LayerZero has placed responsibility for the $290 million Kelp DAO exploit on Kelp’s own security setup, saying that the liquid recovery protocol was running a unique verification setup that LayerZero had previously warned against.
The attack used a novel vector targeting the infrastructure layer instead of any protocol code.
The attackers, whom LayerZero attributed with preliminary confidence to North Korea’s Lazarus Group and its subunit TraderTraitor, compromised two of the remote procedure call (RPC) nodes that LayerZero’s verifier relied on to confirm cross-chain transactions.
RPC nodes are the servers that allow software to read and write data to a blockchain, and LayerZero’s verifier used a combination of internal and external servers for redundancy.
The attackers swapped the binary software running on two of those nodes with malicious versions designed to inform the LayerZero verifier that a fraudulent transaction had occurred, while continuing to report accurate data to all other systems querying those same nodes.
That selective lie was designed to keep the attack invisible to LayerZero’s own monitoring infrastructure, which queries the same RPCs from different IP addresses.
Compromising two nodes was not enough on its own. The LayerZero verifier queried the uncompromised external RPC nodes first, so the attackers launched a distributed denial-of-service attack against those healthy nodes to force the verifier to fail over onto the poisoned ones.
Traffic logs shared by LayerZero show that the DDoS was executed between 10:20 a.m. and 11:40 a.m. Pacific Time on Saturday. Once the failover was triggered, the compromised nodes told the verifier that a valid cross-chain message had arrived and the Kelp bridge released 116,500 rsETH to the attackers. The node malware then self-destructed, deleting local binaries and logs.
The attack only worked because Kelp ran a 1-of-1 verifier setup, meaning LayerZero Labs was the only entity verifying messages to and from the rsETH bridge.
LayerZero’s public integration checklist and direct communications with Kelp had recommended a multi-verifier setup with redundancy, where consensus between multiple independent verifiers would be required to confirm a message. Under that setup, poisoning a verifier’s data source would not have been enough to forge a valid message.
“KelpDAO chose to use a 1/1 DVN configuration,” LayerZero wrote, using the protocol’s term for decentralized verification networks. “A properly hardened configuration would have required consensus between multiple independent DVNs, making this attack ineffective even in the event that a single DVN was compromised.”
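The difference between a 1-of-1 configuration and a multi-DVN quorum, as an added illustration that is not LayerZero's or Kelp's code: a toy model in which one verifier's RPC failover list ends in two poisoned nodes that lie only to that verifier, a DDoS takes the healthy nodes offline, and a forged message is released only when a single DVN's attestation is enough. Node, DVN and message names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample state: the only message really committed on the source chain.
REAL_CHAIN = {"msg-0001"}
FORGED = "forged-withdrawal"           # never committed; the attacker wants it attested

@dataclass
class RpcNode:
    name: str
    poisoned: bool = False             # binary swapped by the attacker
    down: bool = False                 # knocked offline by the DDoS
    lie_to: frozenset = frozenset()    # caller ids that receive the false attestation

    def query(self, caller: str, msg_id: str) -> bool:
        # Answers "was msg_id committed?"; a poisoned node lies only to targeted callers
        if self.down:
            raise TimeoutError(self.name)
        if self.poisoned and caller in self.lie_to:
            return True                # selective lie; every other caller gets the truth
        return msg_id in REAL_CHAIN

@dataclass
class DVN:
    name: str
    rpcs: list                         # ordered failover list of RPC nodes

    def attest(self, msg_id: str) -> bool:
        for node in self.rpcs:
            try:
                return node.query(self.name, msg_id)
            except TimeoutError:
                continue               # fail over to the next node in the list
        return False                   # no live data source: refuse to attest

def verify(dvns: list, required: int, msg_id: str) -> bool:
    # A message is accepted only when at least `required` independent DVNs attest to it
    return sum(d.attest(msg_id) for d in dvns) >= required

def forged_released(required: int, ddos: bool) -> bool:
    # Does FORGED get released under a `required`-of-3 DVN config, with or without the DDoS?
    healthy = [RpcNode("ext-rpc-1", down=ddos), RpcNode("ext-rpc-2", down=ddos)]
    poisoned = [RpcNode(n, poisoned=True, lie_to=frozenset({"lz-dvn"})) for n in ("rpc-x", "rpc-y")]
    lz = DVN("lz-dvn", healthy + poisoned)          # healthy nodes first, poisoned as failover
    others = [DVN("dvn-b", [RpcNode("b-rpc")]), DVN("dvn-c", [RpcNode("c-rpc")])]
    return verify([lz] + others, required, FORGED)

def monitoring_sees_forged() -> bool:
    # The same poisoned node queried by the monitoring system does not serve the lie
    node = RpcNode("rpc-x", poisoned=True, lie_to=frozenset({"lz-dvn"}))
    return node.query("monitoring", FORGED)
```

With `required=1` the forged message passes as soon as the DDoS forces failover; with `required=2` the other DVNs, reading their own RPCs, never attest and the message is rejected.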
LayerZero said it has confirmed zero contagion to any other application on the protocol. No OFT standard tokens or applications running multi-verifier setups were affected.
LayerZero Labs’ verifier is back online and the company said it will no longer sign messages for any application running a 1-of-1 configuration, forcing a migration of the entire protocol from single-verifier configurations.
The architectural distinction is important in determining how DeFi prices LayerZero risk in the future.
A bug at the protocol level would have meant that all OFT tokens on every chain were potentially at risk. A configuration failure by a single integrator, combined with a targeted attack on the infrastructure, instead means that the protocol worked as designed and that Kelp's security choices, not LayerZero's code, created the opening.
Kelp has yet to publicly respond to LayerZero's account or address why it operated a 1-of-1 verifier setup despite explicit recommendations against it.
Lazarus Group has been linked to the Drift Protocol exploit on April 1 and now to Kelp on April 18, meaning the same North Korean unit has drained over $575 million from DeFi in 18 days via two structurally different attack vectors: social engineering governance signers on Drift and infrastructure RPC poisoning on Kelp.
The group is adapting its playbook faster than DeFi protocols harden their defenses.