Source: LayerZero; Compiled by: Golden Financial Claw
KelpDAO attack statement
On April 18, 2026, KelpDAO was attacked, resulting in a loss of approximately US$290 million. Initial indications are that the attack originated from a highly sophisticated state-level hacker group, most likely North Korea's Lazarus Group (specifically the TraderTraitor branch). The incident was limited to KelpDAO's rsETH configuration, and its direct cause was that configuration's single DVN (Decentralized Validation Network) setup. There is no risk contagion to other cross-chain assets or applications.
This highly sophisticated attack poisoned the downstream RPC (remote procedure call) infrastructure used by the LayerZero Labs DVN. All affected RPC nodes have since been deprecated and replaced, and the LayerZero Labs DVN is back online.
We share these details to help the community better understand and protect against this emerging nation-state-sponsored attack vector.
The LayerZero protocol is built on a modular, application-configurable security foundation. Decentralized Verification Networks (DVNs) are independent entities responsible for verifying the integrity of cross-chain messages. Crucially, the protocol does not mandate a single security configuration. Instead, it empowers each application and asset issuer to define their own security posture, including which DVNs they rely on, how they are combined, and what redundancy thresholds are set.
An industry best practice—and something LayerZero explicitly recommends to all integrators—is to configure a multi-DVN setup with diversity and redundancy. This means that no single DVN should represent a unilateral point of trust or failure.
We conducted a comprehensive review of active integrations on the LayerZero protocol. We can confirm with confidence that there is no risk contagion to any other assets or applications. This incident was entirely isolated to KelpDAO's rsETH configuration because of its single-DVN setup.
The affected application is rsETH issued by KelpDAO. At the time of the incident, its OApp configuration relied on a "1 of 1" DVN setup, with LayerZero Labs as the sole verifier - a configuration that directly violates the multi-DVN redundancy model LayerZero has always recommended to all partners. Running a single-point-of-failure configuration means there is no independent verifier to catch and reject forged messages. LayerZero and other external parties had previously communicated best practices on DVN diversification to KelpDAO, and despite these recommendations KelpDAO chose to keep the 1/1 DVN configuration.
With a properly hardened configuration, an attack would require consensus across multiple independent DVNs and would fail even if any single DVN were compromised.
On April 18, 2026, LayerZero Labs' DVN was the target of a highly sophisticated attack. By tampering with, or "poisoning", the downstream RPC infrastructure, the attacker compromised the quorum of RPC nodes the DVN relies on to verify transactions. This was not achieved through a vulnerability in the protocol, in the DVN itself, or in key management.
Instead, the attacker obtained the RPC list used by our DVN, compromised two of the independent nodes, and replaced the binaries running the op-geth node. Due to our "least privilege" principle, they were unable to compromise the actual DVN instance. However, they used this as a springboard to perform an RPC spoofing attack:
The malicious nodes used custom payloads to forge messages to the DVN.
The nodes lied only to the DVN and returned truthful responses to every other IP address, including our scanning service and internal monitoring infrastructure. This selective behaviour was designed to keep security monitoring from detecting the anomaly.
After the attack was complete, the malicious nodes self-destructed: they disabled RPC and deleted the malicious binary and related logs.
In addition, the attacker conducted a DDoS attack on the uncompromised RPC nodes, triggering a system failover to the poisoned RPC node. As a result, DVN instances operated by LayerZero Labs confirmed transactions that never actually occurred.
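To illustrate the two defences the statement describes, a DVN that refuses to attest unless a quorum of its RPC nodes agree (rather than failing over to whichever node is still up) and an application that requires more than one DVN, here is an added toy simulation; it is not LayerZero code, and all node, DVN and message names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RpcNode:
    name: str
    confirmed: set          # message ids this node reports as present on the source chain
    online: bool = True     # False models a node knocked offline by the DDoS

    def has_event(self, msg_id: str) -> Optional[bool]:
        return (msg_id in self.confirmed) if self.online else None

@dataclass
class DVN:
    name: str
    rpcs: List[RpcNode]
    mode: str = "quorum"    # "failover": first live node decides; "quorum": live nodes must agree
    quorum: int = 2

    def verify(self, msg_id: str) -> bool:
        answers = [r.has_event(msg_id) for r in self.rpcs]
        live = [a for a in answers if a is not None]
        if self.mode == "failover":
            # A DDoS on the primary shifts the decision to whichever node is next in line.
            return bool(live) and live[0]
        # Attest only when enough live nodes confirm and none disagrees; otherwise stall.
        return live.count(True) >= self.quorum and False not in live

def app_accepts(msg_id: str, dvns: List[DVN], required: int) -> bool:
    """Application-side security config: `required` of the listed DVNs must attest."""
    return sum(1 for d in dvns if d.verify(msg_id)) >= required

# Constructed scenario: REAL exists on the source chain, FORGED never happened.
REAL, FORGED = "msg-real-0x01", "msg-forged-0x02"
primary = RpcNode("rpc-primary", {REAL}, online=False)   # honest, but taken down by DDoS
poisoned = RpcNode("rpc-fallback", {REAL, FORGED})        # replaced binary, lies to the DVN
spare = RpcNode("rpc-spare", {REAL})                      # honest and reachable
failover_dvn = DVN("dvn-failover", [primary, poisoned], mode="failover")
quorum_dvn = DVN("dvn-quorum", [primary, poisoned, spare], mode="quorum", quorum=2)
independent_dvn = DVN("dvn-independent", [RpcNode("rpc-x", {REAL}), RpcNode("rpc-y", {REAL})])

def one_of_one_accepts_forgery() -> bool:
    return app_accepts(FORGED, [failover_dvn], required=1)              # True: the 1/1 setup

def two_of_two_accepts_forgery() -> bool:
    return app_accepts(FORGED, [failover_dvn, independent_dvn], required=2)  # False

def two_of_two_accepts_real() -> bool:
    return app_accepts(REAL, [failover_dvn, independent_dvn], required=2)    # True
```

The quorum-mode DVN stalls on the forged message because its live nodes disagree, which is the safe failure; the failover-mode DVN attests to it, and only a second independent DVN at the application layer stops it from being executed.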
We operate full endpoint detection and response (EDR), strict access controls, a fully isolated environment, and full system logging. Our DVN runs across self-operated and external RPC nodes. We are currently in the final stages of our SOC 2 audit.
DVN Recovery: LayerZero Labs DVN is back up and running. Applications with multi-DVN setups can resume operations with confidence.
Forced Migration: We are contacting all applications using a 1/1 DVN configuration to migrate to a multi-DVN redundant setup. LayerZero Labs DVN will no longer sign or certify messages for any application using the 1/1 configuration.
Law Enforcement Cooperation: We are working with multiple law enforcement agencies around the world and supporting industry partners and Seal911 to track funds.
Let's be clear: the LayerZero protocol itself worked exactly as expected throughout this incident. No protocol vulnerabilities were found. Under a monolithic or shared security model, the risk could have spread to every application. The defining feature of the LayerZero architecture is modular security, and in this case it worked exactly as it should - the attack was completely isolated within a single application, with zero risk of contagion across the system.
We will continue to be committed to the security and integrity of the LayerZero ecosystem.