LayerZero placed blame for the $290 million Kelp DAO exploit on Kelp’s own security setup, saying Kelp’s liquid restaking protocol was running a single-verifier configuration that LayerZero had previously warned against.
The attack used a new vector targeting the infrastructure layer rather than any protocol code.
The attackers, whom LayerZero attributed with preliminary confidence to North Korea’s Lazarus Group and its TraderTraitor subunit, compromised two of the remote procedure call (RPC) nodes that LayerZero’s verifier relied on to confirm cross-chain transactions.
RPC nodes are the servers that allow software to read and write data to a blockchain, and LayerZero’s verifier used a mix of internal and external servers for redundancy.
The attackers replaced the binary software running on two of these nodes with malicious versions designed to tell LayerZero’s verifier that a fraudulent transaction had taken place, while continuing to transmit accurate data to all other systems querying those same nodes.
This selective lie was designed to keep the attack invisible to LayerZero’s own monitoring infrastructure, which queries the same RPCs from different IP addresses.
Compromising two nodes was not enough. LayerZero’s verifier also queried uncompromised external RPC nodes, so the attackers launched a distributed denial of service (DDoS) attack against those to force failover to the poisoned ones.
Traffic logs shared by LayerZero show the DDoS running between 10:20 a.m. and 11:40 a.m. Pacific Time on Saturday. Once failover was triggered, the compromised nodes told the verifier that a valid cross-chain message had arrived, and the Kelp bridge released 116,500 rsETH to the attackers. The malicious node software then self-destructed, erasing its local binaries and logs.
The attack only worked because Kelp was running a 1-of-1 verifier setup, meaning LayerZero Labs was the only entity verifying messages to and from the rsETH bridge.
LayerZero’s public onboarding checklist and direct communications with Kelp had recommended a multi-verifier setup with redundancy, where consensus between multiple independent verifiers would be required to confirm a message. In this configuration, poisoning a verifier’s data stream would not have been enough to forge a valid message.
“KelpDAO has chosen to use a 1/1 DVN configuration,” LayerZero wrote, using the protocol’s term for decentralized verification networks. “A properly hardened configuration would have required consensus across multiple independent DVNs, making this attack ineffective even in the event that a single DVN was compromised.”
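To make the failure mode concrete, the following is a constructed simulation added to this article; it is not LayerZero’s or Kelp’s code, and the node names, IP addresses, transaction hashes and the “fallback nodes are the poisoned ones” ordering are assumptions made for the example. It models the attack described above (poisoned RPC nodes that lie only to the verifier’s source IP while answering the monitoring system honestly, and a DDoS on the honest nodes that forces failover) and then checks the same forged message against a single verifier and against two independent verifiers that must both agree, which is the multi-DVN configuration LayerZero says would have blocked the attack.

```python
"""Constructed simulation of RPC poisoning against a cross-chain verifier.

Added example, not code from LayerZero or Kelp. All identifiers are made up.
"""
from dataclasses import dataclass, field

VERIFIER_IP = "203.0.113.10"   # assumed egress IP of the verifier (DVN)
MONITOR_IP = "203.0.113.20"    # assumed egress IP of the monitoring system

# Constructed chain state: only REAL_TX ever happened on-chain.
REAL_TX = "0xaaaa"
FORGED_TX = "0xbbbb"
CHAIN = {REAL_TX: {"status": "success", "event": "PacketSent"}}
NOT_FOUND = {"status": "not_found"}


@dataclass
class RpcNode:
    name: str
    poisoned: bool = False   # node binary replaced with the attacker's build
    ddosed: bool = False     # unreachable: every query times out
    # Lies the poisoned binary serves, but only when the caller is the verifier.
    forged: dict = field(default_factory=dict)

    def get_receipt(self, tx_hash, caller_ip):
        """Return a receipt dict, or None when the query times out."""
        if self.ddosed:
            return None
        if self.poisoned and caller_ip == VERIFIER_IP and tx_hash in self.forged:
            return self.forged[tx_hash]            # selective lie to the verifier
        return CHAIN.get(tx_hash, NOT_FOUND)       # honest answer to everyone else


def verify_with_failover(nodes, tx_hash, caller_ip=VERIFIER_IP):
    """One verifier with redundant RPCs: trust the first node that answers.

    Redundancy of this kind buys availability, not integrity: whichever node
    survives gets to decide what the verifier believes.
    """
    for node in nodes:
        receipt = node.get_receipt(tx_hash, caller_ip)
        if receipt is not None:
            return receipt["status"] == "success"
    return False   # nobody answered: fail closed rather than guess


def verify_multi_dvn(dvn_node_sets, tx_hash, required):
    """Multi-DVN check: at least `required` independent verifiers, each with
    its own RPC infrastructure, must report the message as valid."""
    votes = [verify_with_failover(nodes, tx_hash) for nodes in dvn_node_sets]
    return sum(votes) >= required


def forged_receipt():
    return {"status": "success", "event": "PacketSent"}


def run_scenario(ddos_primary):
    """Replay the attack with or without the DDoS on the honest primary nodes."""
    primary = [RpcNode("ext-rpc-1"), RpcNode("ext-rpc-2")]          # honest
    fallback = [RpcNode("rpc-3", poisoned=True, forged={FORGED_TX: forged_receipt()}),
                RpcNode("rpc-4", poisoned=True, forged={FORGED_TX: forged_receipt()})]
    for node in primary:
        node.ddosed = ddos_primary
    dvn_a = primary + fallback                      # the compromised verifier
    dvn_b = [RpcNode("b-rpc-1"), RpcNode("b-rpc-2")]  # independent, untouched DVN
    monitor_view = fallback[0].get_receipt(FORGED_TX, MONITOR_IP)
    return {
        "single_dvn_accepts": verify_with_failover(dvn_a, FORGED_TX),
        "multi_dvn_accepts": verify_multi_dvn([dvn_a, dvn_b], FORGED_TX, required=2),
        # Poisoned nodes still relay real data to other callers, so the real
        # transaction verifies and the monitor never sees the forgery.
        "real_tx_accepted": verify_with_failover(dvn_a, REAL_TX),
        "monitor_sees_forgery": monitor_view["status"] == "success",
    }


if __name__ == "__main__":
    for ddos in (False, True):
        print(f"ddos_primary={ddos}: {run_scenario(ddos)}")
```

Without the DDoS the honest primary node answers first and the forged message is rejected; with it, the 1-of-1 verifier fails over to a poisoned node and accepts the forgery while the monitor, querying from a different IP, still sees nothing wrong. The 2-of-2 check rejects it in both runs because the second verifier’s nodes were never touched, which is the point of requiring consensus across independent DVNs.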
LayerZero said it has confirmed no contagion to any other application built on the protocol. No standard OFT token or application running a multi-verifier configuration was affected.
The LayerZero Labs verifier is back online and the company said it will no longer sign messages for applications running a 1-of-1 configuration, forcing a protocol-wide migration away from single-verifier configurations.
The architectural distinction is important for how DeFi assesses the risk of LayerZero going forward.
A bug in the protocol would have meant that every OFT token on every chain was potentially at risk. However, a configuration failure by a single integrator, combined with a targeted attack on the infrastructure, implies that the protocol worked as intended and that Kelp’s security choices, not LayerZero’s code, created the opening.
Kelp has yet to publicly respond to LayerZero’s framing or explain why it was using a 1-of-1 verifier configuration despite explicit recommendations against it.
The Lazarus Group was linked to the Drift Protocol exploit on April 1 and now to Kelp on April 18, meaning the same North Korean unit drained over $575 million from DeFi in 18 days through two structurally different attack vectors: social engineering governance signatories at Drift and infrastructure RPC poisoning at Kelp.
The group is adapting its playbook faster than DeFi protocols are strengthening their defenses.