Lazarus Group poisoned RPCs, enabling $292M KelpDAO hack

Layerzero Labs says North Korea-linked Lazarus Group poisoned internal RPCs and used a DDoS on an external RPC provider to enable the $292 million KelpDAO exploit.

Layerzero Labs disclosed Friday that attackers linked to the Lazarus Group poisoned internal Remote Procedure Call (RPC) data and launched a simultaneous distributed denial-of-service attack on an external RPC provider. Those actions allowed manipulation of cross-chain message validation and led to a $292 million exploit of the KelpDAO application.

The company apologized for three weeks of silence while it investigated and worked with external security partners. Layerzero reported the breach affected a single application, representing about 0.14% of connected applications and roughly 0.36% of the protocol’s value.

Layerzero reported the core protocol remained intact. Since April 19, more than $9 billion of traffic has moved across the network without compromise, and total transfers across the protocol since launch exceed $260 billion.

The firm acknowledged an oversight in allowing a single Decentralized Verifier Network (DVN) configuration to act as the sole verifier for high-value transactions, creating a single point of failure. Layerzero will stop supporting 1/1 DVN setups and is changing default settings to a 5/5 DVN to increase verifier redundancy.

Layerzero described a multisig lapse from three and a half years ago when a signer used a multisig hardware wallet for a personal trade; that signer has been removed. The company deployed a multisig tool called Onesig, which hashes and merklizes transactions on the user’s device to block unauthorized backend transactions. Where Onesig is available, multisig thresholds will rise from 3/5 to 7/10.

Other technical and operational changes include advising developers to pin configurations rather than rely on defaults and recommending higher block confirmation counts to reduce the chance of chain reorganizations. Layerzero is building a second DVN client in Rust to encourage client diversity and is designing a more granular RPC quorum configuration to let DVNs combine internal and external providers for message validation. The company is also developing a Console platform for asset issuers to manage security settings and monitor for anomalies.
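The single-point-of-failure problem and the quorum design described above can be modelled in a few lines. The following is an added illustration, not Layerzero's or any DVN's code: provider names and payload hashes are constructed, and `required` stands in for the granular RPC quorum setting the article says is being designed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

class ProviderDown(Exception):
    """Raised when an RPC provider cannot be reached (e.g. during a DDoS)."""

@dataclass
class Provider:
    name: str
    reply: Optional[str]  # payload hash this provider reports; None = unreachable

    def get_payload_hash(self, message_id: str) -> str:
        if self.reply is None:
            raise ProviderDown(self.name)
        return self.reply

def verify_with_quorum(providers: List[Provider], message_id: str, required: int) -> Optional[str]:
    """Return the payload hash only if at least `required` providers agree on it.

    Unreachable providers cast no vote, so an outage can only cause a liveness
    failure (no verification), never a verification of poisoned data."""
    votes: Counter = Counter()
    for p in providers:
        try:
            votes[p.get_payload_hash(message_id)] += 1
        except ProviderDown:
            continue  # degraded provider is simply ignored
    if not votes:
        return None
    best, count = votes.most_common(1)[0]
    return best if count >= required else None

# Constructed scenario: two poisoned internal providers, one external provider
# knocked offline, two honest external providers.
HONEST = "0xhonest-payload-hash"      # constructed value
POISONED = "0xpoisoned-payload-hash"  # constructed value
ATTACK = [Provider("internal-1", POISONED), Provider("internal-2", POISONED),
          Provider("external-1", None), Provider("external-2", HONEST),
          Provider("external-3", HONEST)]
HEALTHY = [Provider("internal-1", HONEST), Provider("internal-2", HONEST),
           Provider("external-1", None), Provider("external-2", HONEST),
           Provider("external-3", HONEST)]

def scenario_single_source() -> Optional[str]:
    # A 1/1 setup that trusts one poisoned RPC accepts the forged hash outright.
    return verify_with_quorum([ATTACK[0]], "msg-1", required=1)

def scenario_quorum_under_attack() -> Optional[str]:
    # 3-of-5 quorum: 2 poisoned, 2 honest, 1 down -> no agreement, fail closed.
    return verify_with_quorum(ATTACK, "msg-1", required=3)

def scenario_quorum_healthy() -> Optional[str]:
    # Same quorum with one provider down still verifies from the remaining four.
    return verify_with_quorum(HEALTHY, "msg-1", required=3)
```

The attack scenario halts verification rather than passing the poisoned hash, which is the trade the higher-redundancy DVN and mixed internal/external RPC quorum are meant to buy.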

Layerzero reported it has coordinated with external security firms since April 19 and is finalizing a post-mortem. The company said the protocol’s modular design helped limit the incident to a small portion of the ecosystem.

In a statement carried by state media, North Korea’s Foreign Ministry rejected international accusations linking the country to cryptocurrency thefts and cyberattacks, calling the claims absurd slander and politically motivated.
