$292M KelpDAO Exploit: LayerZero Tightens Security After North Korea-Linked Attack

LayerZero details $292M KelpDAO exploit and tightens bridge security

LayerZero Labs has published a report on the recent attack on the KelpDAO bridge. Approximately $292 million worth of rsETH was stolen after attackers compromised the infrastructure behind the verifier that LayerZero Labs operates for cross-chain messages. The incident has led LayerZero to change how it treats configurations that rely on a single verifier.

Summary

  • LayerZero said KelpDAO was exploited for about $292 million, roughly 116,500 rsETH, in an attack isolated to rsETH’s single-DVN (1/1) setup.
  • The company said preliminary indicators point to the North Korea-linked TraderTraitor activity cluster and described the exploit as an infrastructure compromise rather than a protocol flaw.
  • LayerZero said it will stop signing messages for applications using 1/1 DVN configurations and is pushing affected integrators toward multi-DVN redundancy.

As a crypto investor, I’ve been following the recent KelpDAO exploit closely. LayerZero Labs has released details, and it looks like around $292 million worth of rsETH – about 116,500 units – was stolen. Apparently, the attackers didn’t directly hack KelpDAO itself, but instead compromised systems connected to how KelpDAO verifies transactions across different blockchains. It’s a bit unsettling to see these attacks targeting the infrastructure *around* projects, rather than the core code itself.

The company said the problem was confined to KelpDAO’s rsETH deployment, because that application was configured with a single verifier, LayerZero Labs’ own DVN, in a 1/1 setup. LayerZero Labs says this went against its own guidance, which is to require multiple independent DVNs so that no single verifier’s compromise can authorize a message.

LayerZero stated that no other cross-chain assets or applications were affected. Its modular security model, in which each application sets its own verifier requirements, limited the impact to the one application whose DVN configuration was at fault.

How the attack worked

LayerZero’s report says the April 18, 2026 attack targeted the infrastructure supporting LayerZero Labs’ DVN, not a weakness in the LayerZero protocol, the DVN’s keys, or the DVN software itself.

According to the report, the attackers first obtained a list of the internal processes that LayerZero Labs’ Distributed Validation Network (DVN) relies on. They then compromised two hosts on separate networks, replaced legitimate software on some nodes with their own, and used that foothold to feed forged chain data into the verification pipeline. The attackers also took care that internal monitoring still received correct data, which hid the tampering.

To make the forged data take effect, the attackers also flooded the legitimate servers with traffic. With the healthy nodes unresponsive, the DVN failed over to the compromised ones, and LayerZero Labs’ verifier attested to transactions that had never occurred on the source chain.

Investigators describe the intrusion as a conventional infrastructure compromise rather than a smart-contract exploit. Chainalysis assessed the attackers as associated with the Lazarus Group, specifically the activity cluster tracked as TraderTraitor, and found no flaw in the code itself. Instead, the attackers manipulated cross-chain messages by attacking the off-chain systems that process them, overloading some and poisoning others, and the forgery succeeded because verification rested on a single DVN.

Security changes

LayerZero responded by taking the compromised servers offline and replacing them, bringing its DVN back online, and notifying law enforcement and industry partners. It is also working with Seal911 to trace the stolen funds.

Crucially, the company is changing how it handles risky configurations. LayerZero announced that its DVN will no longer sign or verify messages for applications that use a 1/1 configuration, that is, a single required DVN with no second verifier. The change is meant to prevent a repeat of the KelpDAO incident.

LayerZero says it has been contacting projects currently running single-DVN configurations and encouraging them to move to multi-DVN setups with built-in redundancy. This is an acknowledgment that leaving verifier configuration entirely to integrators, without guardrails, proved too risky in practice.
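To make the two points above concrete, the failover poisoning described under "How the attack worked" and the difference between a 1/1 and a multi-DVN requirement, here is an added Python model. It is not LayerZero's code and not taken from its report; the source names, message ids, payloads, the "naive failover" policy and the "fail closed" quorum rule are all assumptions made for this illustration. An endpoint accepts a message only if every required DVN attests the same payload hash, and each DVN derives its attestation from the RPC sources it reads.

```python
"""Toy model of DVN-based cross-chain message verification.

Constructed example, not LayerZero's code or data. An endpoint accepts a
message only if every required DVN attests the same payload hash, and each
DVN derives its attestation from the RPC sources it reads.
"""
import hashlib
from dataclasses import dataclass


def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


# Constructed message ids and payloads for the scenario.
REAL = "msg-real"        # a transfer that actually happened on the source chain
FORGED = "msg-forged"    # never happened; exists only on the poisoned node
REAL_PAYLOAD = b"send 1 rsETH to bob"
FORGED_PAYLOAD = b"send 116500 rsETH to attacker"
REAL_HASH = payload_hash(REAL_PAYLOAD)
FORGED_HASH = payload_hash(FORGED_PAYLOAD)


@dataclass
class Source:
    """One RPC node a DVN reads chain data from (hypothetical)."""
    name: str
    chain: dict       # message_id -> payload bytes this node reports
    up: bool = True   # False models a node knocked offline by traffic flooding

    def lookup(self, message_id: str):
        """Hash of the payload this node reports, or None if no such message."""
        payload = self.chain.get(message_id)
        return payload_hash(payload) if payload is not None else None


@dataclass
class DVN:
    name: str
    sources: list
    fail_closed: bool = False   # require agreement across independent sources
    min_sources: int = 2

    def attest(self, message_id: str):
        """Return the payload hash this DVN is willing to sign, or None."""
        reachable = [s for s in self.sources if s.up]
        if not reachable:
            return None
        if not self.fail_closed:
            # Naive failover: ask the first node that still answers and trust it.
            # Flood the honest nodes and the poisoned one becomes the oracle.
            return reachable[0].lookup(message_id)
        # Fail closed: too few live sources, or any disagreement, means no signature.
        if len(reachable) < self.min_sources:
            return None
        answers = {s.lookup(message_id) for s in reachable}
        return answers.pop() if len(answers) == 1 else None


def endpoint_verifies(message_id: str, claimed_hash: str, required_dvns: list) -> bool:
    """Endpoint-side rule: every required DVN must attest the claimed hash."""
    return bool(required_dvns) and all(
        d.attest(message_id) == claimed_hash for d in required_dvns
    )


def run(honest_nodes_up: bool) -> dict:
    """Replay the scenario with the honest RPC nodes up (normal) or flooded."""
    real_chain = {REAL: REAL_PAYLOAD}
    honest = [Source("rpc-a", real_chain, up=honest_nodes_up),
              Source("rpc-b", real_chain, up=honest_nodes_up)]
    poisoned = Source("rpc-c", {**real_chain, FORGED: FORGED_PAYLOAD})
    # Same compromised source set, two DVN policies.
    naive = DVN("dvn-naive", honest + [poisoned])
    hardened = DVN("dvn-fail-closed", honest + [poisoned], fail_closed=True)
    # A second verifier with its own, untouched, infrastructure.
    independent = DVN("dvn-independent",
                      [Source("rpc-x", real_chain), Source("rpc-y", real_chain)],
                      fail_closed=True)
    return {
        "1of1_naive_forged": endpoint_verifies(FORGED, FORGED_HASH, [naive]),
        "1of1_fail_closed_forged": endpoint_verifies(FORGED, FORGED_HASH, [hardened]),
        "1of1_fail_closed_real": endpoint_verifies(REAL, REAL_HASH, [hardened]),
        "2of2_forged": endpoint_verifies(FORGED, FORGED_HASH, [naive, independent]),
        "2of2_real": endpoint_verifies(REAL, REAL_HASH, [naive, independent]),
    }


if __name__ == "__main__":
    for up in (True, False):
        print("honest nodes up" if up else "honest nodes flooded", run(up))
```

With the honest nodes flooded, the naive 1/1 setup accepts the forged transfer; the same compromised DVN in a 2-of-2 requirement cannot, because the independent verifier never sees the message. The fail-closed DVN pays for its safety in availability: when it cannot reach a quorum of sources it refuses to attest the real transfer too (`1of1_fail_closed_real` is False in the flooded case), which is the right trade for a verifier that can authorize nine-figure moves.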

Attribution has firmed up. Chainalysis traced the attack to the Lazarus Group, a North Korea-linked hacking organization, and specifically to the activity cluster it tracks as TraderTraitor. Nexus Mutual reported that the forged message drained $292 million from KelpDAO’s bridge in under 46 minutes, one of the largest DeFi losses so far this year.

This incident repeats a harsh but familiar lesson for cross-chain systems: secure on-chain code is not enough if the off-chain components that feed it can be compromised. LayerZero’s position is that the $292 million theft reflects a critical mistake, relying on a single verifier, rather than a failure of its modular security model itself.

2026-05-20 16:35