LayerZero Responds to KelpDAO's $290 Million Vulnerability Incident, Blames Single DVN Configuration

BroadChain | Time: 2026-04-20 20:00

BroadChain has learned that at 20:00 on April 20, according to Bitcoinist, the $290 million vulnerability incident involving KelpDAO's rsETH has entered a new phase. LayerZero and Aave have publicly detailed how the incident progressed, why the damage was controllable, and its impact on future cross-chain security standards.

LayerZero's core argument is that this incident was not a failure of its protocol itself, but rather the result of KelpDAO's decision to run rsETH with a single DVN (Decentralized Verifier Network) configuration. This statement shifts the market narrative from the broad contagion risk of assets integrated with LayerZero to a more specific issue: the concentration of risk in the security design of a single application.

In a statement on April 20, LayerZero said that the April 18 attack targeted KelpDAO's rsETH setup and was "entirely confined to KelpDAO's rsETH configuration, a direct consequence of its single DVN setup." The company added that it has conducted a comprehensive review of active integrations and is "confident in confirming there is no contagion risk to any other assets or applications."

LayerZero characterized this incident as a state-related attack on crypto infrastructure, not a protocol vulnerability, with initial indications pointing to a highly sophisticated state actor, likely North Korea's Lazarus Group (specifically TraderTraitor). The attack did not directly compromise the protocol, key management, or DVN instances. Instead, the attacker poisoned the downstream RPC infrastructure used by LayerZero Labs' DVN, replaced binaries on the compromised op-geth nodes, and then applied DDoS pressure on unaffected RPCs, forcing a failover to the poisoned infrastructure. LayerZero emphasized that, because of its principle of least privilege, the attacker could not compromise the actual DVN instances but exploited this entry point to execute an RPC spoofing attack. The malicious nodes used specially crafted custom payloads to forge messages to the DVN while returning genuine responses to other IPs, including LayerZero's own monitoring infrastructure, to evade detection.

LayerZero noted that if rsETH had not relied on a 1-of-1 validator setup, the attack should have been blocked at the application layer. KelpDAO's OApp configuration at the time relied on a single DVN setup, with LayerZero Labs as the sole verifier, which directly contradicts the multi-DVN redundancy model that LayerZero consistently recommends to all integration partners.

The company stated that its DVN is back online, the affected RPC nodes have been deprecated and replaced, and it will no longer sign or attest messages for applications using a 1/1 configuration. It is also collaborating with law enforcement and industry partners (including Seal911) to trace the funds.

In an update on the X platform, Aave stated that its analysis shows "rsETH on the Ethereum mainnet is fully backed," but out of caution, rsETH remains frozen on Aave V3 and V4, and exposure to the incident has been capped. WETH reserves in affected markets on Ethereum, Arbitrum, Base, Mantle, and Linea also remain frozen, with the team continuing to verify information and evaluate possible solutions.

As of press time, the total cryptocurrency market capitalization is approximately $2.5 trillion.
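
The 1-of-1 versus multi-DVN argument above, as an added toy model (not LayerZero's or KelpDAO's code): each verifier attests the payload hash it reads from its own RPC source, and a message is accepted only when the configured verifiers agree. All names (`Verifier`, `verify_message`, the sample payloads) are hypothetical and constructed for illustration; the last case shows that redundancy only helps when the verifiers do not share the same upstream.

```python
import hashlib
from dataclasses import dataclass

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

@dataclass
class Verifier:
    """Hypothetical verifier: attests whatever its own RPC source reports."""
    name: str
    rpc_view: dict  # nonce -> payload bytes as seen through this verifier's RPC

    def attest(self, nonce: int):
        payload = self.rpc_view.get(nonce)
        return None if payload is None else payload_hash(payload)

def verify_message(nonce, claimed_hash, required, optional=(), optional_threshold=0):
    """Accept only if every required verifier, and at least
    optional_threshold optional verifiers, attest claimed_hash."""
    if not required and optional_threshold == 0:
        return False  # nothing configured to check the message: fail closed
    if any(v.attest(nonce) != claimed_hash for v in required):
        return False
    agreeing = sum(1 for v in optional if v.attest(nonce) == claimed_hash)
    return agreeing >= optional_threshold

# Constructed sample data: the source chain only ever emitted nonce 6.
HONEST_RPC = {6: b"genuine cross-chain message"}
# A spoofing RPC additionally reports a message that never existed on-chain.
POISONED_RPC = {**HONEST_RPC, 7: b"forged cross-chain message"}

dvn_a = Verifier("dvn-a", POISONED_RPC)       # failed over to the poisoned RPC
dvn_b = Verifier("dvn-b", HONEST_RPC)         # independent infrastructure
dvn_c = Verifier("dvn-c", HONEST_RPC)         # independent infrastructure
dvn_shared = Verifier("dvn-d", POISONED_RPC)  # separate verifier, same upstream as dvn-a

FORGED = payload_hash(POISONED_RPC[7])
GENUINE = payload_hash(HONEST_RPC[6])

def demo():
    return {
        "forged, 1-of-1": verify_message(7, FORGED, [dvn_a]),
        "forged, 2 required": verify_message(7, FORGED, [dvn_a, dvn_b]),
        "forged, 1 required + 1-of-2 optional":
            verify_message(7, FORGED, [dvn_a], [dvn_b, dvn_c], 1),
        "genuine, 2 required": verify_message(6, GENUINE, [dvn_a, dvn_b]),
        "forged, 2 required, shared RPC": verify_message(7, FORGED, [dvn_a, dvn_shared]),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'ACCEPTED' if accepted else 'rejected'}")
```
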