LayerZero releases details on the $292M KelpDAO exploit and strengthens bridge security

About 6 days ago

LayerZero Labs Incident Report: KelpDAO Bridge Attack

Approximately $292 million in rsETH was stolen following a sophisticated attack on KelpDAO’s bridge infrastructure. The LayerZero Labs incident report reveals that attackers compromised the RPC infrastructure used by the verification network and exploited a single-signer configuration that directly contradicted LayerZero’s own security recommendations.

Attack Details and Vulnerability

The KelpDAO exploit resulted in the theft of approximately 116,500 rsETH, valued at roughly $292 million. The vulnerability stemmed from KelpDAO’s reliance on a 1-of-1 DVN configuration with LayerZero Labs as the sole verifier—a design choice that LayerZero explicitly warned against.

LayerZero stated that the incident was limited to the rsETH setup because the application depended on this single-signer configuration, and the protocol’s modular security architecture contained the blast radius to this specific application-level failure.

According to LayerZero’s analysis, the April 18, 2026 attack targeted RPC infrastructure rather than the LayerZero protocol itself, key management systems, or DVN software. The attackers:

  • Gained access to the list of RPCs used by the DVN
  • Compromised two nodes operating in separate clusters
  • Replaced binaries in op-geth nodes with malicious versions
  • Served forged transaction data to the verifier while returning truthful data to other endpoints and internal monitoring services
  • Launched DDoS attacks on uncompromised RPC endpoints to trigger failover to poisoned nodes

This allowed the LayerZero Labs DVN to confirm transactions that never actually occurred.

Attribution and Forensic Analysis

External forensic investigations corroborated LayerZero’s findings. Chainalysis linked the attack to North Korea’s Lazarus Group, specifically the TraderTraitor threat actor. Notably, the attackers did not exploit a smart contract vulnerability; instead, they forged cross-chain messages by poisoning internal RPC nodes and overwhelming external ones in the single-point-of-failure verification setup.

Nexus Mutual reported that the forged message drained $292 million from KelpDAO’s bridge in less than 46 minutes, making it one of the largest DeFi losses of 2026.

Immediate Response and Policy Changes

LayerZero’s immediate actions included:

  • Deprecating and replacing all affected RPC nodes
  • Restoring the LayerZero Labs DVN to operation
  • Engaging law enforcement agencies
  • Collaborating with industry partners and Seal911 to track stolen funds

More significantly, LayerZero implemented a critical policy shift. The DVN will “no longer sign or attest to messages from any applications using 1/1 configurations.” This represents a direct enforcement of security best practices that were previously only recommendations.

The company also reached out to projects still operating under 1/1 configurations, urging them to migrate to multi-DVN models with redundancy. The outreach reflects an acknowledgment that configuration flexibility without enforced safety guardrails proved too permissive in practice.
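
A minimal model of the failure described above, added here as an illustration and not taken from LayerZero's or KelpDAO's code: a DVN that fails over to the first reachable RPC attests to forged data, which a 1-of-1 configuration accepts and a 2-of-3 configuration rejects. The DVN names, message ids, payloads and every helper function are constructed assumptions.

```python
import hashlib

class RpcDown(Exception):
    """Constructed stand-in for an RPC endpoint that is unreachable."""

def digest(payload):
    return hashlib.sha256(payload).hexdigest()

def rpc(view, up=True):
    """Build a simulated RPC endpoint serving `view` (msg_id -> payload)."""
    def fetch(msg_id):
        if not up:
            raise RpcDown(msg_id)
        return view.get(msg_id)
    return fetch

def dvn_attest(endpoints, msg_id):
    """Model DVN: attest to the first reachable endpoint's answer (plain failover)."""
    for fetch in endpoints:
        try:
            payload = fetch(msg_id)
        except RpcDown:
            continue
        return digest(payload) if payload is not None else None
    return None  # nothing reachable, so no attestation

def is_one_of_one(config):
    """Flag the single-signer setup a DVN can refuse to attest for."""
    return len(config["dvns"]) == 1 and config["threshold"] == 1

def verify(config, dvn_endpoints, msg_id, claimed):
    """Accept only if at least `threshold` configured DVNs attest to `claimed`."""
    want = digest(claimed)
    votes = sum(dvn_attest(dvn_endpoints[d], msg_id) == want for d in config["dvns"])
    return votes >= config["threshold"]

# Constructed data: CHAIN is what really happened; POISONED adds a forged message.
CHAIN = {"msg-real": b"release 1 rsETH"}
POISONED = {**CHAIN, "msg-forged": b"release 116500 rsETH"}
FORGED = POISONED["msg-forged"]
DVN_ENDPOINTS = {
    "labs": [rpc(CHAIN, up=False), rpc(POISONED)],  # honest node down, poisoned node up
    "dvn_b": [rpc(CHAIN)],  # independent RPC infrastructure
    "dvn_c": [rpc(CHAIN)],
}
ONE_OF_ONE = {"dvns": ["labs"], "threshold": 1}
TWO_OF_THREE = {"dvns": ["labs", "dvn_b", "dvn_c"], "threshold": 2}

if __name__ == "__main__":
    for name, cfg in (("1/1", ONE_OF_ONE), ("2/3", TWO_OF_THREE)):
        print(name, "accepts forged message:", verify(cfg, DVN_ENDPOINTS, "msg-forged", FORGED))
```

The 2-of-3 result holds only because `dvn_b` and `dvn_c` read from RPC endpoints the poisoned nodes do not serve; DVNs that share one RPC pool would fail together.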

Key Lessons

The attack demonstrates a fundamental principle of cross-chain infrastructure: smart contracts can remain intact and protocols can still fail in practice if the off-chain trust layer is sufficiently weak.

LayerZero emphasizes that the true lesson from this $292 million bridge theft is not that modular security failed, but rather that permitting single-signer setups was the fundamental mistake. The incident underscores the critical importance of enforced redundancy and diversified verification mechanisms in cross-chain architecture.