BlockBeats report: On May 20, LayerZero released a report on the rsETH attack. On April 18, the KelpDAO rsETH bridge, built on the LayerZero cross-chain messaging protocol, was compromised, resulting in the theft of approximately 116,500 rsETH (valued at around $292 million). Multiple security firms attribute this attack to the North Korean hacking group TraderTraitor (UNC4899). The attack did not affect the LayerZero protocol itself or other OApps; it targeted only KelpDAO's bridge, which was configured with a single verifier.
The attack began on March 6, when the attacker used social engineering to obtain the session key of a LayerZero Labs developer, infiltrated their RPC cloud environment, and compromised internal RPC nodes. These nodes were implanted with memory patches that returned normal responses to monitoring tools while providing tampered blockchain state information to LayerZero Labs’ DVN (Decentralized Verifier Network). The attacker then launched a DoS attack against external RPC providers, forcing the DVN to rely exclusively on the compromised internal nodes, ultimately enabling the generation of valid proofs for forged cross-chain messages. Due to KelpDAO’s single-verifier configuration, the target contract accepted the single proof and unlocked rsETH.
Following the incident, LayerZero Labs implemented several measures:
Change operational stance to require that channels in which its DVN participates meet minimum security configurations (its DVN will no longer serve as the sole verifier signature on a channel);
Completely rebuild the affected infrastructure using a zero-trust architecture and just-in-time privilege escalation mechanisms;
Collaborate with ecosystem partners to continuously enhance security configurations. Simultaneously, work with law enforcement agencies and security firms to investigate, attribute, and track funds.
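The two failure modes in the report (a DVN reading chain state from a single compromised RPC source after external providers were knocked offline, and a receiving contract that accepts one verifier's proof) can both be made to fail closed. The following simulation is an added example and is not LayerZero's or KelpDAO's code; the state roots, provider names, DVN names and message hash are constructed, and the quorum and attestation functions are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical simulation, not LayerZero or KelpDAO code. A "state root" stands
# in for whatever chain state a DVN reads in order to verify a message.

@dataclass(frozen=True)
class Attestation:
    dvn: str        # name of the verifier that signed
    msg_hash: str   # cross-chain message being attested

def rpc_consensus(responses: dict, min_sources: int = 2):
    """Return the state root reported by at least `min_sources` distinct RPC
    providers, or None. Providers that are down (None) never count toward the
    quorum, so a DoS on external providers cannot shrink verification to a
    single internal node."""
    live = [r for r in responses.values() if r is not None]
    if len(live) < min_sources:
        return None                      # fail closed: too few independent views
    root, votes = Counter(live).most_common(1)[0]
    return root if votes >= min_sources else None   # disagreement: no attestation

def dvn_attest(dvn: str, responses: dict, msg_hash: str, claimed_root: str):
    """A DVN signs a message only when quorum-backed chain state matches the
    state the message claims; one tampered node cannot yield a valid proof."""
    root = rpc_consensus(responses)
    if root is None or root != claimed_root:
        return None
    return Attestation(dvn, msg_hash)

def oapp_accepts(attestations: list, msg_hash: str, required_dvns: set) -> bool:
    """Receiving-side check: every DVN in the channel's required set must have
    attested this message. A one-DVN required set is the single-verifier
    configuration the report describes and is rejected outright; with two or
    more, a single compromised DVN is not sufficient to unlock funds."""
    if len(required_dvns) < 2:
        return False
    signed = {a.dvn for a in attestations if a is not None and a.msg_hash == msg_hash}
    return required_dvns <= signed
```

Run the functions with the external providers set to None to reproduce the DoS condition: the DVN declines to attest rather than trusting the lone internal node.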
