Single-DVN setup enabled a $290M exploit as attackers manipulated RPC nodes and bypassed verification safeguards.
A serious security incident drained roughly $290 million from KelpDAO’s rsETH, sending shockwaves throughout the crypto market. Findings point to a highly coordinated operation, possibly linked to Lazarus Group and its subgroup TraderTraitor. LayerZero has now detailed how the breach unfolded, revealing the precise attack path behind the exploit.
LayerZero Confirms No Protocol Breach in Exploit
Decentralized platform LayerZero has disclosed new details about the attack that led to the $290 million exploit of KelpDAO’s rsETH on April 18, 2026. Early findings point to a highly coordinated operation linked to North Korea’s Lazarus Group, particularly its TraderTraitor unit.
While the incident raised concerns across the cross-chain sector, LayerZero stressed that damage remained contained. No other assets or applications on the protocol were affected.
According to LayerZero, attackers did not breach the protocol itself or its core infrastructure. Instead, they targeted the downstream RPC systems used by the LayerZero Labs Decentralized Verifier Network (DVN).
https://t.co/3vIHs3Xgs4
— LayerZero (@LayerZero_Core) April 20, 2026
By compromising two independent RPC nodes, the attackers replaced key binaries and introduced malicious behavior designed to mislead verification processes.
Access to the DVN’s RPC list allowed attackers to execute a precise spoofing strategy. Their modified nodes sent forged transaction data exclusively to the DVN while presenting accurate data to all other observers.
Consequently, internal monitoring tools detected no inconsistencies during the attack window. Once the malicious activity ended, the altered nodes erased traces by deleting logs and disabling compromised systems.
Even with that access, attackers still had to get around the system’s backups. They launched a DDoS attack on the healthy RPC nodes, knocking them offline. That forced the DVN to switch to the compromised nodes. As a result, it approved transactions that never actually occurred on-chain.
Law Enforcement Joins Probe Into $290M KelpDAO Exploit
LayerZero clarified that its DVN infrastructure follows a trust-minimized model, combining internal and external RPC providers. However, the rsETH application operated by KelpDAO relied on a single-DVN configuration. That setup created a single point of failure, allowing the forged message to pass without independent verification.
Industry guidance from LayerZero has consistently advised integrators to adopt multi-DVN configurations. Such setups require consensus across multiple independent verifiers, reducing the risk of any single compromised component. In this case, the absence of redundancy meant no additional DVN could challenge the falsified data.
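The failure mode described above, a lone verifier that fails over to whichever RPC endpoints are still reachable, can be modelled in a few lines and compared with a fail-closed quorum and a two-verifier requirement. This is an added illustration, not LayerZero's or KelpDAO's code; the function names, pool sizes, thresholds and hash values are hypothetical and constructed for the example.

```python
from typing import Callable, Dict, List, Optional

# Hypothetical model: an RPC endpoint maps a message id to the payload hash it
# reports for the source chain, or None when the endpoint is unreachable.
Rpc = Callable[[str], Optional[str]]

def verifier_attest(rpcs: List[Rpc], msg_id: str, min_agree: int) -> Optional[str]:
    """Hash the verifier attests to, or None (fail closed).

    Attests only if at least min_agree endpoints answer and every answer
    matches, so losing endpoints costs availability, not the evidence bar.
    """
    answers = [a for a in (rpc(msg_id) for rpc in rpcs) if a is not None]
    if len(answers) < min_agree or len(set(answers)) != 1:
        return None
    return answers[0]

def accept_message(claimed: str, attested: Dict[str, Optional[str]],
                   required: List[str]) -> bool:
    """Accept only if every required verifier attests to the claimed hash."""
    return bool(required) and all(attested.get(v) == claimed for v in required)

def scenario() -> Dict[str, bool]:
    """Constructed replay of the failure mode described in the article."""
    forged = "0xforged"                  # constructed placeholder hash
    spoofing = lambda _id: forged        # compromised endpoint
    offline = lambda _id: None           # healthy endpoint knocked offline
    healthy = lambda _id: "NOT_FOUND"    # message never happened on-chain

    pool_a = [spoofing, spoofing, offline, offline]  # verifier A's endpoints
    pool_b = [healthy, healthy, healthy]             # independent verifier B

    failover_a = verifier_attest(pool_a, "msg-1", min_agree=1)  # uses whatever is up
    strict_a = verifier_attest(pool_a, "msg-1", min_agree=3)    # majority of the pool
    b = verifier_attest(pool_b, "msg-1", min_agree=2)

    return {
        # One verifier with failover: the forged message is accepted.
        "single_failover": accept_message(forged, {"A": failover_a}, ["A"]),
        # Same verifier failing closed: nothing is attested, message rejected.
        "single_strict": accept_message(forged, {"A": strict_a}, ["A"]),
        # Two independent verifiers: B never saw the message, so it is rejected.
        "multi": accept_message(forged, {"A": failover_a, "B": b}, ["A", "B"]),
    }

if __name__ == "__main__":
    print(scenario())
```

The fail-closed variant trades availability for integrity: with the healthy endpoints offline the verifier attests to nothing until they return, rather than lowering the number of sources it needs.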
Despite the size of the exploit, the blockchain showed zero contagion across its ecosystem. A full review of integrations confirmed that all other applications remained unaffected. Modular security design played a key role in limiting the incident to KelpDAO’s rsETH deployment.
In addition, the report includes LayerZero’s internal security measures. Systems operate under strict access controls, device-level monitoring, and segmented environments.
External security vendors support ongoing oversight, while the company nears completion of its SOC 2 audit. These controls prevented attackers from accessing the DVN itself, limiting the breach to RPC-level manipulation.
Following the incident, all affected RPC nodes have been replaced, and the LayerZero Labs DVN is fully operational again. The company has also taken a firm stance against single-DVN configurations. Applications using such setups will no longer receive verification support moving forward.
Law enforcement agencies across multiple jurisdictions are now involved in the investigation. LayerZero is working alongside partners and security groups, including Seal911, to trace and recover stolen funds.
