LayerZero: KelpDAO Attack Was Limited to rsETH Configuration, Broader Ecosystem Unaffected

LayerZero Labs said on April 20 that a breach at KelpDAO on April 18 led to roughly $290 million in losses, with early findings pointing to the Lazarus Group’s TraderTraitor unit linked to North Korea, according to BlockBeats. LayerZero said the attackers targeted the downstream RPC infrastructure used by KelpDAO’s decentralized verification network (DVN). By taking control of certain RPC nodes and pairing that with a DDoS campaign, they forced traffic onto malicious nodes and were able to fabricate cross-chain transactions.

The compromised RPC nodes have been taken offline and replaced, and the DVN is back online. LayerZero stressed that the impact was confined to KelpDAO’s rsETH application configuration, with no effect on other assets or applications. LayerZero attributed the incident to KelpDAO operating a single-DVN “1/1” setup rather than the multi-DVN redundancy model LayerZero recommends for long-term deployments. Without independent verification nodes, forged messages were not flagged. LayerZero said the core protocol had no vulnerabilities and that applications configured with multiple DVNs were not impacted, adding that it sees no systemic contagion risk.

The company said it will accelerate migrations from 1/1 configurations to multi-DVN architectures and has suspended signature and verification services for 1/1 setups. LayerZero also said it is working with global law enforcement and industry partners to support the investigation and trace the stolen funds, noting the incident highlights both the benefits of modular security and the risks tied to RPC-based verification paths.
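
A simplified model of the 1/1 versus multi-DVN point above, as an added example that is not LayerZero or KelpDAO code. `Verifier`, `verify`, the payloads and the 2-of-3 threshold are hypothetical, and all data is constructed. The last scenario goes one step beyond the article: several verifiers that read the same RPC source are not independent.

```python
import hashlib
from dataclasses import dataclass

def digest(payload):
    return hashlib.sha256(payload).hexdigest()

@dataclass
class Verifier:
    """Hypothetical stand-in for a DVN: attests to whatever its RPC view reports."""
    name: str
    rpc_view: dict  # nonce -> payload bytes, as served by this verifier's RPC node

    def attest(self, nonce):
        payload = self.rpc_view.get(nonce)
        return digest(payload) if payload is not None else None

def verify(nonce, payload, verifiers, threshold):
    """Return (accepted, flagged) for a message under an X-of-N verifier policy."""
    attestations = {v.name: v.attest(nonce) for v in verifiers}
    matching = sum(1 for a in attestations.values() if a == digest(payload))
    flagged = len(set(attestations.values())) > 1  # verifiers disagree with each other
    return matching >= threshold, flagged

# Constructed sample data: the source chain only ever sent nonce 6.
REAL = {6: b"transfer 1 rsETH to alice"}
FORGED = b"transfer 100000 rsETH to attacker"
honest_rpc_1, honest_rpc_2 = dict(REAL), dict(REAL)
bad_rpc = {**REAL, 7: FORGED}  # compromised node reports a message that was never sent

a = Verifier("dvn-a", bad_rpc)
b = Verifier("dvn-b", honest_rpc_1)
c = Verifier("dvn-c", honest_rpc_2)

def run_scenarios():
    return {
        "1/1 forged": verify(7, FORGED, [a], 1),
        "2/3 forged": verify(7, FORGED, [a, b, c], 2),
        "2/3 genuine": verify(6, REAL[6], [a, b, c], 2),
        # Three verifiers that all read the same compromised RPC are not independent.
        "2/3 shared RPC": verify(7, FORGED, [Verifier(n, bad_rpc) for n in "xyz"], 2),
    }

if __name__ == "__main__":
    for name, (accepted, flagged) in run_scenarios().items():
        print(f"{name:16} accepted={accepted} flagged={flagged}")
```

In this model a single verifier can never raise a disagreement flag, and a quorum only helps when each verifier's view of the source chain comes from a separate RPC path.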