Key Takeaways:
- KelpDAO was exploited for roughly $290M in a targeted attack by a highly advanced attacker, most likely the Lazarus Group.
- The attack took advantage of a single-DVN configuration, which creates a critical point of failure.
- LayerZero assures zero impact on other apps, and the incident is fully isolated.
A large-scale DeFi exploit has called cross-chain security into question, with KelpDAO becoming the victim of one of the largest exploits of 2026. LayerZero has published a breakdown that describes the core issue and refutes the allegations of a protocol-level weakness.
KelpDAO Exploit Breakdown
On April 18, an attack on KelpDAO's rsETH system cost the team about $290 million. LayerZero indicates that there was no exploit of smart contract bugs and no key leakage.
https://t.co/3vIHs3Xgs4
— LayerZero (@LayerZero_Core) April 20, 2026
Rather, the attackers targeted infrastructure, specifically the RPC nodes of LayerZero's verifier system.
They hacked into select RPC endpoints and overwrote their binaries with malicious programs. These nodes passed incorrect transaction data to the verifier while still reporting normal data elsewhere, thereby masking the attack in real time.
To carry out the operation, the attackers took down a healthy RPC node with a DDoS attack. This maneuver forced the system to switch to the compromised nodes, undermining the validity of real cross-chain messages and accepting the fake ones.
Single DVN Setup Created the Weak Point
The server problem was rooted in KelpDAO's decision on how the server should be configured.
Why the Setup Failed
The system depended on a single verifier (1-of-1 DVN) with no backup layer or independent verification. With no redundancy and no scheme to identify or check fake data, manipulated data was still accepted as legitimate.
LayerZero emphasized that it has consistently recommended a multi-DVN model. Under that setup, multiple independent verifiers must agree before a transaction is accepted.
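A simplified model of the failure described above, as an added example that is not LayerZero's or KelpDAO's code: the class names, endpoint names and the 2-of-3 threshold are assumptions, and the payloads are constructed. It shows a 1-of-1 verifier accepting a forged hash after failover, while a 2-of-3 quorum of verifiers with independent RPC endpoints still settles on the genuine one.

```python
import hashlib
from collections import Counter

REAL = b"constructed: genuine cross-chain message"
FORGED = b"constructed: forged cross-chain message"

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

class RpcNode:
    """Constructed stand-in for an RPC endpoint; `lie_to` models selective poisoning."""
    def __init__(self, name, up=True, lie_to=()):
        self.name, self.up, self.lie_to = name, up, set(lie_to)
    def payload_hash(self, caller: str) -> str:
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        # A poisoned node answers honestly to everyone except its chosen victims.
        return digest(FORGED if caller in self.lie_to else REAL)

class Dvn:
    """Verifier that attests to the first hash it can fetch, failing over down its list."""
    def __init__(self, name, rpcs):
        self.name, self.rpcs = name, rpcs
    def attest(self):
        for rpc in self.rpcs:
            try:
                return rpc.payload_hash(caller=self.name)
            except ConnectionError:
                continue  # failover: the next endpoint's answer is trusted as-is
        return None  # no reachable endpoint: abstain

def verify(dvns, threshold):
    """Return the hash at least `threshold` DVNs agree on, or None (message rejected)."""
    votes = Counter(a for a in (d.attest() for d in dvns) if a is not None)
    top, count = votes.most_common(1)[0] if votes else (None, 0)
    return top if count >= threshold else None

def scenario():
    """Healthy endpoint offline, fallback poisoned only for dvn-1; compare 1-of-1 with 2-of-3."""
    poisoned = RpcNode("rpc-b", lie_to={"dvn-1"})
    dvn1 = Dvn("dvn-1", [RpcNode("rpc-a", up=False), poisoned])
    dvn2 = Dvn("dvn-2", [RpcNode("rpc-c")])
    dvn3 = Dvn("dvn-3", [RpcNode("rpc-d")])
    return {
        "monitor_view": poisoned.payload_hash(caller="monitor"),
        "single_dvn": verify([dvn1], threshold=1),
        "multi_dvn": verify([dvn1, dvn2, dvn3], threshold=2),
    }
```

The `monitor_view` entry reflects why probing the poisoned endpoint from outside the verifier does not reveal the problem: it returns the genuine hash to every caller except the one it targets.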
Advanced Tactics Linked to Lazarus
The attack shows a new level of sophistication. LayerZero attributes it to a state-backed group, likely North Korea's Lazarus (TraderTraitor unit). Techniques used include:
- RPC data poisoning with selective responses
- Coordinated DDoS to trigger failover
- Self-destructing malware to erase evidence
Such techniques enabled the attackers to evade monitoring mechanisms and operate undisturbed throughout the period of exploitation.
Immediate Actions Taken
Requirements are now being tightened in the LayerZero ecosystem:
- It will not support single-DVN configurations
- Projects are being encouraged to switch to multi-DVN designs
- Law enforcement agencies are involved in the investigation
- Ongoing tracking efforts to recover stolen funds
A shift in attack patterns was evident in the incident. Rather than breaking code, attackers are going after infrastructure and poorly configured areas, which, despite often being neglected, are equally high priority.