LayerZero: KelpDAO Exploit Confined to rsETH Configuration, Core Protocol Unaffected
LayerZero Labs said on X that KelpDAO was hit by an attack on April 18, causing losses estimated at about $290 million. Initial analysis attributes the incident to the Lazarus Group.
According to LayerZero, the attackers poisoned the downstream RPC infrastructure used by KelpDAO's decentralized verification network (DVN). After compromising certain RPC nodes, they paired the compromise with a coordinated DDoS campaign to push the system to fail over to attacker-controlled nodes, enabling fabricated cross-chain transactions.
The affected RPC nodes have been taken offline and replaced, and DVN operations have resumed. LayerZero said the impact was limited to KelpDAO's rsETH application configuration and did not affect other assets or applications.
LayerZero added that KelpDAO could not detect forged messages because it relied on a single-DVN setup without multiDVN redundancy. The LayerZero protocol itself was not vulnerable, and applications configured with multiple DVNs were not affected.
LayerZero said it will push all single-DVN configurations to migrate to a multiDVN architecture, has suspended signature and verification services for 1/1 configurations, and is assisting law enforcement in tracking the stolen funds.
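The difference between a 1/1 configuration and a multiDVN one can be shown with a simplified threshold model; this is an added illustration, not LayerZero or KelpDAO code. The DVN names, payloads, and the `verify` and `conflicting` helpers are hypothetical, and the model assumes each DVN reads from an independent RPC source.

```python
import hashlib
from collections import Counter

def payload_hash(payload: bytes) -> str:
    """Hash a DVN attests to after reading the message from its RPC source."""
    return hashlib.sha256(payload).hexdigest()

def verify(attestations, dvns, threshold):
    """Return the hash attested by at least `threshold` configured DVNs, else None."""
    if not 1 <= threshold <= len(dvns):
        raise ValueError("threshold must be between 1 and the number of DVNs")
    votes = Counter(attestations[d] for d in dvns if d in attestations)
    winners = [h for h, n in votes.items() if n >= threshold]
    # Fail closed: no hash, or more than one hash, reaching the threshold.
    return winners[0] if len(winners) == 1 else None

def conflicting(attestations, dvns):
    """True when configured DVNs report different hashes (an alertable signal)."""
    return len({attestations[d] for d in dvns if d in attestations}) > 1

# Constructed sample data: the same message slot, genuine and fabricated contents.
GENUINE = payload_hash(b"nonce=7 asset=rsETH amount=10")
FORGED = payload_hash(b"nonce=7 asset=rsETH amount=100000")

# Hypothetical setup: dvn-a has failed over to a poisoned RPC node,
# dvn-b and dvn-c still read from independent, healthy nodes.
ATTESTATIONS = {"dvn-a": FORGED, "dvn-b": GENUINE, "dvn-c": GENUINE}

def compare_configs():
    """Evaluate the same attestations under three DVN configurations."""
    return {
        # 1/1: the single DVN's view is accepted, with nothing to compare it to.
        "1/1": verify(ATTESTATIONS, ["dvn-a"], 1),
        # 2/2: the two DVNs disagree, so nothing is verified.
        "2/2": verify(ATTESTATIONS, ["dvn-a", "dvn-b"], 2),
        # 2/3: the two healthy DVNs outvote the poisoned one.
        "2/3": verify(ATTESTATIONS, ["dvn-a", "dvn-b", "dvn-c"], 2),
    }

if __name__ == "__main__":
    for config, result in compare_configs().items():
        print(config, "->", result)
    print("conflict visible with one DVN:", conflicting(ATTESTATIONS, ["dvn-a"]))
    print("conflict visible with three DVNs:",
          conflicting(ATTESTATIONS, ["dvn-a", "dvn-b", "dvn-c"]))
```

The threshold only helps when the DVNs do not share the same RPC providers; DVNs that all fail over to the same poisoned node would agree on the forged hash.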