LayerZero Labs has now publicly addressed the $290 million KelpDAO exploit, pinning it firmly on a configuration decision made by KelpDAO rather than on an underlying flaw in its own protocol.
This position marks a key phase of the ongoing investigation, shifting culpability from the lower-level infrastructure vendor to the application-layer implementation. LayerZero states that the exploit happened because KelpDAO deployed a 1-of-1 Decentralized Verifier Network (DVN) architecture.
LayerZero claims it had warned against this configuration before: it created a single point of failure that the attackers exploited with surgical precision. By relying on a single verification route instead of a distributed set of independent verifiers, KelpDAO introduced a structural weakness that undercut the usual security tradeoff made by decentralized, blockchain-based protocols. LayerZero emphasized that its protocol is designed to support multi-verifier setups, which greatly reduce the risk of this kind of failure. The distinction matters, because it separates protocol-level security from the choices made by the projects that connect to LayerZero's infrastructure.
Cross-Chain Forgery Made Possible Through an RPC Poisoning Attack
Instead of targeting the smart contracts or a cryptographic vulnerability, the attackers went after the infrastructure layer. The attack has been characterized as RPC poisoning: contaminating the chain data that flows between blockchain nodes and the systems that depend on them.
Specifically, they compromised the Remote Procedure Call (RPC) nodes that KelpDAO's verifier relied on. Those nodes relay the cross-chain transaction data the verifier checks, so once the attackers controlled them they could corrupt the data the verifier saw during verification.
They then escalated to a coordinated DDoS campaign that forced the victim's systems to fail over to malicious RPC endpoints.
After the failover, the corrupted nodes injected fake data into the verification process. The DVN therefore confirmed transactions that never occurred on-chain, which let the attackers forge cross-chain messages and mint rsETH tokens with no legitimate backing.
The attackers effectively siphoned hundreds of millions of dollars out of the system without tripping standard security alarms. LayerZero said no smart contracts were exploited and no private keys were compromised; it reiterated that the vulnerability lay entirely in the ancillary infrastructure.
Highly Coordinated Attack Blamed on Lazarus Group, LayerZero Notes
LayerZero's assessment points to the possible involvement of a subgroup of the Lazarus Group, a cybercrime organization widely tied to North Korea. Attribution remains thin, but the tradecraft fits the group's prior methods: Lazarus has increasingly targeted crypto platforms with infrastructure-based techniques rather than direct contract exploits.
The combined use of RPC poisoning and DDoS points to considerable coordination and technical sophistication.
The association is unproven and still needs verification, but if confirmed it would place the KelpDAO exploit among a rising number of high-profile attacks attributed to state-sponsored groups. It also highlights the growing geopolitical dimension of crypto security, which is now entangled with national interests and cyber warfare.
Involvement of this kind raises the risk profile for the entire DeFi ecosystem: attackers are better resourced and able to carry out complex, multi-layered operations.
Effects Limited To rsETH, No Further Contagion
Despite the enormous size of the exploit, LayerZero added that its consequences extended only to KelpDAO's rsETH asset and did not affect any other application or asset deployed through its protocol. LayerZero cites this containment as evidence of the robustness of its protocol design.
Damage was effectively contained to one asset, so the incident did not become the catalyst for a wider systemic failure across the LayerZero ecosystem. Cross-asset contamination of other projects using the protocol was reportedly not observed. That matters in DeFi, where interdependent protocols can magnify the consequences of a single failure.
The relative lack of contagion suggests that catastrophic design errors, once introduced, tend to stay project-specific and do not put the integrity of the shared infrastructure at large at risk. Still, the episode raises the question of how project-level decisions can cascade risks beyond their immediate scope, especially where they interface with shared infrastructure.
Critical Design Flaw Exposed by the Single Verifier Model
At root, the exploit is a design-level flaw. With a 1-of-1 DVN, only one verification pathway had to be compromised for fraudulent transactions to be validated. By contrast, multi-verifier setups require agreement from several independent verifiers, which makes such attacks orders of magnitude harder. LayerZero reiterated that its architecture "can safely be configured in more strong configurations" and "leverage more sophisticated multi-layer verification mechanisms."
Running on a single verifier can look simpler and cheaper, but it carries major security penalties.
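To make both failure modes concrete, here is an added Python model (not LayerZero's or KelpDAO's code) of the two layers described above: a verifier that only attests to a message when a quorum of allowlisted RPC endpoints agree it exists on-chain, so a DDoS-forced failover to an unknown endpoint buys the attacker nothing, and an application-side config that requires M-of-N independent DVNs. The config field names are assumptions loosely modeled on LayerZero V2's required/optional DVN settings; the endpoint URLs, DVN names and block hashes are constructed fixtures.

```python
"""Added illustration (not LayerZero or KelpDAO code) of two verification layers:
a verifier that needs a quorum of allowlisted RPC endpoints before it attests,
and an application config that needs M-of-N independent verifiers (DVNs).
Endpoint URLs, DVN names and hashes below are constructed for the example."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RpcAnswer:
    """What one RPC endpoint reports for a cross-chain message's source transaction.
    block_hash is None when the endpoint says the transaction does not exist."""
    endpoint: str
    block_hash: Optional[str]
    reachable: bool = True  # False models an endpoint knocked offline (e.g. by DDoS)


def rpc_quorum(answers, allowlist, quorum):
    """Return the block hash that at least `quorum` allowlisted, reachable endpoints
    agree on, or None (fail closed). An endpoint that is not on the allowlist is ignored
    even if it answers, so a DDoS-triggered failover to an unknown endpoint yields no
    trust; losing honest endpoints only shrinks the vote count."""
    votes = Counter(
        a.block_hash for a in answers if a.reachable and a.endpoint in allowlist
    )
    if not votes:
        return None
    block_hash, count = votes.most_common(1)[0]
    return block_hash if block_hash is not None and count >= quorum else None


def dvn_attests(answers, allowlist, quorum):
    """A DVN attests to a message only when its RPC quorum confirms it on chain."""
    return rpc_quorum(answers, allowlist, quorum) is not None


@dataclass(frozen=True)
class UlnConfig:
    """Simplified model of a ULN-style receive config (field names are assumptions
    modeled on LayerZero V2's required/optional DVN fields): every required DVN
    must verify, and at least optional_threshold of the optional DVNs must verify."""
    required_dvns: tuple
    optional_dvns: tuple = ()
    optional_threshold: int = 0


def message_verified(cfg, attestations):
    """attestations: DVN name -> whether that DVN attested to this message."""
    required_ok = all(attestations.get(d, False) for d in cfg.required_dvns)
    optional_votes = sum(attestations.get(d, False) for d in cfg.optional_dvns)
    return required_ok and optional_votes >= cfg.optional_threshold


# Constructed fixtures.
HONEST_RPC = ("https://rpc-a.example", "https://rpc-b.example", "https://rpc-c.example")
EVIL_RPC = "https://rpc-failover.attacker.example"  # attacker-controlled failover target
REAL_BLOCK = "0x" + "11" * 32  # block containing a genuine source transaction
FAKE_BLOCK = "0x" + "ab" * 32  # block hash the poisoned endpoint invents

WEAK = UlnConfig(required_dvns=("dvn-solo",))  # 1-of-1: one verifier decides everything
HARDENED = UlnConfig(required_dvns=("dvn-1", "dvn-2"),  # 2 required DVNs ...
                     optional_dvns=("dvn-3", "dvn-4"), optional_threshold=1)  # ... plus 1 of 2


def scenario_weak_poisoned():
    """1-of-1 DVN on a single RPC: DDoS knocks the honest endpoint out, the client
    fails over to whatever answers, and the forged receipt gets verified."""
    answers = [RpcAnswer(HONEST_RPC[0], None, reachable=False),
               RpcAnswer(EVIL_RPC, FAKE_BLOCK)]
    attested = dvn_attests(answers, allowlist={HONEST_RPC[0], EVIL_RPC}, quorum=1)
    return message_verified(WEAK, {"dvn-solo": attested})


def scenario_hardened_poisoned():
    """Same forged message against an allowlisted 2-of-3 RPC quorum per DVN and a
    2-required + 1-of-2-optional DVN config, with one DVN compromised outright."""
    answers = [RpcAnswer(HONEST_RPC[0], None, reachable=False),  # DDoSed
               RpcAnswer(HONEST_RPC[1], None),                   # honest: no such tx
               RpcAnswer(HONEST_RPC[2], None),
               RpcAnswer(EVIL_RPC, FAKE_BLOCK)]                  # not allowlisted
    honest_dvn = dvn_attests(answers, allowlist=set(HONEST_RPC), quorum=2)
    attestations = {"dvn-1": honest_dvn, "dvn-2": True,  # dvn-2 is attacker-controlled
                    "dvn-3": honest_dvn, "dvn-4": honest_dvn}
    return message_verified(HARDENED, attestations)


def scenario_hardened_genuine():
    """A real message still clears the hardened path even with one endpoint down."""
    answers = [RpcAnswer(HONEST_RPC[0], REAL_BLOCK, reachable=False),
               RpcAnswer(HONEST_RPC[1], REAL_BLOCK),
               RpcAnswer(HONEST_RPC[2], REAL_BLOCK)]
    ok = dvn_attests(answers, allowlist=set(HONEST_RPC), quorum=2)
    return message_verified(HARDENED, {"dvn-1": ok, "dvn-2": ok, "dvn-3": ok, "dvn-4": False})


if __name__ == "__main__":
    print("weak config verifies forged message:", scenario_weak_poisoned())          # True
    print("hardened config verifies forged message:", scenario_hardened_poisoned())  # False
    print("hardened config verifies genuine message:", scenario_hardened_genuine())  # True
```

Run it directly to see the weak 1-of-1 path accept the forged message while the hardened path rejects it and still passes a genuine one. The property that matters is that both layers fail closed: losing endpoints to DDoS reduces the vote count instead of redirecting trust to whatever answers next, and a single compromised DVN cannot satisfy a config that needs two required verifiers plus an optional one.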
That trade-off now sits at the center of industry discussion. In a space where many DeFi protocols are balancing performance against decentralization, the KelpDAO incident confirms a well-known truth: there is no cheap way to design security. The case also underscores the cost of ignoring best practices and explicit warnings, especially for high-value asset management or cross-chain operations.
LayerZero Recovery Work And Industry Lessons For The Future
After the exploit, the compromised RPC nodes were replaced, and LayerZero Labs confirmed that its own DVN infrastructure remained fully operational. These steps aim not only to bring the system and its data back online but also to prevent any further breach.
But the incident's effects stretch well beyond recovery. It underscores the need for stricter security measures around node infrastructure, failover procedures and verification.
For developers, the lesson is unambiguous: security is not limited to the smart contract layer. Everything in between, from RPC endpoints and their live monitoring to validator configuration, has to be designed and maintained with the same care.
The KelpDAO exploit marks an important turning point in DeFi security at almost every level of the industry. As adversaries grow more sophisticated, so must defenses, with mitigations at both the technical and the operational level.
In the end, it comes back to an immutable law of decentralized systems: your resilience is that of your weakest link. Here, that link was not the protocol but its implementation.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Source: https://nulltx.com/layerzero-blames-kelpdao-for-290-million-hack-citing-possible-links-with-dprks-lazarus-group/