Add TechGaged as your preferred source on Google

See more TechGaged stories across Google News and Discover.

Add

A $290 million exploit hit Kelp DAO after attackers manipulated LayerZero’s verification process, and early attribution points to North Korea’s Lazarus Group. The attack tricked a verifier into approving a fake cross-chain transaction that released roughly 116,500 rsETH. The fallout spread quickly across decentralized finance (DeFi).

Attack targeted infrastructure, not protocol

In an X post on April 20, LayerZero said the exploit didn’t come from a bug in its protocol but from how Kelp DAO configured its security. The rsETH bridge relied on a 1-of-1 Decentralized Verifier Network (DVN) setup, which means a single verifier had full authority to approve transactions. That created a critical weak point and enabled the subsequent bridge hack.

According to LayerZero, attackers compromised two RPC nodes used by its verifier and replaced their software with malicious versions. These nodes selectively fed false data to the verifier and continued to report normal data to monitoring systems, which effectively hid the attack. 

To complete the exploit, attackers launched a DDoS attack on healthy nodes, forcing the system to fall back on the poisoned ones. Once the failover occurred, the verifier confirmed a transaction that never actually happened. Funds were released, and the malicious software erased itself without a trace. 

LayerZero said this type of RPC poisoning represents a new class of attack vector that the industry needs to take seriously.

DeFi impact spreads as risks become clearer

In the aftermath of the attack, Aave (AAVE) froze rsETH markets, total DeFi value locked dropped roughly 7% to $86.3 billion, and around $10 billion flowed out of protocols as users reacted. Several projects paused LayerZero integrations as a precaution, even though the company said there was no contagion beyond Kelp DAO’s setup.

As it happens, LayerZero has long recommended multi-verifier configurations, where multiple independent DVNs must agree before a transaction is approved. In that model, compromising a single verifier wouldn’t be enough to execute an attack, unlike what happened in this case.

This incident effectively turns that recommendation into a hard line. LayerZero said it will no longer support applications running 1-of-1 configurations, which will force projects toward redundancy.

All things considered, this exploit exposed a survivability threshold in DeFi design. Protocols with single points of failure are now easy targets, especially for state-level actors like Lazarus, linked to multiple large-scale exploits this month. In short, DeFi just got a stress test, and not every protocol passed.