•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
LayerZero said it placed responsibility for the $290 million Kelp DAO exploit on Kelp’s own security configuration, arguing that the liquid restaking protocol used a single-verifier setup that LayerZero had previously warned against. LayerZero also described the attack as targeting infrastructure rather than any flaw in its protocol code.
LayerZero said the attackers compromised two remote procedure call (RPC) nodes that LayerZero’s verifier relied on to confirm cross-chain transactions. RPC nodes are servers that allow software to read and write data on a blockchain.
LayerZero said the verifier used a mix of internal and external RPC nodes for redundancy. According to LayerZero, the attackers swapped the binary software running on two of the nodes with malicious versions. These versions were designed to report to LayerZero’s verifier that a fraudulent transaction had occurred, while continuing to provide accurate data to other systems querying the same nodes.
LayerZero said the attackers engineered the deception to remain invisible to its monitoring, which queries the same RPCs from different IP addresses. LayerZero added that compromising only two nodes was not sufficient: the verifier also queried uncompromised external RPC nodes, so the attackers launched a distributed denial-of-service (DDoS) attack to force failover to the poisoned nodes.
LayerZero shared logs showing the DDoS activity occurred between 10:20 a.m. and 11:40 a.m. Pacific Time on Saturday. After failover was triggered, LayerZero said the compromised nodes told the verifier that a valid cross-chain message had arrived, leading Kelp’s bridge to release 116,500 rsETH to the attackers.
LayerZero also said the malicious node software self-destructed, wiping binaries and local logs.
LayerZero said the attack worked because Kelp ran a 1-of-1 verifier configuration, meaning LayerZero Labs was the sole entity verifying messages to and from the rsETH bridge.
LayerZero said its public integration checklist and direct communications to Kelp recommended a multi-verifier setup with redundancy, where consensus across several independent verifiers would be required to confirm a message. Under that approach, LayerZero said poisoning a single verifier’s data feed would not be enough to forge a valid message.
“KelpDAO chose to utilize a 1/1 DVN configuration,” LayerZero wrote, using the protocol’s term for decentralized verifier networks. “A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised.”
LayerZero said it has confirmed zero contagion to other applications on the protocol. It said every OFT-standard token and application running multi-verifier setups was unaffected.
LayerZero said its own verifier is back online and that it will no longer sign messages for any application running a 1-of-1 configuration, requiring a protocol-wide migration away from single-verifier setups.
LayerZero’s preliminary linkage of the attackers to North Korea’s Lazarus Group—specifically its TraderTraitor subunit—comes as Lazarus has been linked to the Drift Protocol exploit on April 1 and to Kelp on April 18.
LayerZero said the same North Korean unit has drained more than $575 million from DeFi in 18 days through two structurally different attack vectors: social engineering governance signers at Drift and poisoning infrastructure RPCs at Kelp.
LayerZero said the distinction between a protocol-level bug and an integrator configuration failure matters. It argued that a protocol-level flaw would have implied every OFT token on every chain was potentially at risk. Instead, LayerZero said the incident reflects a configuration choice by a single integrator combined with a targeted infrastructure attack, meaning the protocol “worked as designed” and the opening came from Kelp’s security decisions.
Kelp has not yet publicly responded to LayerZero’s framing or addressed why it operated a 1-of-1 verifier setup despite recommendations against it.
Premium gym chains are entering a “golden era” that is ending or already in decline, as rising operating costs collide with shifting consumer preferences toward more flexible, community-based ways to exercise. Long-term memberships are shrinking, margins are pressured by higher rents and facility expenses, and competition from smaller, more personalized…
