CryptoNewsZ 2026-04-20 06:51:56

After $290M KelpDAO Breach, LayerZero Scrambles to Shield Network

The KelpDAO attack was possible because the DeFi platform used a single-verifier setup instead of multiple verifiers. Hackers used fake data and DDoS to trick the system. LayerZero issued a statement and confirmed that the issue was isolated and that no other apps or assets have been affected.

LayerZero issued a detailed statement today, April 20, 2026, regarding the massive $290 million exploit that targeted KelpDAO’s rsETH assets on April 18, 2026. The attack, attributed to North Korea’s notorious Lazarus Group, specifically the TraderTraitor subgroup, exposed vulnerabilities in single-verifier setups.

LayerZero (@LayerZero_Core), April 20, 2026: https://t.co/3vIHs3Xgs4

Crucially, LayerZero stressed in the statement that its protocol worked perfectly, with the damage contained to just one asset because of its modular security design. Ripple CTO David Schwartz called it “way more sophisticated than I expected,” blaming KelpDAO’s laziness in security configuration.

“The attack was way more sophisticated than I expected and aimed at LayerZero infrastructure taking advantage of KelpDAO laziness.” David ‘JoelKatz’ Schwartz (@JoelKatz), April 20, 2026: https://t.co/eunWHvBPl6

Attack Isolated to KelpDAO’s Risky Setup

The breach hit KelpDAO’s rsETH, a restaked ETH token bridged via LayerZero’s protocol. KelpDAO had configured its OApp, a LayerZero tool for cross-chain apps, with a “1-of-1” Decentralized Verifier Network (DVN) setup. This meant that it relied solely on LayerZero Labs’ DVN as the single point of trust, ignoring repeated warnings to use multi-DVN redundancy.

DVNs are like independent referees that check cross-chain messages to prevent fakes. LayerZero’s architecture lets apps pick multiple DVNs for consensus: think of it as needing two or three witnesses to confirm a transaction, not just one. KelpDAO’s solo DVN choice created a single point of failure. LayerZero confirmed that no other assets or apps were affected, and called it zero contagion after a full review.
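
The difference between a 1-of-1 and a multi-DVN setup can be shown with a small model. This is an added example, not LayerZero or KelpDAO code; the class, field and verifier names are hypothetical and the messages are constructed sample data.

```python
from dataclasses import dataclass
from hashlib import sha256

@dataclass(frozen=True)
class VerifierConfig:
    """Simplified model of an app's DVN settings (field names are hypothetical)."""
    dvns: tuple      # names of the verifiers the app trusts
    threshold: int   # matching attestations required to accept a message


def digest(message: bytes) -> str:
    return sha256(message).hexdigest()


def verify(config: VerifierConfig, views: dict, message: bytes) -> bool:
    """Accept only if `threshold` DVNs each see the message in their own data source."""
    votes = sum(digest(message) in views[name] for name in config.dvns)
    return votes >= config.threshold


def audit(config: VerifierConfig) -> list:
    """Return findings for configurations that cannot give real redundancy."""
    findings = []
    if len(set(config.dvns)) < 2:
        findings.append("only one distinct DVN configured")
    if config.threshold < 2:
        findings.append("one attestation is enough to verify a message")
    if config.threshold > len(set(config.dvns)):
        findings.append("threshold exceeds DVN count; nothing can verify")
    return findings


# Constructed sample data: one genuine message and one forged message.
GENUINE = b"constructed: message that exists on the source chain"
FORGED = b"constructed: message that was never sent"
honest_view = {digest(GENUINE)}
VIEWS = {
    "dvn-a": honest_view | {digest(FORGED)},  # this verifier's data source returns fake data
    "dvn-b": honest_view,
    "dvn-c": honest_view,
}
ONE_OF_ONE = VerifierConfig(dvns=("dvn-a",), threshold=1)
TWO_OF_THREE = VerifierConfig(dvns=("dvn-a", "dvn-b", "dvn-c"), threshold=2)

if __name__ == "__main__":
    for label, cfg in (("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE)):
        print(label, "forged accepted:", verify(cfg, VIEWS, FORGED),
              "| genuine accepted:", verify(cfg, VIEWS, GENUINE), "| audit:", audit(cfg) or "ok")
```

With one verifier, a single misled data source is enough for the forged message to pass; with a threshold of two, the same forged message is rejected while the genuine one still verifies.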

How the Hack Unfolded: RPC Poisoning and DDoS

The assault was a masterclass in stealth. The suspected Lazarus hackers did not crack the protocol or steal keys. Instead, they poisoned LayerZero Labs’ downstream RPC (Remote Procedure Call) infrastructure, the nodes that fetch blockchain data.

The attackers first obtained the list of RPC nodes that LayerZero’s DVN used. They hacked two independent op-geth nodes (Ethereum clients) on separate clusters, swapping the binaries for malicious versions. These nodes lied only to the DVN and told the truth to outsiders such as LayerZero’s scanning tools in order to dodge detection.

LayerZero’s DVN uses redundant internal and external RPCs for trust minimization. To bypass the healthy ones, the hackers launched DDoS attacks, forcing failover to the poisoned nodes. The bad RPCs then fed a custom payload that forged a fake cross-chain message. The DVN, seeing only tainted data, verified non-existent rsETH transactions, draining $290 million.

The malware self-destructed after the attack, wiping logs and disabling the nodes. LayerZero shared traffic graphs that showed the DDoS spikes, indicating the limits of RPC verification, a risk for all offchain services such as bridges.

LayerZero’s Robust Defenses Held Firm

LayerZero stressed in the statement that it has strong security in place. This includes constant monitoring of devices, giving employees only the access they actually need, and keeping systems separate so that one issue does not affect everything. The company also has a team watching things 24/7 and works with outside security experts. It is also close to obtaining a major security certification (SOC 2).

LayerZero explained that its system uses a mix of its own servers and third-party ones, which helped limit how much damage the attack could cause. Importantly, there was no flaw in the main protocol itself, and the design helped contain the problem.

LayerZero also confirmed that all the affected servers have been removed and replaced, and that the system is now fully up and running again.

Path Forward: Multi-DVN Mandate and Global Hunt

LayerZero is urging all single-DVN apps to upgrade and is refusing to verify 1/1 setups. It is contacting partners, aiding Seal911 in fund tracking, and cooperating with law enforcement worldwide.

This incident spotlights state-sponsored threats evolving beyond code exploits to infrastructure sabotage. For users, it reinforces the case for diversifying verifiers, just as you would spread risk in a portfolio. LayerZero’s checklist demands multi-DVN for integrations; KelpDAO ignored it at its peril.

The crypto world is watching as investigators chase the Lazarus funds. Even though there was no systemic risk, this incident acts as a wake-up call about lazy configs in DeFi’s high-stakes games.
