LayerZero Releases Survey Report: Analysis of the Direct Cause and Process of KelpDAO Being Hacked


Source: LayerZero; Compilation: Golden Finance Claw

KelpDAO Attack Incident Statement

On April 18, 2026, KelpDAO was attacked, resulting in a loss of approximately $290 million. Preliminary indications suggest that this attack originated from a highly sophisticated state-sponsored hacking organization, most likely North Korea’s Lazarus Group (specifically the TraderTraitor branch). The incident was limited to KelpDAO’s rsETH configuration, and the direct cause was its use of a single DVN (Decentralized Validation Network) setup. Other cross-chain assets or applications are not at risk of contagion.

This highly complex attack targeted the downstream RPC (Remote Procedure Call) infrastructure used by the LayerZero Labs DVN. All affected RPC nodes have since been deprecated and replaced, and the LayerZero Labs DVN is back online.

We share these details to help the community better understand and defend against this emerging state-supported attack vector.

Background: LayerZero’s Modular Security Architecture

The LayerZero protocol is built on a modular, application-configurable security foundation. Decentralized Validation Networks (DVNs) are independent entities responsible for verifying the integrity of cross-chain messages. Crucially, the protocol does not mandate a single security configuration. Instead, it authorizes each application and asset issuer to define their own security posture, including which DVNs they rely on, how they combine them, and what redundancy thresholds they set.

Industry best practice—and also LayerZero’s clear recommendation to all integrators—is to configure multiple DVNs with diversity and redundancy, so that no single DVN serves as the exclusive point of trust or the single point of failure.

Scope and Contagion: Limited to rsETH

We have conducted a comprehensive review of activities integrated into the LayerZero protocol. We can confidently confirm that there is no risk of contagion to any other assets or applications. The incident was entirely isolated to KelpDAO’s single DVN setup, specifically its rsETH configuration.

The affected application is rsETH issued by KelpDAO. At the time of the incident, its OApp configuration relied on a “1-of-1” DVN setup, with LayerZero Labs as the sole validator—directly violating the multi-DVN redundancy model that LayerZero consistently recommends to all partners. Running a single-point-of-failure setup means there are no independent validators to detect and reject forged messages. LayerZero and other external entities had previously communicated best practices regarding DVN diversification to KelpDAO, but despite these recommendations, KelpDAO chose to keep the 1-of-1 DVN configuration.

Had a reasonable hardening been adopted, the attack would have required consensus across multiple independent DVNs; with any single DVN compromised, the forged messages would still have been rejected and the attack would have failed.
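To make the point about DVN redundancy concrete, here is an added toy model (example code written for this page, not LayerZero’s or KelpDAO’s code) of how an application’s DVN configuration decides whether a cross-chain message is accepted. One DVN is compromised in the sense described in this report: it has been fed false source-chain data and therefore attests to a forged message, while honest DVNs attest only to messages they actually observed. The class and function names (`DvnConfig`, `Dvn`, `verify_message`, `is_single_point_of_failure`), the DVN labels, and the required/optional-threshold shape of the configuration are all constructed for this example.

```python
"""Toy model of application-level DVN verification (added example, not LayerZero code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Message:
    src_chain: str
    nonce: int
    payload: bytes

    def digest(self) -> bytes:
        # Identity of the message as a DVN would see it on the source chain.
        header = f"{self.src_chain}:{self.nonce}:".encode()
        return hashlib.sha256(header + self.payload).digest()


@dataclass(frozen=True)
class DvnConfig:
    """Constructed config shape: every required DVN must attest, plus at least
    `optional_threshold` DVNs out of the optional pool."""
    required: FrozenSet[str]
    optional: FrozenSet[str] = frozenset()
    optional_threshold: int = 0

    def __post_init__(self) -> None:
        if self.optional_threshold > len(self.optional):
            raise ValueError("optional_threshold exceeds the optional DVN pool")
        if not self.required and self.optional_threshold == 0:
            raise ValueError("configuration demands no attestation at all")

    def min_attesters(self) -> int:
        return len(self.required) + self.optional_threshold


def is_single_point_of_failure(cfg: DvnConfig) -> bool:
    """A 1-of-1 configuration: one DVN on its own can pass any message."""
    return cfg.min_attesters() == 1


class Dvn:
    def __init__(self, name: str, observed: Set[bytes], compromised: bool = False) -> None:
        self.name = name
        self.observed = observed        # digests actually seen on the source chain
        self.compromised = compromised  # fed poisoned chain data: attests to anything

    def attest(self, msg: Message) -> bool:
        if self.compromised:
            return True
        return msg.digest() in self.observed


def verify_message(cfg: DvnConfig, dvns: Dict[str, Dvn], msg: Message) -> bool:
    """Accept the message only if the configured attestation policy is met."""
    attesting = {name for name, dvn in dvns.items() if dvn.attest(msg)}
    if not cfg.required <= attesting:
        return False
    return len(cfg.optional & attesting) >= cfg.optional_threshold


def build_scenario() -> Tuple[Message, Message, Dict[str, Dvn], Dict[str, DvnConfig]]:
    """Constructed scenario: one legitimate message, one forged message that never
    happened on the source chain, one compromised DVN and two honest ones."""
    legit = Message("source-chain", 1, b"credit 10 units to alice")
    forged = Message("source-chain", 2, b"credit 1000000 units to mallory")
    seen = {legit.digest()}
    dvns = {
        "labs_dvn": Dvn("labs_dvn", seen, compromised=True),
        "dvn_b": Dvn("dvn_b", seen),
        "dvn_c": Dvn("dvn_c", seen),
    }
    configs = {
        "one_of_one": DvnConfig(required=frozenset({"labs_dvn"})),
        "two_required": DvnConfig(required=frozenset({"labs_dvn", "dvn_b"})),
        "required_plus_one_optional": DvnConfig(
            required=frozenset({"labs_dvn"}),
            optional=frozenset({"dvn_b", "dvn_c"}),
            optional_threshold=1,
        ),
    }
    return legit, forged, dvns, configs


def run_scenario() -> Dict[str, Dict[str, bool]]:
    """Evaluate every configuration against both messages."""
    legit, forged, dvns, configs = build_scenario()
    return {
        name: {
            "spof": is_single_point_of_failure(cfg),
            "legit": verify_message(cfg, dvns, legit),
            "forged": verify_message(cfg, dvns, forged),
        }
        for name, cfg in configs.items()
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:28s} {result}")
```

Only the 1-of-1 configuration lets the forged message through; every configuration needing two independent attesters rejects it while still accepting the legitimate one. `is_single_point_of_failure` is the kind of check an operator could run over integrator configurations to find the 1-of-1 setups the migration step below is about.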

Incident Details

On April 18, 2026, LayerZero Labs’ DVN became the target of a highly sophisticated attack. The attacker compromised the downstream RPC infrastructure, tampering with or “poisoning” the quorum of RPC nodes that the DVN relies on to validate transactions. This was not achieved through protocol vulnerabilities, DVN flaws, or key management issues.

Instead, the attacker obtained the list of RPCs used by our DVN, compromised two independent nodes, and replaced the op-geth binaries running on them. Because of our “least privilege” principle, they could not breach the actual DVN instances. They instead used the compromised nodes as a springboard for an RPC spoofing attack:

  • The malicious nodes sent forged responses to the DVN using custom payloads.

  • These nodes lied to the DVN but reported truthful information to any other IP address (including our scanning services and internal monitoring infrastructure). This carefully designed split prevented security monitoring from detecting anomalies.

  • After completing the attack, the malicious nodes self-destructed: they disabled their RPCs and deleted the malicious binaries and related logs.

Additionally, the attacker launched DDoS attacks on unaffected RPCs, triggering system failover to poisoned RPC nodes. As a result, LayerZero Labs’ DVN instances confirmed transactions that never actually occurred.
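The two verifier behaviours at the heart of this section, failing over to whichever RPC node still answers versus requiring a quorum of independent nodes to agree, can be shown side by side. The following is an added example written for this page (not LayerZero’s DVN code) that simulates the failure mode described above: replaced nodes fabricate a receipt only when the verifier asks, answer everyone else truthfully, and the healthy nodes are unreachable so a failover verifier lands on the poisoned ones. The node names, transaction hashes, receipts and the `VERIFIER`/`monitor` caller labels are all constructed; `naive_confirm` and `quorum_confirm` are hypothetical names for the two verifier strategies.

```python
"""Toy model of RPC-quorum confirmation in a message verifier (added example, not LayerZero code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VERIFIER = "dvn"  # caller identity that the poisoned nodes lie to

Receipt = Tuple[str, str]  # (block_hash, status)

# Constructed ledger standing in for the real source chain.
TRUE_CHAIN: Dict[str, Receipt] = {"0xaaaa": ("0xblock1", "SUCCESS")}
FORGED_TX = "0xffff"  # a transaction that never happened on chain


@dataclass
class RpcNode:
    name: str
    online: bool = True
    poisoned: bool = False
    fabricated: Dict[str, Receipt] = field(default_factory=dict)

    def get_receipt(self, tx_hash: str, caller: str) -> Optional[Receipt]:
        """Return the receipt, None if the tx is unknown; raise if the node is down."""
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        # A poisoned node fabricates results only for the verifier and answers
        # every other caller (monitoring, scanners) truthfully.
        if self.poisoned and caller == VERIFIER and tx_hash in self.fabricated:
            return self.fabricated[tx_hash]
        return TRUE_CHAIN.get(tx_hash)


def naive_confirm(nodes: List[RpcNode], tx_hash: str, caller: str = VERIFIER) -> str:
    """Failover verifier: trust the first node that answers."""
    for node in nodes:
        try:
            receipt = node.get_receipt(tx_hash, caller)
        except ConnectionError:
            continue  # fail over to the next node in the list
        return "CONFIRMED" if receipt and receipt[1] == "SUCCESS" else "REJECTED"
    return "UNAVAILABLE"


def quorum_confirm(nodes: List[RpcNode], tx_hash: str, quorum: int,
                   caller: str = VERIFIER) -> str:
    """Quorum verifier: confirm only when at least `quorum` independent nodes
    return the identical receipt; otherwise fail closed and do not attest."""
    if quorum <= len(nodes) // 2:
        raise ValueError("quorum must be a strict majority of the configured nodes")
    answers = []
    for node in nodes:
        try:
            answers.append(node.get_receipt(tx_hash, caller))
        except ConnectionError:
            pass  # an unreachable node casts no vote; the quorum is never lowered
    if len(answers) < quorum:
        return "UNAVAILABLE"   # too few independent views: refuse to attest
    tally = Counter(answers)
    if len(tally) > 1:
        return "DISAGREEMENT"  # responding nodes contradict each other: alert, refuse
    receipt = next(iter(tally))
    return "CONFIRMED" if receipt and receipt[1] == "SUCCESS" else "REJECTED"


def build_fleet(honest_online: int) -> List[RpcNode]:
    """Constructed fleet: three honest nodes first in failover order, of which
    `honest_online` are reachable, then two poisoned nodes that fabricate a
    successful receipt for FORGED_TX when the verifier asks."""
    fake = {FORGED_TX: ("0xblock9", "SUCCESS")}
    honest = [RpcNode(f"honest-{i}", online=i <= honest_online) for i in (1, 2, 3)]
    poisoned = [RpcNode(f"poisoned-{i}", poisoned=True, fabricated=fake) for i in (1, 2)]
    return honest + poisoned


if __name__ == "__main__":
    # Honest nodes knocked offline: failover confirms a tx that never happened.
    print("naive, honest offline :", naive_confirm(build_fleet(0), FORGED_TX))
    print("quorum, honest offline:", quorum_confirm(build_fleet(0), FORGED_TX, 3))
    print("quorum, one honest up :", quorum_confirm(build_fleet(1), FORGED_TX, 3))
    print("quorum, real tx       :", quorum_confirm(build_fleet(3), "0xaaaa", 3))
    # Monitoring asks from a different vantage point and sees only the truth.
    print("quorum, monitor view  :", quorum_confirm(build_fleet(3), FORGED_TX, 3, caller="monitor"))
```

With the honest nodes offline, the failover verifier confirms the forged transaction because the only nodes left to answer are the poisoned ones; the quorum verifier returns `UNAVAILABLE` instead, since two responses cannot satisfy a quorum of three, and it never shrinks the quorum to match the nodes that happen to be up. As soon as one honest node is reachable the quorum verifier surfaces a `DISAGREEMENT`, which is the signal monitoring would want to alert on. The `monitor` caller illustrates why an external vantage point alone did not catch this: asked by anyone other than the verifier, the poisoned nodes tell the truth.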

LayerZero Labs’ Security Posture

We operate comprehensive Endpoint Detection and Response (EDR), strict access controls, fully isolated environments, and full system logging. Our DVN runs across both proprietary and external RPC nodes. We are currently in the final stages of a SOC2 audit.

Future Steps

  1. DVN Recovery: LayerZero Labs’ DVN has been restored. Applications using multi-DVN setups can safely resume operations.

  2. Mandatory Migration: We are contacting all applications using a 1/1 DVN configuration to migrate to a multi-DVN redundant setup. LayerZero Labs’ DVN will no longer sign or attest to messages from applications using a 1/1 setup.

  3. Law Enforcement Collaboration: We are working with multiple law enforcement agencies worldwide and supporting industry partners and Seal911 in tracking funds.

Summary

We want to be clear: the LayerZero protocol itself operated exactly as expected throughout the incident. No protocol vulnerabilities were found. Had this been a monolithic or shared security system, the risk of contagion could have extended to every application. The defining feature of LayerZero’s architecture is its modular security, which did its job here—containing the attack entirely within a single application, with zero risk of system-wide contagion.

We remain committed to the security and integrity of the LayerZero ecosystem.
