not be reliably quantified. This reasoning specifically excludes wBTC which was initially in our top 10 list. At the time of writing, wBTC also announced an upcoming upgrade to its DVN configuration, to be completed by April 26, 2026, reinforcing this exclusion. USDT0 was included as its Ethereum, Optimism, and Base contracts had the relevant 1-of-1 exposure and route through LayerZero OFT infrastructure. The majority of USDT0's other chain deployments operate on a 2-of-2 DVN configuration.

Conclusion

The Kelp DAO exploit was a wake-up call, and the DeFi ecosystem appears to have heard it. Within hours of the attack, protocols across DeFi moved quickly, pausing markets, freezing collateral, and reviewing their own configurations. USDT0 paused its bridging infrastructure the very next day. That speed of response is encouraging and suggests the industry's incident response muscle has meaningfully improved since earlier generations of DeFi exploits.

The harder truth is that a fast response is not a substitute for a secure configuration. The 47% of LayerZero OApps still running 1-of-1 DVN settings represents a known, documented, and now publicly demonstrated attack surface.

The good news is that this is a solvable problem. Unlike smart contract vulnerabilities that require full redeployments, DVN configurations can be updated by OApp owners directly. The fix is a configuration change, not a protocol overhaul. For projects that have not yet reviewed their settings, the cost of inaction is now considerably clearer than it was on April 17. Even though we excluded wBTC in this list, the team announced that upgrades are in the works and an upgrade away from 1-of-1 DVN configurations is expected by April 26, 2026.  We foresee that many other projects are likely to follow suit, closing this attack vector with time.

If you cite these insights, we would appreciate a link credit to this article on CoinGecko, which allows us to keep supplying you with useful data-led content.

Related: Which was the Worst Year for Crypto Hacks and Exploits

This study is for illustrative and informational purposes only, and is not financial advice.

Raw Data: Top 10 At-Risk Assets by Market Capitalization — Snapshotted April 22, 2026

Market cap data sourced from CoinGecko as of April 22, 2026. DVN configuration and 90-day message volume data sourced from Dune Analytics. Projects are ranked by market capitalization of the specific token/asset routing through the 1-of-1 DVN OApp.