LayerZero blames Kelp’s setup for $290 million exploit, attributes it to North Korea’s Lazarus

LayerZero has blamed the $290 million Kelp DAO breach on Kelp’s own security configuration, saying the liquid recollateralization protocol ran a single-validator setup that LayerZero had previously warned against.

The attack used a novel vector that targeted the infrastructure layer rather than any protocol code.

LayerZero’s initial assessment attributes the attack to North Korea’s Lazarus Group and its TraderTraitor subunit, which compromised two remote procedure call (RPC) nodes used by LayerZero validators to confirm cross-chain transactions.

RPC nodes are servers that allow software to read and write data on the blockchain, and LayerZero’s validators use a mix of internal and external nodes for redundancy.

The attackers replaced the node binary running on two of the nodes with a malicious version designed to tell LayerZero’s validators that a fraudulent transaction had occurred, while continuing to report accurate data to every other system querying those same nodes.

The purpose of this selective lying was to make the attack invisible to LayerZero’s own monitoring infrastructure, which queries the same RPCs from different IP addresses.

Compromising two nodes was not enough on its own. LayerZero’s validator also queries uncompromised external RPC nodes, so the attackers launched a distributed denial-of-service (DDoS) attack against those nodes to force a failover to the poisoned ones.

Traffic logs shared by LayerZero show the DDoS running between 10:20 and 11:40 a.m. Pacific time on Saturday. Once the failover was triggered, the compromised node told the validators that a valid cross-chain message had arrived, and Kelp’s bridge released 116,500 rsETH to the attacker. The malicious node software then self-destructed, wiping its binaries and local logs.


The attack worked because Kelp ran a 1-of-1 validator configuration, meaning LayerZero Labs was the only entity validating messages entering and leaving the rsETH bridge.

LayerZero’s public integration guidance and its direct communications with Kelp recommend a redundant multi-validator setup, in which consensus from several independent validators is required to confirm a message. In that configuration, poisoning a single validator’s data source is not sufficient to forge valid messages.

“KelpDAO has chosen to use a 1/1 DVN configuration,” LayerZero wrote, using the protocol’s decentralized validator network terminology. “A properly hardened configuration requires consensus among multiple independent DVNs, making this attack ineffective even if any single DVN is compromised.”
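To make the two configurations concrete, here is an added toy model (not LayerZero’s or Kelp’s code; node names and message ids are constructed). A DVN confirms a message by asking its RPC pool whether the source-chain event exists; the failover path trusts whichever node answers first, the cross-checked path refuses unless several reachable nodes agree, and the bridge only releases when a threshold of DVNs attests.

```python
from dataclasses import dataclass

REAL_MSG = "msg-real"      # constructed: really emitted on the source chain
FORGED_MSG = "msg-forged"  # constructed: exists only in the poisoned node's answers

@dataclass
class RpcNode:
    name: str
    claims: set           # message ids this node reports as confirmed on chain
    online: bool = True   # False while the node is knocked offline by the DDoS
    def has_event(self, msg_id: str) -> bool:
        if not self.online:
            raise ConnectionError(self.name)
        return msg_id in self.claims

@dataclass
class Dvn:
    name: str
    rpcs: list            # ordered pool: primary first, failover targets after
    def verify_failover(self, msg_id: str) -> bool:
        """Risky pattern: trust whichever RPC answers first."""
        for rpc in self.rpcs:
            try:
                return rpc.has_event(msg_id)
            except ConnectionError:
                continue
        return False
    def verify_cross_checked(self, msg_id: str, min_sources: int = 2) -> bool:
        """Hardened: require min_sources reachable nodes that all agree, else refuse."""
        answers = []
        for rpc in self.rpcs:
            try:
                answers.append(rpc.has_event(msg_id))
            except ConnectionError:
                continue
        return len(answers) >= min_sources and all(answers)

def bridge_releases(dvns, threshold, msg_id, cross_check=False) -> bool:
    """The bridge delivers when at least `threshold` DVNs attest to the message."""
    votes = [d.verify_cross_checked(msg_id) if cross_check else d.verify_failover(msg_id) for d in dvns]
    return sum(votes) >= threshold

def kelp_like_scenario(ddos, required_dvns, cross_check=False, msg_id=FORGED_MSG) -> bool:
    """True if msg_id is released: 1 DVN = 1-of-1 setup, 2 DVNs = 2-of-2 quorum."""
    honest = RpcNode("external-rpc", {REAL_MSG}, online=not ddos)
    poisoned = RpcNode("poisoned-rpc", {REAL_MSG, FORGED_MSG})  # lies only to the validator
    labs = Dvn("labs-dvn", [honest, poisoned])
    independent = Dvn("other-dvn", [RpcNode("other-provider-rpc", {REAL_MSG})])
    return bridge_releases([labs, independent][:required_dvns], required_dvns, msg_id, cross_check)
```

With the DDoS active, the 1-of-1 failover path releases the forged message, while either a second independent DVN or a per-DVN cross-check across independent RPC providers refuses it; genuine messages still pass in every configuration.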

LayerZero said it has confirmed that no other application on the protocol was affected. Every OFT standard token and application running a multi-validator setup is unaffected.

The LayerZero Labs validator is back online, and the company says it will no longer sign messages for any application running a 1-of-1 configuration, forcing a protocol-wide migration away from single-validator setups.

The architectural distinction is critical to how DeFi prices LayerZero’s future risks.

A protocol-level flaw would mean every OFT token on every chain is potentially at risk. A configuration failure at a single integrator, combined with a targeted infrastructure attack, means instead that the protocol worked as designed and that Kelp’s security choices, not LayerZero’s code, created the vulnerability.

Kelp has yet to publicly respond to LayerZero’s account of the incident or to explain why it ran a 1-of-1 validator setup despite clear recommendations against it.

Lazarus Group was linked to the Drift protocol exploit on April 1 and now to Kelp on April 18, meaning the same North Korean unit stole over $575 million from DeFi in 18 days via two structurally different attack vectors: social engineering of Drift’s governance signers and RPC poisoning of Kelp’s validation infrastructure.


The group is adapting its strategies faster than DeFi protocols can harden their defenses.
