BlockBeats report: On April 20, LayerZero Labs issued a statement regarding the attack, revealing that on April 18, KelpDAO suffered a breach resulting in losses of approximately $290 million. The attack is preliminarily attributed to the Lazarus Group, specifically the subgroup TraderTraitor, with ties to North Korea. The attackers compromised the downstream RPC infrastructure upon which KelpDAO’s decentralized verification network (DVN) relies, taking control of certain RPC nodes and coordinating a DDoS attack to force the system to switch to malicious nodes, thereby forging cross-chain transactions. All affected RPC nodes have been taken offline and replaced, and the DVN has now resumed operations.
LayerZero emphasized that this incident was limited to KelpDAO’s rsETH application configuration and did not affect any other assets or applications. The cause was that KelpDAO was using a single DVN (1/1) architecture at the time, rather than the multi-DVN redundancy mechanism officially recommended for long-term use, resulting in a lack of independent verification nodes to detect forged messages. LayerZero noted that its protocol itself had no vulnerabilities, and applications configured with multiple DVNs were unaffected, with no systemic risk of contagion.
LayerZero stated that it will expedite the migration of all projects using a single DVN configuration to a multi-DVN architecture and has suspended signature and verification services for 1/1 configurations. The company is also collaborating with global law enforcement agencies to investigate the incident and assisting industry partners in tracking the stolen funds. LayerZero noted that this event underscores the value of a modular security architecture while also highlighting potential security risks associated with RPC verification pathways.