$290M KelpDAO Hack SHOCK: LayerZero Points to Fatal DVN Flaw, Lazarus Suspected

Key Takeaways:

• KelpDAO was exploited to the tune of approximately $290M in a targeted attack involving a more advanced attacker, most likely a Lazarus Group.
• The attack took advantage of a single-DVN configuration, which poses a critical point of failure.
• LayerZero assures zero impact on other apps, and the incident is completely segregated.

The cross-chain security has been questioned by a large-scale DeFi exploit due to the KelpDAO becoming a victim of one of the highest exploits in 2026. LayerZero has published a breakdown that describes the core issue and refutes the allegations of a protocol-level weakness.

KelpDAO Exploit Breakdown

On April 18, an attack on the rsETH system of KelpDAO cost the organization about $290 million. LayerZero indicates that there was no exploit of smart contract bugs or key leakage.

Rather, attackers targeted infrastructure, namely RPC nodes of the verifier system of LayerZero.

They hacked into select RPC endpoints and overwrote their binaries with malicious applications. These nodes passed on incorrect transaction information to the verifier, but they still reported regular information elsewhere, hence covering up this attack in real time.

Attackers put down an RPC node in healthy condition using DDoS attack to accomplish the operation. This manoeuvre compelled the system to switch to the compromised nodes, losing the validity of real cross-chain messages and accepting the fake ones.

Read More: $7.6M DeFi Exploit Rocks Rhea Finance as Hackers Manipulate Pools in Hours

Single DVN Setup Created the Weak Point

The server problem was rooted in KelpDAO’s decision on how the server should be configured.

Why the Setup Failed

The system depends on a single verification (1-of-1 DVN) without a backup layer or independent verification. Due to the lack of redundancy and no scheme to identify or check fake data, manipulated information is still acceptable as legitimate.

LayerZero emphasized that it has consistently recommended a multi-DVN model. Under that setup, multiple independent verifiers must agree before a transaction is accepted.

Advanced Tactics Linked to Lazarus

The attack shows a new level of sophistication. LayerZero attributes it to a state-backed group, likely North Korea’s Lazarus (TraderTraitor unit). Techniques used include:

• RPC data poisoning with selective responses
• Coordinated DDoS to trigger failover
• Self-destructing malware to erase evidence

Such techniques enabled the attackers to evade surveillance mechanisms and instead perform unfazed during the period of exploitation.

Immediate Actions Taken

Requirements are now being tight in the LayerZero ecosystem:

• It will no longer support single-DVN configurations
• Projects are being encouraged to switch to multi-DVN designs
• Law enforcement agencies are involved in the investigation
• Ongoing monitoring activities to reclaim stolen amounts

A change in attack patterns was evident in the incident. Rather than cracking code, attackers are going after infrastructure and poorly configured areas, which despite often being neglected, are equally of high priority.

Read More: Resolv Burns 46M USR After $80M Exploit, Wipes Out Illicit Supply in Major Recovery Push