Single-DVN setup enabled a $290M exploit as attackers manipulated RPC nodes and bypassed verification safeguards.
A major security incident drained roughly $290 million from KelpDAO’s rsETH, sending shockwaves across the crypto market. Findings point to a highly coordinated operation, likely linked to Lazarus Group and its subgroup TraderTraitor. LayerZero has now detailed how the breach unfolded, revealing the exact attack path behind the exploit.
LayerZero Confirms No Protocol Breach in Exploit
Decentralized platform LayerZero has disclosed new details about the attack that led to the $290 million exploit of KelpDAO’s rsETH on April 18, 2026. Early findings point to a highly coordinated operation linked to North Korea’s Lazarus Group, specifically its TraderTraitor unit.
While the incident raised concerns across the cross-chain sector, LayerZero stressed that damage remained contained. No other assets or applications on the protocol were affected.
According to LayerZero, attackers did not breach the protocol itself or its core infrastructure. Instead, they targeted the downstream RPC systems used by the LayerZero Labs Decentralized Verifier Network (DVN).
By compromising two independent RPC nodes, the attackers replaced key binaries and introduced malicious behavior designed to mislead verification processes.
Access to the DVN’s RPC list allowed attackers to execute a precise spoofing strategy. Their modified nodes sent forged transaction data exclusively to the DVN while presenting accurate data to all other observers.
Because of this, internal monitoring tools detected no inconsistencies during the attack window. Once the malicious activity ended, the altered nodes erased their traces by deleting logs and disabling the compromised systems.
Even with that access, attackers still had to get around the system’s backups. They launched a DDoS attack on the healthy RPC nodes, knocking them offline. That forced the DVN to switch to the compromised nodes. As a result, it approved transactions that never actually happened on-chain.
Law Enforcement Joins Probe Into $290M KelpDAO Exploit
LayerZero clarified that its DVN infrastructure follows a trust-minimized model, combining internal and external RPC providers. However, the rsETH application operated by KelpDAO relied on a single DVN configuration. That setup created a single point of failure, allowing the forged message to pass without independent verification.
Industry guidance from LayerZero has consistently advised integrators to adopt multi-DVN configurations. Such setups require consensus across several independent verifiers, reducing the risk of any single compromised component. In this case, the absence of redundancy meant no additional DVN could challenge the falsified data.
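The failover to compromised RPC nodes and the single-DVN gap described above can be modeled in a few lines. The following is an added example, not LayerZero or KelpDAO code: a simplified verifier that fixes its RPC quorum against the configured endpoint set (so it fails closed when healthy nodes go offline) and an all-of-N rule across independent verifiers. Endpoint names, verifier names, hashes and the five-endpoint layout are constructed assumptions.

```python
# Added example: constructed model, not LayerZero or KelpDAO code.
from collections import Counter
from typing import Optional

def rpc_quorum(observations: dict[str, Optional[str]], quorum: int) -> Optional[str]:
    """Return the payload hash reported by at least `quorum` configured endpoints.

    `observations` maps every configured endpoint to the hash it reported, or
    None if it was unreachable. The quorum is fixed against the configured set,
    so endpoints knocked offline remove votes instead of lowering the bar:
    the verifier fails closed rather than failing over to whatever is left.
    """
    if quorum <= len(observations) // 2:
        raise ValueError("quorum must be a strict majority of configured endpoints")
    counts = Counter(h for h in observations.values() if h is not None)
    if not counts:
        return None
    value, votes = counts.most_common(1)[0]
    return value if votes >= quorum else None

def message_verified(attestations: dict[str, Optional[str]], required: set[str]) -> bool:
    """Accept a message only if every required verifier attested to the same
    payload hash. A missing or dissenting verifier blocks the message."""
    hashes = {attestations.get(v) for v in required}
    return len(hashes) == 1 and None not in hashes

# Constructed sample data (illustrative hashes and names).
REAL, FORGED = "0xaaa", "0xbbb"
# Article scenario: two endpoints serve forged data, the healthy ones are offline.
under_attack = {"rpc-a": FORGED, "rpc-b": FORGED, "rpc-c": None, "rpc-d": None, "rpc-e": None}
healthy = {"rpc-a": REAL, "rpc-b": REAL, "rpc-c": REAL, "rpc-d": REAL, "rpc-e": None}

if __name__ == "__main__":
    print("under attack:", rpc_quorum(under_attack, quorum=3))   # no attestation
    print("healthy:", rpc_quorum(healthy, quorum=3))
    print("single verifier:", message_verified({"dvn-1": FORGED}, {"dvn-1"}))
    print("two verifiers:", message_verified({"dvn-1": FORGED, "dvn-2": REAL}, {"dvn-1", "dvn-2"}))
```

With one required verifier, a single forged attestation is accepted; with two, the dissenting or absent second verifier blocks it.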
Despite the scale of the exploit, LayerZero confirmed zero contagion across its ecosystem. A full review of integrations showed that all other applications remained unaffected. Modular security design played a key role in limiting the incident to KelpDAO’s rsETH deployment.
In addition, the report describes LayerZero’s internal security measures. Systems operate under strict access controls, device-level monitoring, and segmented environments.
External security vendors support ongoing oversight, while the company nears completion of its SOC 2 audit. These controls prevented attackers from accessing the DVN itself, restricting the breach to RPC-level manipulation.
Following the incident, all affected RPC nodes have been replaced, and the LayerZero Labs DVN is fully operational again. The company has also taken a firm stance against single-DVN configurations. Applications using such setups will no longer receive verification support moving forward.
Law enforcement agencies across multiple jurisdictions are now involved in the investigation. LayerZero is working alongside partners and security groups, including Seal911, to trace and recover stolen funds.


