LayerZero has placed responsibility for the $290 million Kelp DAO exploit on Kelp’s own security configuration, saying the liquid restaking protocol ran a single-verifier setup that LayerZero had previously warned against.
The attack used a new vector targeting the infrastructure layer instead of any protocol code.
The attackers, whom LayerZero tentatively linked to North Korea’s Lazarus Group and its TraderTraitor subunit, compromised two of the remote procedure call (RPC) nodes that LayerZero’s verifier relied on to confirm cross-chain transactions.
RPC nodes are the servers that let software read and write data on a blockchain, and LayerZero’s verifier used a mix of internal and external nodes for redundancy.
The attackers swapped the binary software running on two of those nodes with malicious versions designed to tell LayerZero’s verifier that a fraudulent transaction had occurred, while continuing to report accurate data to all other systems querying the same nodes.
The selective lie was designed to keep the attack invisible to LayerZero’s own monitoring infrastructure, which queries the same RPC nodes from different IP addresses.
Compromising two nodes was not enough. LayerZero’s verifier also queried uncompromised remote RPC nodes, so the attackers ran a distributed denial-of-service attack on them to force failover to the poisoned ones.
Traffic logs shared by LayerZero show the DDoS running between 10:20 and 11:40 Pacific Time on Saturday. When the failover was triggered, the compromised nodes told the verifier that a valid cross-chain message had arrived, and Kelp’s bridge released 116,500 rsETH to the attackers. The malicious node software then self-destructed, deleting binaries and local logs.
The attack only worked because Kelp was running a 1-of-1 verifier configuration, meaning that LayerZero Labs was the only entity verifying messages to and from the rsETH bridge.
LayerZero’s public integration checklist and direct communication to Kelp had recommended a multi-verifier setup with redundancy, where consensus across multiple independent verifiers would be required to verify a message. Under that configuration, poisoning a verifier’s data feed would not have been enough to spoof a valid message.
“KelpDAO chose to use a 1/1 DVN configuration,” LayerZero wrote, using the protocol’s term for decentralized verifier networks. “A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event that a single DVN was compromised.”
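The difference between the two configurations can be shown with a small model. This is an added illustration, not LayerZero's or Kelp's code: the names `VerifierConfig`, `is_verified` and `audit`, the verifier names and the payload are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class VerifierConfig:
    """Hypothetical model of a bridge's verifier set (not LayerZero's API)."""
    verifiers: frozenset  # independent verifiers (DVNs) allowed to attest
    threshold: int        # how many of them must agree on the same message

def message_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def is_verified(cfg: VerifierConfig, attestations: dict, payload: bytes) -> bool:
    """attestations maps verifier name -> hash that verifier says it saw on
    the source chain. Accept only when `threshold` configured verifiers
    attest to exactly this payload; fail closed on a nonsensical threshold."""
    if not 1 <= cfg.threshold <= len(cfg.verifiers):
        return False
    want = message_hash(payload)
    agreeing = {v for v, h in attestations.items()
                if v in cfg.verifiers and h == want}
    return len(agreeing) >= cfg.threshold

def audit(cfg: VerifierConfig) -> list:
    """Findings a reviewer would raise before the bridge goes live."""
    findings = []
    if not 1 <= cfg.threshold <= len(cfg.verifiers):
        findings.append("threshold outside 1..len(verifiers)")
    if len(cfg.verifiers) == 1:
        findings.append("single verifier: one poisoned data feed can forge a message")
    elif cfg.threshold == 1:
        findings.append("threshold 1: any single verifier can approve alone")
    return findings

# Constructed scenario: dvn-a's data feed is poisoned, so it attests to a
# message that never existed; the other verifiers saw nothing and stay silent.
SINGLE = VerifierConfig(frozenset({"dvn-a"}), 1)
MULTI = VerifierConfig(frozenset({"dvn-a", "dvn-b", "dvn-c"}), 2)
FORGED = b"constructed payload: release tokens"
POISONED = {"dvn-a": message_hash(FORGED)}

if __name__ == "__main__":
    for name, cfg in (("1-of-1", SINGLE), ("2-of-3", MULTI)):
        print(name, "accepts forged message:", is_verified(cfg, POISONED, FORGED),
              "| audit:", audit(cfg))
```

Under the 1-of-1 configuration the single poisoned attestation meets the threshold; under 2-of-3 it does not, and the audit flags the single-verifier setup before any message is processed.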
LayerZero said it has confirmed zero contagion to any other application on the protocol. Every OFT standard token and application running multi-verifier setups was unaffected.
The LayerZero Labs verifier is back online, and the company said it will no longer sign messages for any application running a 1-of-1 configuration, forcing a protocol-wide migration from single-verifier setups.
The architectural distinction has implications for how DeFi prices LayerZero risk going forward.
A protocol-level error would have implied that every OFT token on every chain was potentially at risk. However, a configuration error by a single integrator, combined with a targeted infrastructure attack, implies that the protocol worked as designed and that Kelp’s security choices, not LayerZero’s code, created the opening.
Kelp has yet to publicly respond to LayerZero’s framing or address why it ran a 1-of-1 verifier setup despite explicit recommendations against it.
The Lazarus Group has been linked to the Drift Protocol exploit on April 1 and now Kelp on April 18, meaning the same North Korean entity has drained more than $575 million from DeFi in 18 days through two structurally different attack vectors: social engineering of governance signatories at Drift and infrastructure-level poisoning of RPC nodes at Kelp.
The group is adapting its playbook faster than DeFi protocols are hardening their defenses.



