- Lazarus Group exploits LayerZero integration to steal $290 million from Kelp DAO
- The attackers compromised servers verifying cross-chain transactions and provided false data to approve fake transfers.
- LayerZero and Kelp DAO dispute blame
The infamous North Korean state-sponsored hacker group Lazarus has done it again. He successfully made off with $290 million in cryptocurrency, after apparently exploiting a decentralized autonomous organization called Kelp DAO through a solution called LayerZero.
Kelp DAO is an organization that has no central management or CEO. All decisions are made collectively by members who hold governance tokens and vote on proposals. It was designed to allow users to earn returns on investments in idle cryptocurrencies.
LayerZero Labs, on the other hand, builds infrastructure that allows different blockchains to communicate with each other. It is a vital part of the Web3 ecosystem, as different currencies operate on isolated networks. The DAO used LayerZero as a “messaging layer” between different blockchains.
Article continues below.
shifting the blame
Lazarus Group apparently tricked the system by taking control of some of the servers used to verify transactions between blockchains. They then made the fake transactions look real by feeding fake data into the system and forcing it to trust the compromised servers, allowing them to steal the funds.
After the incident, LayerZero turned to X to explain what happened. In a detailed report that you can read here, it essentially said that attackers exploited the Kelp DAO setup.
“We have conducted a thorough review of the active integrations in the LayerZero protocol. We can confidently confirm that there is no contagion to any other assets or applications,” LayerZero said. “This incident was completely isolated to KelpDAO’s rsETH configuration as a direct consequence of its single DVN configuration.”
Kelp DAO, on the other hand, disagreed with the characterization that the incident was solely a result of its setup.
While the two organizations apportion blame, Lazarus celebrates another successful heist. For years, the organization has exploited vulnerable Web3 projects, bridges, and DAOs to steal funds and finance North Korea’s state apparatus and weapons programs.
Through TechCrunch
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
