LayerZero says the recent Kelp DAO exploit likely traces back to the Lazarus Group, though it stops short of calling that a confirmed attribution. According to the team's investigation, the real issue wasn't a bug in the code but a structural weakness: a single point of failure in how Kelp DAO's deployment verified cross-chain messages.
The attack, which took place on April 18, drained roughly $292 million from Kelp DAO’s rsETH pool. That makes it the biggest DeFi hack so far this year. The fallout was immediate — total value locked across the sector dropped about 7% in just a day, landing near $85 billion, based on data from DefiLlama.
It’s worth noting that LayerZero isn’t presenting this as a definitive conclusion. Instead, it describes Lazarus as the most likely culprit based on available evidence. That nuance matters, especially when you’re dealing with state-linked actors and incidents of this scale.
What actually went wrong?
At a technical level, this wasn't a simple exploit. The attackers first compromised the RPC infrastructure that the verifier relied on to read source-chain state. They then used a DDoS attack to knock the primary RPC nodes offline and force a failover to backup nodes they had already tampered with.
From that point the verifier was attesting to whatever the poisoned backups reported, so forged cross-chain messages were approved as legitimate. By the time anyone noticed, hundreds of millions in funds had already been drained.
The key vulnerability? Kelp DAO was running what's known as a 1-of-1 DVN setup: a single Decentralized Verifier Network (DVN) was the sole verifier required to approve its messages, with no independent second opinion. That's a risky design, and LayerZero says it had flagged this multiple times, recommending a multi-verifier configuration instead. Those warnings weren't acted on.
With an M-of-N setup (for example, two of three independent verifiers required to agree), attackers would have needed to compromise several independent verifiers, each with its own RPC path, at the same time, a much harder task. Instead, the single-verifier design meant that subverting one verifier's data feed was enough to break the whole system.
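To make the failure mode concrete, here is a toy model of the verification path described above, written as an added example for this piece; it is not LayerZero's or Kelp DAO's code, and the ledgers, node names, nonce and amounts are constructed. Each verifier reads a packet from its primary RPC node, falls back to a backup when the primary is unreachable (the DDoS), and attests to the packet's hash; the destination endpoint delivers only when a configured threshold of verifiers agree. The model goes slightly beyond the incident by contrasting the 1-of-1 configuration with a 2-of-3 one under the same attack.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample ledgers for a toy "source chain". Nonce 7 is an honest
# 100-unit transfer; the tampered backup RPC serves a forged version of the
# same packet that pays an attacker a much larger amount.
HONEST_LEDGER: Dict[int, dict] = {
    7: {"src_eid": 30101, "nonce": 7, "receiver": "0xkelp-vault", "amount": 100},
}
FORGED_LEDGER: Dict[int, dict] = {
    7: {"src_eid": 30101, "nonce": 7, "receiver": "0xattacker", "amount": 1_000_000},
}


def packet_hash(packet: dict) -> str:
    """Canonical hash of a packet; stands in for the payload hash a verifier attests to."""
    return hashlib.sha256(json.dumps(packet, sort_keys=True).encode()).hexdigest()


class RpcUnavailable(Exception):
    """Raised when an RPC node is down (e.g. knocked offline by a DDoS)."""


@dataclass
class RpcProvider:
    name: str
    ledger: Dict[int, dict]  # what this node reports as source-chain state
    healthy: bool = True

    def get_packet(self, nonce: int) -> dict:
        if not self.healthy:
            raise RpcUnavailable(self.name)
        return self.ledger[nonce]


@dataclass
class Verifier:
    """A DVN-style verifier: reads the packet via its RPC path and attests to its hash."""
    name: str
    primary: RpcProvider
    backups: List[RpcProvider] = field(default_factory=list)

    def attest(self, nonce: int) -> Optional[str]:
        # Naive failover: trust whichever RPC answers first. This is the weak link
        # the article describes: a poisoned backup silently becomes the source of truth.
        for rpc in [self.primary, *self.backups]:
            try:
                return packet_hash(rpc.get_packet(nonce))
            except RpcUnavailable:
                continue
        return None  # nothing reachable: abstain rather than guess


@dataclass
class Endpoint:
    """Destination-side check: deliver only if `threshold` verifiers agree on the hash."""
    verifiers: List[Verifier]
    threshold: int

    def verify(self, nonce: int, claimed_packet: dict) -> bool:
        claimed = packet_hash(claimed_packet)
        votes = sum(1 for v in self.verifiers if v.attest(nonce) == claimed)
        return votes >= self.threshold


def attacked_verifier(name: str) -> Verifier:
    """Primary RPC taken down by DDoS; backup RPC already tampered to serve the forgery."""
    return Verifier(name, RpcProvider(f"{name}-primary", HONEST_LEDGER, healthy=False),
                    [RpcProvider(f"{name}-backup", FORGED_LEDGER)])


def honest_verifier(name: str) -> Verifier:
    return Verifier(name, RpcProvider(f"{name}-primary", HONEST_LEDGER),
                    [RpcProvider(f"{name}-backup", HONEST_LEDGER)])


def one_of_one() -> Endpoint:
    """The risky configuration: a single verifier is the whole quorum."""
    return Endpoint([attacked_verifier("dvn-a")], threshold=1)


def two_of_three() -> Endpoint:
    """Same attack on dvn-a, but two of three independent verifiers must agree."""
    return Endpoint([attacked_verifier("dvn-a"), honest_verifier("dvn-b"), honest_verifier("dvn-c")],
                    threshold=2)


def forged_accepted(endpoint: Endpoint) -> bool:
    """Does the attacker's forged packet get delivered?"""
    return endpoint.verify(7, FORGED_LEDGER[7])


def honest_accepted(endpoint: Endpoint) -> bool:
    """Does the legitimate packet still get delivered?"""
    return endpoint.verify(7, HONEST_LEDGER[7])


if __name__ == "__main__":
    for label, ep in (("1-of-1", one_of_one()), ("2-of-3", two_of_three())):
        print(f"{label}: forged accepted={forged_accepted(ep)}, honest accepted={honest_accepted(ep)}")
```

Run stand-alone, the 1-of-1 endpoint delivers the forged packet and rejects the honest one, since the only verifier now believes the tampered backup; the 2-of-3 endpoint rejects the forgery and still delivers the honest packet, because the two unaffected verifiers outvote the one whose data feed was poisoned. The practical check for an integrator is therefore not "is the verifier code sound" but "how many independent verifiers must agree, and what does each one fall back to when its primary RPC disappears"; in LayerZero V2 terms that is the receive-side ULN configuration (required DVN list and optional-DVN threshold) of the application, which should be reviewed rather than left at a single required DVN.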
How LayerZero responded
After the breach, LayerZero moved quickly to contain the problem. It shut down the affected RPC nodes and restored normal verifier operations without the issue spreading to other protocols.
Importantly, there's no indication that LayerZero's core codebase or private keys were compromised. The failure came from how the application was configured and from the infrastructure its verifier depended on, not from a fundamental flaw in the protocol itself. That distinction helps protect LayerZero's reputation, but it doesn't undo the $292 million loss.
Why the Lazarus angle matters
Even though the attribution isn’t confirmed, pointing to the Lazarus Group changes how this incident is viewed. The group has been linked to some of the biggest crypto thefts in history, including the Ronin Network hack, and is widely believed to funnel stolen funds into North Korea’s state programs.
LayerZero’s analysis also mentions the TraderTraitor subgroup, which has been tied to previous operations. The company is now working with international authorities to track the stolen funds — a step usually taken only when there’s strong evidence behind the scenes.
What’s more concerning is that these attacks are evolving. Beyond direct exploits, North Korean operatives have reportedly infiltrated crypto companies using fake identities, expanding the threat beyond just technical vulnerabilities.
Bigger picture for DeFi
Cross-chain protocols like LayerZero sit in a particularly sensitive position. They connect multiple blockchains and often sit in front of large pools of liquidity, making them attractive targets. Their security depends heavily on verifier networks, and on how each application configures them; a misconfigured verifier set becomes a single point of failure.
This attack also highlights a tactic defenders should plan for: attacking the infrastructure a verifier depends on, such as its RPC nodes and their failover path, rather than the smart contracts themselves. It's a reminder that in DeFi, security isn't just about code. It's about architecture, and about every external dependency the architecture trusts.
And in this case, that architectural shortcut turned out to be very expensive.