- Lazarus Group used RPC poisoning and DDoS attacks to forge transactions and drain $292 million.
- KelpDAO ignored LayerZero guidance and used the weakest DVN configuration available: a 1-of-1 setup.
- Schwartz says bridge providers pitch strong security then discourage customers from using it.
The $292 million KelpDAO exploit now has a confirmed attacker, a detailed explanation of how it happened and a verdict on why it was allowed to happen at all.
LayerZero confirmed the attack was carried out by North Korea’s Lazarus Group, specifically the TraderTraitor unit. Ripple CTO Emeritus David Schwartz read the statement and did not mince words.
“The attack was way more sophisticated than I expected,” Schwartz wrote. “Aimed at LayerZero infrastructure, taking advantage of KelpDAO laziness.”
How the Attack Actually Worked
The Lazarus Group did not exploit a flaw in the LayerZero protocol itself. Instead, they targeted the RPC infrastructure the LayerZero DVN relied on to read the source chain and verify transactions.
The attackers compromised two independent RPC nodes, replaced their binaries with malicious versions, and engineered those nodes to serve forged transaction data exclusively to the DVN while returning accurate data to every other observer, including LayerZero’s own monitoring systems.
To complete the attack, they simultaneously DDoS’d the uncompromised nodes, forcing the DVN to fail over to the poisoned infrastructure. The malicious setup self-destructed after the drain, automatically deleting its local logs and configurations.
The entire operation ran between 10:20am and 11:40am PT. By the end, 116,500 rsETH worth $292 million was gone.
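A model of the failure mode described above, added here as an illustration and not code from LayerZero, KelpDAO or the attackers. Four RPC providers (names are placeholders) back a verifier: two have been replaced with binaries that serve a forged receipt only when the requester identifies as the DVN and the honest receipt to everyone else, and the two honest ones are knocked offline. A verifier that fails over to the first node that answers ends up attesting to forged data while a monitor querying the same node sees nothing wrong; a fail-closed verifier that requires three of the four providers to answer and agree refuses to attest instead. All receipts, node names and requester identities are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data for this example: the canonical receipt for one
# transaction, and the forged receipt the attacker wants the verifier to see.
TX = "0xabc"
CANONICAL = {TX: {"to": "0xbridge", "amount": 1_000}}
FORGED = {TX: {"to": "0xbridge", "amount": 116_500}}


class Unavailable(Exception):
    """The node did not answer (timeout, outage, or DDoS)."""


@dataclass
class RpcNode:
    provider: str
    poisoned: bool = False      # binary swapped for one that lies
    ddosed: bool = False        # flooded so every request times out
    target: str = "dvn"         # the only requester the poisoned binary lies to

    def get_tx(self, tx_hash: str, requester: str) -> dict:
        if self.ddosed:
            raise Unavailable(self.provider)
        # Selective poisoning: forged data goes only to the verifier; every other
        # caller (monitoring, explorers, the attacker's own checks) gets the truth.
        if self.poisoned and requester == self.target:
            return FORGED[tx_hash]
        return CANONICAL[tx_hash]


def verify_failover(nodes, tx_hash, requester="dvn"):
    """Naive verifier: the first node that answers is trusted outright."""
    for node in nodes:
        try:
            return node.get_tx(tx_hash, requester)
        except Unavailable:
            continue
    raise Unavailable("no node answered")


def verify_quorum(nodes, tx_hash, threshold, requester="dvn"):
    """Fail-closed verifier: attest only when at least `threshold` distinct
    providers answered AND every provider that answered agrees.
    Returns None (no attestation) otherwise."""
    answers = {}
    for node in nodes:
        try:
            answers[node.provider] = node.get_tx(tx_hash, requester)
        except Unavailable:
            continue
    if not answers:
        return None
    tally = Counter(tuple(sorted(a.items())) for a in answers.values())
    (receipt, votes), = tally.most_common(1)
    if len(tally) > 1 or votes < threshold:
        return None     # disagreement or too few answers: halt, do not attest
    return dict(receipt)


def _try(fn, *args, **kwargs):
    try:
        return fn(*args, **kwargs)
    except Unavailable:
        return None


def run(nodes):
    return {
        "failover": _try(verify_failover, nodes, TX),
        "quorum_3of4": verify_quorum(nodes, TX, threshold=3),
        # A monitor asking the same nodes from a different identity.
        "monitor": _try(verify_failover, nodes, TX, requester="monitor"),
    }


def normal():
    return run([RpcNode("alpha"), RpcNode("beta"), RpcNode("gamma"), RpcNode("delta")])


def poison_only():
    # Two nodes poisoned, two honest and reachable: failover happens to hit an
    # honest node first, and the quorum verifier halts because providers disagree.
    return run([RpcNode("alpha"), RpcNode("beta"),
                RpcNode("gamma", poisoned=True), RpcNode("delta", poisoned=True)])


def poison_plus_ddos():
    # The pattern described above: honest nodes knocked offline so failover lands
    # on the poisoned ones, while monitoring (a different requester) still sees truth.
    return run([RpcNode("alpha", ddosed=True), RpcNode("beta", ddosed=True),
                RpcNode("gamma", poisoned=True), RpcNode("delta", poisoned=True)])


if __name__ == "__main__":
    for name, fn in [("normal", normal), ("poison_only", poison_only),
                     ("poison_plus_ddos", poison_plus_ddos)]:
        print(name, fn())
```

The point of the second scenario is that poisoning alone is not enough against a failover verifier, which is why the DDoS was part of the attack; the point of the quorum verifier is that it converts the same attack into a liveness failure rather than a forged attestation, at the cost of halting whenever fewer than three providers answer.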
The Choice That Made It Possible
LayerZero’s own guidelines explicitly recommend a multi-DVN configuration requiring consensus across multiple independent verifiers. KelpDAO chose a 1-of-1 setup with LayerZero Labs as the only verifier. Feeding forged data to that single DVN was all the attackers needed; there was no second verifier to disagree.
“LayerZero previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 configuration,” the statement read.
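To see why the DVN configuration decides between a halt and a drain, here is an added example (not LayerZero's code) that models the receive-side rule as this writer understands it from the required/optional DVN fields of LayerZero V2's ULN config: every required DVN must attest to the same payload hash, and at least the optional threshold of optional DVNs must too. DVN names other than LayerZero Labs, and both hashes, are placeholders constructed for the example. The one DVN whose RPC view was poisoned signs the forged hash; the others, reading honest nodes, sign the real one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UlnConfig:
    """Receive-side DVN policy, modelled on the required/optional DVN fields of
    LayerZero V2's ULN config. The semantics here are the writer's reading of
    them, not LayerZero's code."""
    required_dvns: tuple
    optional_dvns: tuple = ()
    optional_threshold: int = 0


def verifiable(cfg: UlnConfig, attestations: dict, payload_hash: str) -> bool:
    """A message is deliverable only if EVERY required DVN attested to this exact
    payload hash and at least `optional_threshold` optional DVNs did too."""
    if any(attestations.get(d) != payload_hash for d in cfg.required_dvns):
        return False
    agreeing = sum(1 for d in cfg.optional_dvns if attestations.get(d) == payload_hash)
    return agreeing >= cfg.optional_threshold


# Three configurations. DVN names other than "LayerZero Labs" are placeholders.
ONE_OF_ONE = UlnConfig(required_dvns=("LayerZero Labs",))
DIVERSIFIED = UlnConfig(required_dvns=("LayerZero Labs", "dvn-b"),
                        optional_dvns=("dvn-c", "dvn-d"), optional_threshold=1)
MAJORITY = UlnConfig(required_dvns=(),
                     optional_dvns=("LayerZero Labs", "dvn-b", "dvn-c"),
                     optional_threshold=2)

REAL_HASH = "0xreal"      # hash of the message actually sent on the source chain
FORGED_HASH = "0xforged"  # hash of the message a poisoned RPC showed one DVN

# Constructed scenario: the LayerZero Labs DVN's RPC view was poisoned, so it
# signs the forged hash; every other DVN reads an honest node and signs the real one.
ATTESTATIONS = {"LayerZero Labs": FORGED_HASH, "dvn-b": REAL_HASH,
                "dvn-c": REAL_HASH, "dvn-d": REAL_HASH}


def outcome(cfg: UlnConfig) -> dict:
    return {"forged_delivered": verifiable(cfg, ATTESTATIONS, FORGED_HASH),
            "real_delivered": verifiable(cfg, ATTESTATIONS, REAL_HASH)}


if __name__ == "__main__":
    print("1-of-1:", outcome(ONE_OF_ONE))        # forged message goes through
    print("diversified:", outcome(DIVERSIFIED))  # nothing delivered: halt, not drain
    print("majority:", outcome(MAJORITY))        # real message still flows
```

With the 1-of-1 policy the forged message is deliverable and the real one is not, which is the drain. Adding a second required DVN turns the same poisoned attestation into a stuck message on both hashes: a halt that operators can investigate. An optional-majority policy goes further and keeps legitimate traffic flowing while a single bad attestation is simply outvoted, at the price of trusting that the attacker cannot poison two of the three.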
Schwartz had flagged this exact pattern during his bridge evaluation for RLUSD: bridge providers pitch their strongest security features, then quietly discourage customers from using them in the name of convenience.
The Warning Nobody Wants to Hear
Schwartz added a concern that could rattle DeFi markets further. “I think an across-the-board haircut on rsETH is not unlikely,” he wrote.
Any loss imposed on WETH depositors would cascade across Morpho, Spark, Fluid and Euler simultaneously, potentially damaging the entire liquid restaking sector for years.
LayerZero has confirmed it will no longer sign messages from applications using a 1/1 DVN configuration. Law enforcement across multiple jurisdictions has been notified.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.