LayerZero Labs has detailed the April 18 exploit that drained approximately $292 million from KelpDAO’s rsETH bridge, attributing the loss to compromised RPC infrastructure and a single-point-of-failure security setup.
"The incident was limited to KelpDAO’s rsETH setup because the application relied on a 1-of-1 DVN configuration with LayerZero Labs as the sole verifier," LayerZero said in its post-mortem report, noting this contradicted its standing security recommendations.
The attackers stole roughly 116,500 rsETH by poisoning two RPC nodes to feed forged transaction data to the verifier. They simultaneously launched a DDoS attack on other nodes, forcing a failover to the compromised infrastructure and allowing the confirmation of fraudulent withdrawals that had never occurred on the source chain.
The exploit, one of the largest in 2026, has forced LayerZero to end support for single-verifier configurations, pushing all integrated projects toward multi-signature models to prevent similar infrastructure-level attacks from creating protocol-level losses. Forensic analysis from firms including Chainalysis has linked the attack to the North Korea-affiliated Lazarus Group, specifically the TraderTraitor subgroup.
In its report, LayerZero stressed that the attack was an infrastructure compromise rather than a flaw in its core protocol, smart contracts, or DVN software. The attackers gained access to the list of RPCs used by the LayerZero Labs DVN, compromised two nodes, and replaced binaries with malicious code. This allowed them to pass forged messages to the verifier while returning normal data to monitoring services, effectively cloaking the attack as it happened.
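One way to keep a forced failover from narrowing a verifier's view to tampered nodes is to require agreement from a strict majority of all configured RPC providers and to refuse to confirm when too few are reachable. The sketch below is an added example, not LayerZero's or KelpDAO's code; the provider names, hashes and function names are hypothetical and the data is constructed.

```python
from collections import Counter

# Constructed sample data: provider names and hashes are illustrative only.
HONEST = "0xaaa1"  # digest of what the source chain actually recorded
FORGED = "0xbad0"  # digest served by a tampered node

# Outage: three providers unreachable (None), the two tampered ones still answer.
OUTAGE = {"rpc-a": None, "rpc-b": None, "rpc-c": None, "rpc-d": FORGED, "rpc-e": FORGED}
# Same two tampered providers while the honest ones are reachable.
NORMAL = {"rpc-a": HONEST, "rpc-b": HONEST, "rpc-c": HONEST, "rpc-d": FORGED, "rpc-e": FORGED}

def naive_failover(responses):
    """Failure mode: trust whichever provider answers first."""
    for value in responses.values():
        if value is not None:
            return value
    return None

def quorum_confirm(responses, quorum):
    """Return (value, reason); value is None when the check fails closed.

    The quorum is counted against ALL configured providers, so unreachable
    providers count against confirmation instead of shrinking the set that
    has to agree.
    """
    total = len(responses)
    if quorum * 2 <= total:
        raise ValueError("quorum must be a strict majority of configured providers")
    answers = [v for v in responses.values() if v is not None]
    if not answers:
        return None, "no providers reachable"
    value, votes = Counter(answers).most_common(1)[0]
    if votes < quorum:
        return None, f"only {votes}/{total} providers agree, need {quorum}"
    if votes < len(answers):
        return value, "confirmed, but dissenting providers need investigation"
    return value, "confirmed"

if __name__ == "__main__":
    print(naive_failover(OUTAGE))     # accepts the forged digest
    print(quorum_confirm(OUTAGE, 3))  # fails closed during the outage
    print(quorum_confirm(NORMAL, 3))  # honest majority wins, dissent is flagged
```

Because the tampered nodes returned normal data to monitoring services, a comparison like this only helps if it runs in the verifier's own read path rather than in a separate monitor.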
The company’s immediate response included deprecating all affected RPC nodes and contacting law enforcement. More significantly, LayerZero has enacted a major policy shift, stating its DVN “will not sign or attest messages from any applications that utilize a 1/1 configuration.” The firm is now actively migrating projects away from these single-point-of-failure setups toward redundant, multi-verifier models.
This incident is part of a larger trend of exploits targeting the off-chain and centralized components of DeFi protocols. A similar attack occurred on May 19, when Echo Protocol lost approximately $816,000 after a compromised admin key allowed an attacker to mint unauthorized eBTC on its Monad deployment. Misha Putiatin, co-founder of security firm Statemind, noted that as DeFi becomes more dependent on off-chain infrastructure, the industry is seeing a rise in "Web2.5 style attacks" targeting key management and operational infrastructure.
The KelpDAO hack stands as one of the year's most significant, surpassing the $285 million exploit of Drift Protocol in April. It serves as a stark reminder that even with secure smart contracts, a protocol's security is only as strong as its weakest off-chain link. LayerZero's move to enforce stricter security standards on its users is an admission that permissive configuration options can create systemic risk.