TLDR
- A sophisticated attack on April 18 drained $292 million worth of rsETH tokens from Kelp DAO’s LayerZero-based bridge infrastructure
- The stolen 116,500 rsETH tokens were leveraged as collateral on Aave v3, allowing attackers to extract wrapped Ether
- Kelp DAO alleges LayerZero gave approval for the single-verifier architecture that facilitated the breach
- LayerZero rejects these accusations, asserting Kelp independently changed its configuration from multi-DVN to a 1-of-1 setup
- Kelp DAO has initiated migration of rsETH to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) infrastructure
DeFi platform Kelp DAO suffered a catastrophic security breach on April 18, resulting in the theft of approximately $292 million when malicious actors exploited its LayerZero-integrated bridge to extract 116,500 rsETH tokens.
Following the initial theft, the perpetrators deployed the stolen tokens as collateral within Aave v3’s lending protocol, enabling them to secure loans in wrapped Ether. Before Kelp could freeze its smart contracts, two additional fraudulent transactions exceeding $100 million were successfully executed.
LayerZero attributed the attack to North Korea’s notorious Lazarus Group. According to reports, the threat actors obtained access to the roster of RPC nodes utilized by the LayerZero Labs DVN, successfully infiltrated two of them, and replaced the legitimate software with malicious code.
Subsequently, they orchestrated a distributed denial-of-service (DDoS) attack targeting the uncompromised nodes, effectively redirecting network traffic to their controlled infrastructure. The hijacked DVN then validated fraudulent transactions that never legitimately occurred on the blockchain.
The security incident has triggered an escalating public confrontation between Kelp DAO and LayerZero regarding accountability for the exploited vulnerability.
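As an added illustration (not code from LayerZero, Kelp DAO or the original article), the example below contrasts a verifier that trusts the first RPC node to answer with one that requires a fixed majority of its configured nodes to agree, so that knocking honest nodes offline halts attestation instead of handing the decision to the compromised ones. All endpoint names, digests and function names are hypothetical, and nothing here describes how the LayerZero Labs DVN is actually implemented.

```python
from collections import Counter

class QuorumError(Exception):
    """Too few independent endpoints agree: the caller must not attest."""

def naive_failover(tx_hash, endpoints):
    """Weak pattern: trust whichever endpoint answers first."""
    for fetch in endpoints.values():
        try:
            return fetch(tx_hash)
        except OSError:
            continue  # node unreachable, fall through to the next one
    raise QuorumError("no endpoint reachable")

def quorum_read(tx_hash, endpoints, quorum):
    """Return the digest reported by at least `quorum` endpoints, else raise.

    The quorum is fixed against the configured set, so taking honest nodes
    offline can only stop attestation, never shrink the votes required.
    """
    if quorum <= len(endpoints) // 2:
        raise ValueError("quorum must be a strict majority of configured endpoints")
    votes = Counter()
    for fetch in endpoints.values():
        try:
            digest = fetch(tx_hash)
        except OSError:
            continue  # unreachable node casts no vote
        if digest is not None:  # None means "not found on chain"
            votes[digest] += 1
    for digest, count in votes.most_common(1):
        if count >= quorum:
            return digest
    raise QuorumError(f"votes {dict(votes)} do not reach quorum {quorum}")

# Constructed scenario: three honest nodes offline, two compromised nodes lying.
def down(tx_hash):
    raise ConnectionError("timed out")

def ddos_scenario():
    lie = lambda tx_hash: "forged-digest"
    return {"rpc-a": down, "rpc-b": down, "rpc-c": down, "rpc-d": lie, "rpc-e": lie}

# Constructed scenario: all five nodes healthy and reading the same chain state.
def healthy_scenario():
    chain = {"0xabc": "real-digest"}
    return {name: chain.get for name in ("rpc-a", "rpc-b", "rpc-c", "rpc-d", "rpc-e")}
```

With five configured endpoints and a quorum of three, the two lying nodes in the constructed DDoS scenario cannot reach the threshold on their own, while the first-responder version returns their forged digest.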
The DVN Configuration Dispute
In its April 19 incident analysis, LayerZero attributed the exploit to Kelp’s bridge operating with a single decentralized verifier network (DVN) instead of multiple independent verification sources. LayerZero said this configuration “directly contradicts” its security recommendations.
Kelp DAO issued a strong rebuttal on Tuesday. The protocol published a detailed statement asserting that LayerZero representatives had examined its configuration over 2.5 years and eight separate integration consultations without ever identifying the single-verifier architecture as a potential security vulnerability.
Kelp provided screenshots of Telegram conversations purportedly demonstrating a LayerZero team member reviewing the configuration without raising concerns. CoinDesk has not been able to authenticate these screenshots independently.
Kelp additionally cited Dune Analytics data indicating that 47% of approximately 2,665 active LayerZero smart contracts employed the identical 1-of-1 DVN configuration during a 90-day period concluding around April 22. These contracts collectively represented over $4.5 billion in aggregate market capitalization.
A cybersecurity specialist named Sujith Somraaj, who previously conducted audits for LayerZero, claimed he had filed a bug bounty submission detailing the identical attack methodology prior to the actual breach. According to Somraaj, LayerZero dismissed his findings.
LayerZero Denies the Claims
LayerZero’s Chief Executive Officer Bryan Pellegrino responded on X, characterizing numerous assertions made by Kelp as “just completely untrue.”
Pellegrino maintained that Kelp initially deployed the recommended multi-DVN default configuration but subsequently executed a manual modification to a 1-of-1 arrangement. He indicated that comprehensive post-incident reports from independent security organizations would be released imminently.
In an official statement, a LayerZero representative emphasized that protocol defaults throughout nearly all integration pathways utilize multi-DVN configurations. The spokesperson clarified that when 1-of-1 appears in template code, it references a “DeadDVN” designed to block messages and compel developers to implement proper configurations before production deployment.
LayerZero further declared it would cease signing messages for any application operating with a 1-of-1 configuration, a policy immediately enforced following the exploit.
Kelp maintains its internal security team initially discovered and reported the vulnerability to LayerZero, contradicting any suggestion that LayerZero identified the issue first.
Kelp DAO is currently transitioning rsETH from LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard through its Cross-Chain Interoperability Protocol. On at least two integrated blockchain networks, Dinari and Skale, the LayerZero Labs DVN continues to function as the sole documented attestor, based on current technical documentation.





