CryptoreNews covers fintech, blockchain and Bitcoin bringing you the latest crypto news and analyses on the future of money.
LayerZero’s compromised protocol reveals details of the attack on KelpDAO, 2026/04/20 12:03:36

The LayerZero protocol, which suffered a breach resulting in a loss of $293 million from the KelpDAO bridge, has disclosed details of the cyberattack and linked it to the North Korean group Lazarus, specifically its subdivision TraderTraitor. However, analysts did not provide evidence that the breach was orchestrated by perpetrators from North Korea.
The company reported that the attackers compromised a segment of LayerZero’s technical infrastructure, which facilitates data exchange between various blockchains. Other bridge protocols remained unaffected. The attack was made possible due to KelpDAO’s insufficient security configuration, according to the developers. Typically, such systems are protected by multiple independent “verifying” nodes: if one fails or is compromised, the others continue to function and thwart the attack. KelpDAO, however, utilized only a single “verifying” node from LayerZero.
Preliminary investigations revealed that the hackers operated in stages. Initially, the unknown individuals gained access to a list of technical servers (RPC nodes) utilized by the LayerZero system. They then compromised two independent servers operating on different platforms and replaced their software with malicious code.
Using these servers, the attackers sent a fraudulent message to the system, indicating that a cryptocurrency transfer had occurred, even though no transaction took place. For all other requests, these servers responded accurately to avoid raising suspicion. To ensure the system relied on the compromised servers, the hackers initiated a DDoS attack, inundating the others with a barrage of false requests. Due to the overload, the system switched to the hacked nodes.
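The failover weakness described above, as an added example (not LayerZero's or KelpDAO's code): a verifier that trusts whichever RPC sources still answer, beside one that requires a quorum of all configured sources and fails closed. The source names, the hashes and the 4-of-5 threshold are constructed assumptions.

```python
from collections import Counter
from typing import Callable, Dict, Optional

# A source maps a message id to the hash of the source-chain event it sees,
# returns None when it sees no such event, and raises when it is unreachable.
Source = Callable[[str], Optional[str]]

def poll(msg_id: str, sources: Dict[str, Source]):
    """Query every configured source; return (answer counts, unreachable count)."""
    answers, unreachable = Counter(), 0
    for query in sources.values():
        try:
            answers[query(msg_id)] += 1
        except Exception:          # timeout, overload, connection reset
            unreachable += 1
    return answers, unreachable

def failover_verify(msg_id, claimed, sources) -> bool:
    """Weak: trust whichever sources still answer, however few remain."""
    answers, _ = poll(msg_id, sources)
    responsive = sum(answers.values())
    return responsive > 0 and answers[claimed] == responsive

def quorum_verify(msg_id, claimed, sources, quorum) -> bool:
    """Fail closed: `quorum` of ALL configured sources must confirm `claimed`."""
    if not len(sources) // 2 < quorum <= len(sources):
        raise ValueError("quorum must be a strict majority of configured sources")
    answers, _ = poll(msg_id, sources)
    return answers[claimed] >= quorum   # unreachable sources never count as a yes

# --- constructed scenario: 5 sources, 2 poisoned, 3 honest ---
FORGED_ID, FORGED_HASH = "msg-forged", "0xfake"     # constructed values
def poisoned(msg_id):      # answers falsely only for the forged message
    return FORGED_HASH if msg_id == FORGED_ID else None
def honest(msg_id):        # the forged transfer never happened on-chain
    return None
def overloaded(msg_id):    # honest source knocked out by request flooding
    raise TimeoutError("no response")

NORMAL = {"a": poisoned, "b": poisoned, "c": honest, "d": honest, "e": honest}
UNDER_DDOS = {"a": poisoned, "b": poisoned,
              "c": overloaded, "d": overloaded, "e": overloaded}

if __name__ == "__main__":
    for label, srcs in (("normal", NORMAL), ("under DDoS", UNDER_DDOS)):
        print(label, "failover:", failover_verify(FORGED_ID, FORGED_HASH, srcs),
              "quorum 4/5:", quorum_verify(FORGED_ID, FORGED_HASH, srcs, 4))
```

With the honest sources flooded, the failover check accepts the forged message because the two poisoned sources are the only ones left answering; the quorum check rejects it in both scenarios.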
After the attack concluded, the hackers erased all traces: they deleted the malicious software, logs, and configurations. Currently, the LayerZero system has been fully restored and is operating normally, according to the developers. They assert that there were no vulnerabilities in the protocol.
The attack on Kelp occurred on Saturday, April 18. The hackers stole 116,500 tokens of Kelp DAO Restaked ETH (rsETH) from the LayerZero bridge used by Kelp DAO. Subsequently, the attackers posted rights to these tokens as collateral in Aave V3 and took out loans in wETH. The platform treated the collateral as legitimate tokens from Kelp DAO, but in reality, the coins were already in the hackers’ wallets. This resulted in an unsecured debt for the platform, prompting investors to withdraw their funds en masse.