LayerZero: KelpDAO Attack Limited to Its rsETH Configuration, Protocol Itself Has No Vulnerabilities

Odaily News LayerZero Labs posted on X platform stating that KelpDAO suffered an attack on April 18, resulting in a loss of approximately $290 million, with preliminary judgment pointing to the Lazarus Group as the attacker. The attack was carried out by poisoning the downstream RPC infrastructure relied upon by KelpDAO's decentralized verification network (DVN). The attacker controlled some RPC nodes and, in conjunction with a DDoS attack, induced the system to switch to malicious nodes, thereby forging cross-chain transactions. The affected RPC nodes have now all been taken offline and replaced, and the DVN has resumed operation.

LayerZero emphasized that this incident was limited to KelpDAO's rsETH application configuration and did not affect other assets or applications. KelpDAO's adoption of a single DVN architecture and lack of a multi-DVN redundancy mechanism led to its inability to identify forged messages. The LayerZero protocol itself has no vulnerabilities, and applications configured with multiple DVNs were not affected. LayerZero will promote the migration of all single-DVN configured projects to a multi-DVN architecture, has suspended signature and verification services for 1/1 configured applications, and is assisting law enforcement agencies in tracking the stolen funds.