Key Takeaways:
KelpDAO was exploited for roughly $290M in a targeted attack involving a more advanced attacker, possibly the Lazarus Group.
The attack took advantage of a single-DVN configuration, which creates a critical point of failure.
LayerZero says there is zero impact on other apps and that the incident is fully isolated.
Cross-chain security has been called into question by a large-scale DeFi exploit, with KelpDAO becoming the victim of one of the largest exploits of 2026. LayerZero has published a breakdown that describes the core issue and refutes the allegations of a protocol-level weakness.
KelpDAO Exploit Breakdown
On April 18, an attack on KelpDAO's rsETH system cost the group about $290 million. LayerZero indicates that there was no exploitation of smart contract bugs and no key leakage.
https://t.co/3vIHs3Xgs4
— LayerZero (@LayerZero_Core) April 20, 2026
Rather, attackers targeted infrastructure, specifically the RPC nodes of LayerZero's verifier system.
They hacked into select RPC endpoints and overwrote their binaries with malicious programs. These nodes passed incorrect transaction data to the verifier but still reported normal data elsewhere, thereby covering up the attack in real time.
To carry out the operation, the attackers took down a healthy RPC node with a DDoS attack. This maneuver forced the system to switch to the compromised nodes, which then failed to validate real cross-chain messages and accepted fake ones.
Single DVN Setup Created the Weak Point
The server problem was rooted in KelpDAO's decision about how the server should be configured.
Why the Setup Failed
The system depends on a single verification (1-of-1 DVN) without a backup layer or independent verification. With no redundancy and no scheme to identify or check fake data, manipulated data is still accepted as legitimate.
LayerZero emphasized that it has consistently recommended a multi-DVN model. Under that setup, multiple independent verifiers must agree before a transaction is accepted.
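The difference between a 1-of-1 and a multi-verifier threshold can be shown with a toy model. This is an added example, not LayerZero's or KelpDAO's code; the `verify` function, the `dvn-a`/`dvn-b`/`dvn-c` names and the payloads are constructed for illustration, and an unreachable verifier is modelled as `None`.

```python
import hashlib
from collections import Counter
from typing import Optional

def digest(payload: bytes) -> str:
    """Hash a verifier attests to for a cross-chain payload (toy stand-in)."""
    return hashlib.sha256(payload).hexdigest()

def verify(claimed: bytes, attestations: dict[str, Optional[str]],
           threshold: int) -> tuple[bool, str]:
    """Accept `claimed` only if at least `threshold` independent verifiers
    attest to its digest. A value of None means that verifier's data
    source was unreachable."""
    if not 1 <= threshold <= len(attestations):
        raise ValueError("threshold must be between 1 and the verifier count")
    reachable = {name: h for name, h in attestations.items() if h is not None}
    # Fail closed: an outage must never lower the bar or trigger a fallback.
    if len(reachable) < threshold:
        return False, "insufficient-verifiers"
    votes = Counter(reachable.values())
    if votes[digest(claimed)] < threshold:
        reason = "verifier-disagreement" if len(votes) > 1 else "digest-mismatch"
        return False, reason
    return True, "accepted"

# Constructed sample data: one real message and one forged message.
REAL = b"rsETH transfer: 10 to 0xUSER (constructed)"
FORGED = b"rsETH transfer: 100000 to 0xOTHER (constructed)"

# dvn-a reads from a poisoned data source in every scenario below.
SINGLE = {"dvn-a": digest(FORGED)}
QUORUM = {"dvn-a": digest(FORGED), "dvn-b": digest(REAL), "dvn-c": digest(REAL)}
OUTAGE = {"dvn-a": digest(FORGED), "dvn-b": None, "dvn-c": None}

if __name__ == "__main__":
    print("1-of-1, forged:", verify(FORGED, SINGLE, 1))
    print("2-of-3, forged:", verify(FORGED, QUORUM, 2))
    print("2-of-3, real:  ", verify(REAL, QUORUM, 2))
    print("2-of-3, outage:", verify(REAL, OUTAGE, 2))
```

A rejection with `verifier-disagreement` or `insufficient-verifiers` is also a detection signal worth alerting on, since the single-verifier setup produces neither.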
Advanced Tactics Linked to Lazarus
The attack shows a new level of sophistication. LayerZero attributes it to a state-backed group, likely North Korea's Lazarus (TraderTraitor unit). Techniques used include:
RPC data poisoning with selective responses
Coordinated DDoS to trigger failover
Self-destructing malware to erase evidence
Such techniques enabled the attackers to evade monitoring mechanisms and operate undisturbed throughout the period of exploitation.
Immediate Actions Taken
Requirements are now being tightened in the LayerZero ecosystem:
It will no longer support single-DVN configurations
Projects are being encouraged to switch to multi-DVN designs
Law enforcement agencies are involved in the investigation
Ongoing tracking efforts to recover stolen amounts
A shift in attack patterns was evident in the incident. Rather than cracking code, attackers are going after infrastructure and poorly configured areas, which, despite often being neglected, are equally high priority.