An attacker exploited LayerZero Executor wallets throughout eight blockchains, draining roughly $2.4 million earlier than changing the stolen funds into ETH and USDC. PeckShieldAlert recognized the exercise, tracing the exploit throughout Ethereum, BNB Chain, Base, Arbitrum, Avalanche, Optimism, and Plasma. LayerZero has not but confirmed the incident.
What Occurred
The exploit hit Executor wallets throughout a number of networks without delay, and the attacker moved quick to transform the proceeds earlier than anybody might freeze them.

Supply – PeckShieldAlert
How the Assault Unfolded
PeckShield’s monitoring exhibits the attacker bridged the stolen belongings to Ethereum and swapped most of them into 956 ETH and roughly $322,000 in USDC. Consolidating funds into ETH and a stablecoin on a single chain is a standard transfer for attackers searching for to make stolen belongings simpler to launder or money out, because it reduces the variety of wallets and chains a stolen-funds tracker has to watch.
What Executor Wallets Really Do
Executor wallets are a part of LayerZero’s structure and are liable for delivering cross-chain messages. They decide up a message on one chain and drop it off on one other, making them a working piece of infrastructure fairly than a passive holding pockets. That operational function is strictly why they’re a goal: compromise the pockets that executes messages, and an attacker can doubtlessly manipulate what will get delivered, not simply steal what’s sitting in a stability.
A Acquainted Sample for LayerZero
This isn’t LayerZero’s first brush with a serious safety incident this 12 months. In April 2026, KelpDAO suffered a breach linked to LayerZero infrastructure during which attackers solid a cross-chain message by compromising a single-signer DVN function, draining about 116,500 rsETH, price near $292 million on the time. A DVN, or Decentralized Verifier Community, is the element that checks whether or not a cross-chain message is respectable earlier than it will get executed.
That assault was attributed to North Korea’s Lazarus Group, and it uncovered a wider drawback: safety researchers discovered that just about half of all LayerZero purposes have been nonetheless operating what’s referred to as a “1-of-1” DVN setup, the place a single compromised verifier is sufficient to forge a sound message.
What This Means for DeFi Builders and Customers
LayerZero’s design offers purposes management over their very own safety parameters fairly than imposing one customary configuration throughout the board. That flexibility is helpful for groups with totally different threat tolerances, nevertheless it additionally means the weakest-configured app on the community turns into the simplest goal.
Anybody utilizing or constructing on protocols related to LayerZero ought to examine whether or not the underlying messaging layer depends on a single verifier or a distributed setup, and you may examine our information on multi-party computation wallets earlier than trusting it with significant funds.
What to Watch Subsequent
The open query is whether or not LayerZero points an official affirmation of this exploit and whether or not it makes use of the second to push purposes nonetheless operating single-signer DVN configurations towards multi-signer verification, one thing the ecosystem has been calling for for the reason that KelpDAO breach.
What this implies for you: Earlier than trusting an app together with your funds, examine its documentation or audit stories for what number of verifiers approve its cross-chain transfers, as a result of a single-verifier setup means one compromised celebration is all it takes to empty the funds behind it.
