Eli5DeFi


Interesting post-mortem here, but it leaves me with more questions because it comes across as so defensive. Anyway, let's get to the basics first. Based on LZ, on April 18, DPRK's Lazarus Group (TraderTraitor unit) stole $290M from KelpDAO's rsETH bridge.

The attack, step by step:

❶ Attacker found the list of RPC nodes (the "eyes") that LayerZero's verifier trusts for truth
❷ Hacked 2 of them. Rigged the malicious software to lie only to the verifier, and tell the truth to everyone else so monitoring systems saw nothing wrong
❸ DDoS'd the honest RPCs offline. Verifier failed over to the poisoned ones
❹ Verifier got fed a fake transaction as real. Signed off. Bridge released $290M worth of rsETH that wasn't backed by anything
❺ Malware self-destructed. Binary deleted, logs wiped, configs gone

LZ stated that Kelp used a single verifier (1-of-1 DVN setup) against LayerZero's repeated warnings. One verifier, one point of failure. LZ also confirms the damage is isolated. Zero contagion to any other asset so far.

But I still have a lot of questions, cmiiw:

- If 1/1 DVN was malpractice, why was it allowed to ship?
- The compromised infrastructure belongs to LayerZero Labs, not Kelp.
- How did the attacker get the RPC list in the first place?
- Swapping the binary on production nodes implies a root-level compromise.

On RPC poisoning: either this config leaked (which suggests a prior, unreported LayerZero compromise), or the attacker inferred it via sophisticated traffic analysis. Replacing the running op-geth binary on a production RPC node requires one of the following: root access on the box, a compromised deploy pipeline, or insider access. Which was it? The statement doesn’t say. If it was the deploy pipeline, that’s a supply-chain incident. If it was credential compromise, the scope is broader than what they’re admitting. The statement routes around this question entirely.
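To make the failure mode in steps ❸ and ❹ concrete from the defender's side, here is an added example (not code from LayerZero, Kelp or the post above) contrasting a failover-only source policy with a quorum check that refuses to attest when too few independent RPC sources agree. `RpcSource`, the block number and the hashes are constructed stand-ins.

```python
from collections import Counter
from dataclasses import dataclass

HONEST = "0xhonest"  # constructed placeholder block hashes, not real chain data
FAKE = "0xfake"

@dataclass
class RpcSource:
    """Constructed stand-in for one RPC endpoint as seen by the verifier."""
    name: str
    online: bool
    answers: dict  # block_number -> hash this node claims for it

    def get_block_hash(self, block_number):
        if not self.online:
            raise ConnectionError(self.name)  # DDoS'd / unreachable
        return self.answers[block_number]

def first_reachable_block_hash(sources, block_number):
    """Failover-only policy: trust whichever source answers first. Once the honest
    nodes are offline, the poisoned ones become 'the truth'."""
    for src in sources:
        try:
            return src.get_block_hash(block_number)
        except ConnectionError:
            continue
    return None

def quorum_block_hash(sources, block_number, min_agree):
    """Attest only if at least min_agree distinct, reachable sources agree.
    Unreachable nodes do not lower the bar; they simply do not vote."""
    votes = Counter()
    for src in sources:
        try:
            votes[src.get_block_hash(block_number)] += 1
        except (ConnectionError, KeyError):
            continue
    if not votes:
        return None
    best, count = votes.most_common(1)[0]
    return best if count >= min_agree else None

def scenario(honest_online):
    """Three honest nodes, two compromised ones (all constructed). Returns what
    each policy would attest for block 100 when honest nodes are up or DDoS'd."""
    sources = [RpcSource(f"rpc-{i}", honest_online, {100: HONEST}) for i in "abc"]
    sources += [RpcSource(f"rpc-{i}", True, {100: FAKE}) for i in "de"]
    return (first_reachable_block_hash(sources, 100),
            quorum_block_hash(sources, 100, min_agree=3))
```

With the honest nodes knocked offline, the failover policy returns the poisoned hash while the quorum policy returns `None` and withholds the attestation, which is the monitoring signal a single-verifier setup never produces.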
