LayerZero has pinned the blame for a roughly $290 million hack on KelpDAO squarely on a sophisticated attack by North Korea’s Lazarus Group, while stressing that its core protocol emerged unscathed.
In a detailed incident report released April 20, the cross-chain messaging firm said the breach, which unfolded on April 18, targeted KelpDAO’s rsETH liquid restaking token through its LayerZero-powered bridge.
Attackers drained about 116,500 rsETH — roughly 18% of the token’s circulating supply — by tricking the system into releasing funds without corresponding burns on the source chain.
LayerZero’s statement painted a clear picture of the attack vector. The perpetrators, preliminarily identified as Lazarus Group (also known as TraderTraitor), focused on poisoning downstream remote procedure call (RPC) nodes that feed data to LayerZero Labs’ Decentralized Verifier Network (DVN).
They compromised at least two RPC nodes so that they served fake blockchain data, then launched a distributed denial-of-service (DDoS) assault on the remaining legitimate nodes. This forced the DVN to fail over to the poisoned nodes and validate nonexistent transactions.
Crucially, the exploit only succeeded because KelpDAO had configured its integration with a single 1/1 DVN setup — a lone verifier with no redundancy. “This created a single point of failure,” LayerZero noted, adding that the team had repeatedly advised KelpDAO to adopt a multi-DVN architecture for better security. The incident did not stem from any bug in LayerZero’s underlying protocol or key infrastructure.
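The failure mode described above can be modeled in a few lines. This is an added illustration, not code from LayerZero or KelpDAO: the function names, sample values and the 2/3 threshold are assumptions, and the fail-closed quorum read goes beyond the report, which recommends only the multi-DVN setup.

```python
from collections import Counter

FORGED = "msg-forged"  # constructed: a message with no matching source-chain event

def failover_view(rpc_answers):
    """Fail-open read: trust the first RPC endpoint that responds."""
    return next((a for a in rpc_answers if a is not None), None)

def quorum_view(rpc_answers):
    """Fail-closed read (assumed mitigation): a value counts only if a strict
    majority of all configured endpoints, reachable or not, report it."""
    counts = Counter(a for a in rpc_answers if a is not None)
    needed = len(rpc_answers) // 2 + 1
    for value, n in counts.items():
        if n >= needed:
            return value
    return None

def dvn_attests(message, rpc_answers, read):
    """A verifier attests only if its view of the source chain shows the message."""
    return read(rpc_answers) == message

def destination_accepts(attestations, required):
    """X-of-N rule: release funds only if `required` verifiers attested."""
    return sum(attestations) >= required

# Constructed scenario: two endpoints serve fabricated data, the remaining
# legitimate endpoints are unreachable under DDoS (None).
POISONED_RPCS = [None, None, FORGED, FORGED]
# Constructed: an independent verifier whose own endpoints report no such event.
HEALTHY_RPCS = ["no-event", "no-event", "no-event"]

def scenarios():
    lone = dvn_attests(FORGED, POISONED_RPCS, failover_view)
    lone_quorum = dvn_attests(FORGED, POISONED_RPCS, quorum_view)
    other = dvn_attests(FORGED, HEALTHY_RPCS, failover_view)
    return {
        "1/1 failover": destination_accepts([lone], 1),
        "1/1 quorum reads": destination_accepts([lone_quorum], 1),
        "2/3 multi-DVN": destination_accepts([lone, other, other], 2),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: forged message accepted = {accepted}")
```

Only the 1/1 failover configuration accepts the forged message; either an independent second verifier or a read path that refuses to attest on a minority of endpoints blocks it.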
The company moved quickly to contain the damage. Affected RPC nodes were taken offline and replaced, restoring full DVN operations within hours.
LayerZero confirmed the impact stayed isolated to KelpDAO’s rsETH application, with “no contagion” to other assets, bridges, or integrated protocols. It urged all projects using its technology to switch to multi-verifier setups immediately.
KelpDAO acknowledged the suspicious cross-chain activity shortly after the drain and paused rsETH contracts across Ethereum mainnet and several layer-2 networks. The protocol is coordinating with LayerZero, Unichain, auditors, and external security experts on a root-cause analysis. Downstream platforms like Aave froze rsETH-related markets to limit potential bad debt exposure.
The episode underscores persistent risks in cross-chain infrastructure, even as LayerZero emphasized that the modular design of its system allows applications to choose their own security parameters.
