KelpDAO’s $290 million rsETH exploit has moved into a new phase, with LayerZero and Aave now publicly describing how the incident unfolded, why the damage appears contained, and what it could mean for crypto cross-chain security standards in the future.
LayerZero’s central claim is that the exploit was not a flaw in the protocol itself, but rather the result of KelpDAO’s decision to run rsETH with a single DVN configuration. This is important because the latest statements shift the market narrative away from widespread contagion risk among LayerZero’s built-in assets and toward a narrower question: how much risk was concentrated in an application’s security design.
LayerZero Links KelpDAO Crypto Exploit to RPC Attack
In an incident statement on April 20, LayerZero said the April 18 attack targeted KelpDAO’s rsETH configuration and was “completely isolated to KelpDAO’s rsETH configuration as a direct consequence of its single DVN configuration.” The company added that it had conducted “a thorough review of active integrations” and could confirm “with confidence that there is no contagion to any other assets or applications.”
LayerZero framed the episode as a state-linked attack on crypto infrastructure rather than a protocol exploit. According to the statement, “preliminary indicators suggest attribution to a very sophisticated state actor, likely the DPRK’s Lazarus Group, more specifically TraderTraitor.”
It said the attack did not directly compromise the protocol, key management or DVN instances. Instead, the attacker allegedly poisoned the downstream RPC infrastructure used by LayerZero Labs DVN, swapped binaries on compromised op-geth nodes, and then used DDoS pressure on uncompromised RPCs to force failover to the poisoned infrastructure.
That sequence is central to LayerZero’s argument. “Due to our least privilege principles, they were unable to compromise actual DVN instances,” the company wrote. “However, they used this pivot point to execute an RPC spoofing attack. Their malicious node used a custom payload explicitly designed to spoof a message to the DVN with minimal warnings.”
LayerZero said the manipulated node presented false data only to the DVN while returning truthful responses to other IPs, including its own monitoring infrastructure, in what it described as a deliberately stealthy effort to avoid detection.
Still, LayerZero argues that the exploit should have stopped at the application layer if rsETH had not relied on a 1-of-1 verifier configuration. “The affected application was rsETH, issued by KelpDAO,” the statement said. “Their OApp configuration at the time of this incident was based on a 1-of-1 DVN configuration, with LayerZero Labs as the sole verifier, a configuration that directly contradicts the multi-DVN redundancy model that LayerZero has consistently recommended to all integration partners.”
It added that “a properly hardened configuration would have required consensus between multiple independent DVNs, making this attack ineffective even in the event that a single DVN was compromised.”
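The 1-of-1 versus multi-DVN argument above, as an added example that is not LayerZero's or KelpDAO's code: a simplified threshold model (not LayerZero's actual configuration schema) in which each verifier reports the payload hash it saw through its own RPC. The names `VerifierConfig`, `audit`, `accepted_hash` and `verifiers_disagree`, the DVN names and the hash value are all hypothetical or constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Simplified threshold model, NOT LayerZero's real configuration schema.
# All names and values below are hypothetical/constructed for illustration.

@dataclass(frozen=True)
class VerifierConfig:
    dvns: tuple      # verifier names, each assumed to read from its own RPC
    threshold: int   # matching attestations needed to accept a message

def audit(cfg):
    """Flag configurations where one verifier's view is enough to accept."""
    findings = []
    distinct = len(set(cfg.dvns))
    if distinct < 2:
        findings.append("single DVN: no independent verifier")
    if cfg.threshold < 2:
        findings.append("threshold < 2: one poisoned data source suffices")
    if cfg.threshold > distinct:
        findings.append("threshold exceeds DVN count: nothing can verify")
    return findings

def accepted_hash(cfg, attestations):
    """attestations maps DVN name -> payload hash it saw, or None if it saw
    no such packet. Returns the hash reaching the threshold, else None."""
    votes = Counter(h for d, h in attestations.items()
                    if d in cfg.dvns and h is not None)
    winners = [h for h, n in votes.items() if n >= cfg.threshold]
    return winners[0] if len(winners) == 1 else None

def verifiers_disagree(cfg, attestations):
    """Detection signal: configured DVNs do not all report the same view."""
    return len({attestations.get(d) for d in cfg.dvns}) > 1

SPOOFED = "0xSPOOFED_PAYLOAD_HASH"  # constructed placeholder, not a real hash
# dvn-a reads a poisoned RPC; dvn-b and dvn-c read honest RPCs and see nothing.
OBSERVED = {"dvn-a": SPOOFED, "dvn-b": None, "dvn-c": None}

WEAK = VerifierConfig(dvns=("dvn-a",), threshold=1)                    # 1-of-1
HARDENED = VerifierConfig(dvns=("dvn-a", "dvn-b", "dvn-c"), threshold=2)

if __name__ == "__main__":
    for name, cfg in (("1-of-1", WEAK), ("2-of-3", HARDENED)):
        print(name, "accepted:", accepted_hash(cfg, OBSERVED),
              "| disagree:", verifiers_disagree(cfg, OBSERVED),
              "| audit:", audit(cfg))
```

In the 1-of-1 case there is no second view to compare against, so the model accepts the spoofed hash and raises no disagreement signal; the 2-of-3 case rejects it and the mismatch between verifiers becomes something to alert on.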
The company said its DVN is up again, the affected RPC nodes have been deprecated and replaced, and it will no longer sign or certify messages for applications using a 1/1 configuration. It also said it is working with authorities and industry partners, including Seal911, to trace the funds.
Aave said recently that WETH reserves also remain frozen in the affected markets on Ethereum, Arbitrum, Base, Mantle and Linea as the team continues to validate information and evaluate possible solutions.
At the time of this publication, the total crypto market capitalization amounted to $2.5 trillion.

