LayerZero Releases Investigation Report: Analysis of the Direct Cause and Course of the KelpDAO Hack


Source: LayerZero; Translation: Golden Finance Claw

KelpDAO Attack Incident Statement

On April 18, 2026, KelpDAO suffered an attack with losses of approximately $290 million. Preliminary evidence indicates that the attack originated from a highly sophisticated state-level hacking organization, most likely North Korea’s Lazarus Group (specifically its TraderTraitor branch). The incident was limited solely to KelpDAO’s rsETH configuration, and its direct cause was that configuration’s reliance on a single DVN (Decentralized Verifier Network). There is no risk of contagion to any other cross-chain assets or applications.

This highly sophisticated attack targeted the downstream RPC (Remote Procedure Call) infrastructure that LayerZero Labs’ DVN uses. At present, all affected RPC nodes have been deprecated and replaced, and LayerZero Labs’ DVN is now back online.

We share these details to help the community better understand and defend against this emerging state-sponsored attack vector.

Background: LayerZero’s Modular Security Architecture

The LayerZero protocol is built on a modular, application-configurable security foundation. Decentralized Validation Networks (DVNs) are independent entities responsible for verifying the integrity of cross-chain messages. A crucial point is that the protocol does not mandate a single security configuration. Instead, it authorizes each application and asset issuer to define its own security posture, including which DVNs they rely on, how they combine them, and what redundancy thresholds they set.

Industry best practice, and the approach LayerZero explicitly recommends to all integrators, is to configure multiple DVNs for diversity and redundancy, so that no single DVN is a unilateral trust point or a single point of failure.

Scope and Contagion: Limited to rsETH

We conducted a comprehensive review of the active integrations on the LayerZero protocol. We can confirm with confidence that there is no risk of contagion to any other assets or applications. The incident was entirely isolated to KelpDAO’s single DVN setup, specifically its rsETH configuration.

The affected application is rsETH, issued by KelpDAO. At the time of the incident, its OApp configuration relied on a “1-of-1” DVN setup with LayerZero Labs as the sole verifier, directly contrary to the multi-DVN redundancy model that LayerZero consistently recommends to all partners. A single-point-of-failure configuration leaves no independent verifier to detect and reject forged messages. LayerZero and other external parties had previously communicated DVN-diversification best practices to KelpDAO; despite these recommendations, KelpDAO chose to keep a 1/1 DVN configuration.

Had a reasonably hardened configuration been in place, the attack would have required consensus across multiple independent DVNs; compromising any single DVN would not have been enough, and the attack would have failed.

Event Details

On April 18, 2026, LayerZero Labs’ DVN became the target of a highly sophisticated attack. The attacker compromised, or “poisoned”, the downstream RPC infrastructure, breaking the quorum of RPCs that the DVN relies on to validate transactions. This was not achieved through a protocol vulnerability, through the DVN itself, or through a key-management weakness.

Instead, the attacker obtained the list of RPCs used by our DVN, compromised two independent nodes, and replaced the binaries running the op-geth nodes. Because of our “least privilege” principle, they were unable to compromise the DVN instances themselves. They instead used the compromised nodes as a stepping stone for an RPC spoofing attack:

  • The malicious nodes used custom payloads to send forged messages to the DVN.

  • Each node lied to the DVN but reported truthful data to every other IP address (including our scanning services and internal monitoring infrastructure). This carefully designed behaviour was intended to keep security monitoring from detecting the anomaly.

  • Once the attack was complete, the malicious nodes self-destructed: they disabled the RPC and deleted the malicious binaries and related logs.

In addition, the attacker launched DDoS attacks against the RPCs that had not been compromised, triggering failover to the poisoned RPC nodes. As a result, LayerZero Labs’ DVN instances confirmed transactions that had never actually occurred.
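The two failure modes described above, the single-DVN OApp configuration and the poisoned RPC quorum with DDoS-triggered failover, can be put side by side in a small simulation. The following is an added example written for this page; it is not LayerZero or KelpDAO code, and the quorum rule, the primary/fallback failover behaviour, the node names (`labs-dvn`, `second-dvn`, `rpc-*`) and the message identifiers are all constructed assumptions for the model. It shows that a poisoned node which lies only to the DVN it targets is invisible to monitoring that polls from another address, that a 1-of-1 configuration delivers the forged message once failover lands on the poisoned nodes, that requiring a second independent DVN rejects it, and how re-verifying attested messages against an RPC set the DVN does not use would flag the discrepancy.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: one message that really was emitted on the source
# chain and one forged message that never occurred there.
REAL_MSG = "msg-real-constructed"
FORGED_MSG = "msg-forged-constructed"
SOURCE_CHAIN_EVENTS = {REAL_MSG}


@dataclass
class RpcNode:
    """An RPC node the DVN queries. A poisoned node (replaced binary) answers
    'yes' to the DVN it targets but truthfully to every other requester, which
    is why ordinary monitoring that polls the same node sees nothing wrong."""
    name: str
    poisoned: bool = False
    online: bool = True          # False models the node being knocked out by DDoS
    target_dvn: str = ""

    def has_message(self, msg_id: str, requester: str) -> bool | None:
        if not self.online:
            return None          # unreachable: the DVN must fail over
        if self.poisoned and requester == self.target_dvn:
            return True          # forged confirmation, served only to the DVN
        return msg_id in SOURCE_CHAIN_EVENTS


@dataclass
class Dvn:
    """Simplified DVN: needs `quorum` reachable RPCs answering 'yes'. If the
    primary set cannot supply a quorum it fails over to the fallback list
    (assumed behaviour for this model, not LayerZero's implementation)."""
    name: str
    primary: list[RpcNode]
    fallback: list[RpcNode]
    quorum: int = 2

    def _collect(self, nodes: list[RpcNode], msg_id: str) -> list[bool]:
        answers = [n.has_message(msg_id, requester=self.name) for n in nodes]
        return [a for a in answers if a is not None]

    def verify(self, msg_id: str) -> bool:
        answers = self._collect(self.primary, msg_id)
        if len(answers) < self.quorum:
            answers += self._collect(self.fallback, msg_id)
        if len(answers) < self.quorum:
            return False         # cannot reach quorum: fail closed
        return sum(answers) >= self.quorum


def build_network(ddos: bool) -> tuple[Dvn, Dvn, list[RpcNode]]:
    """labs-dvn lists three honest RPCs plus two the attacker poisoned.
    second-dvn is an independent DVN with its own, untouched RPC set."""
    honest = [RpcNode(f"rpc-{c}", online=not ddos) for c in "abc"]
    poisoned = [RpcNode(f"rpc-{c}", poisoned=True, target_dvn="labs-dvn") for c in "pq"]
    labs = Dvn("labs-dvn", primary=honest, fallback=poisoned)
    second = Dvn("second-dvn", primary=[RpcNode(f"rpc-{c}") for c in "xyz"], fallback=[])
    return labs, second, honest + poisoned


def delivered(msg_id: str, required_dvns: list[Dvn]) -> bool:
    """OApp delivery rule: every required DVN must attest (X-of-X)."""
    return all(dvn.verify(msg_id) for dvn in required_dvns)


def run(ddos: bool, multi_dvn: bool) -> dict[str, bool]:
    """Deliver the real and the forged message under a given configuration."""
    labs, second, _ = build_network(ddos)
    required = [labs, second] if multi_dvn else [labs]
    return {"forged": delivered(FORGED_MSG, required),
            "real": delivered(REAL_MSG, required)}


def monitor_sees_confirmation(nodes: list[RpcNode], msg_id: str) -> bool:
    """Monitoring that polls the DVN's own RPCs from its own address is told
    the truth by poisoned nodes, so it never sees the forged confirmation."""
    return any(n.has_message(msg_id, requester="monitor") for n in nodes if n.online)


def audit_attestations(attested: set[str], independent_nodes: list[RpcNode],
                       quorum: int = 2) -> list[str]:
    """Defender-side check: re-verify every attested message against an RPC set
    the DVN does not use and flag messages an independent quorum cannot see."""
    auditor = Dvn("auditor", primary=independent_nodes, fallback=[], quorum=quorum)
    return sorted(m for m in attested if not auditor.verify(m))


if __name__ == "__main__":
    for ddos, multi in [(False, False), (True, False), (True, True)]:
        print(f"ddos={ddos} multi_dvn={multi}: {run(ddos, multi)}")
    labs, second, nodes = build_network(ddos=True)
    print("monitor sees forged confirmation:", monitor_sees_confirmation(nodes, FORGED_MSG))
    print("audit flags:", audit_attestations({REAL_MSG, FORGED_MSG}, second.primary))
```

The interesting row is `ddos=True multi_dvn=False`: the honest RPCs are unreachable, the quorum is filled entirely by the two poisoned nodes, and the forged message is delivered, while the same network with a second required DVN rejects it because that DVN's own RPCs never saw the message. The audit function is the cheap mitigation the model suggests for operators who cannot yet change the OApp configuration: attestations that an independent RPC quorum cannot reproduce are worth an alert even when per-node polling looks clean.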

LayerZero Labs’ Security Posture

We operate comprehensive Endpoint Detection and Response (EDR), strict access controls, fully isolated environments, and full-system logging. Our DVN runs across both proprietary and external RPC nodes. We are currently in the final stages of a SOC 2 audit.

The Road Ahead

  1. DVN Recovery: LayerZero Labs’ DVN has been restored. Applications using multiple DVNs can safely resume operations.

  2. Mandatory Migration: We are contacting all applications using a 1/1 DVN configuration and requiring them to migrate to multi-DVN redundancy setups. LayerZero Labs’ DVN will no longer sign or attest to messages for any application using a 1/1 configuration.

  3. Law Enforcement Collaboration: We are working with multiple law enforcement agencies worldwide, and supporting industry partners and Seal911 to track funds.

Summary

We want to make one point clear: the LayerZero protocol itself operated entirely as expected throughout the incident. No protocol vulnerabilities were found. Under a monolithic or shared security model, the contagion risk could have extended to every application. The defining characteristic of LayerZero’s architecture is modular security, which in this case did exactly what it was designed to do: it isolated the attack entirely within a single application, with zero risk of system-wide contagion.

We will continue to stay committed to the security and integrity of the LayerZero ecosystem.
