An operational error by KelpDAO allowed the draining of USD 292 million

  • KelpDAO operated with a single transaction verifier, a configuration that LayerZero advises against.

  • The attack suffered by KelpDAO is the largest in amount stolen in 2026.

The team behind LayerZero Labs published a white paper on April 20 about the hack that drained $292 million in KelpDAO’s rsETH token. According to the document, the direct cause was a KelpDAO configuration decision that contradicted the express recommendations of the protocol. The document also points to the North Korean hacker group Lazarus as responsible.

According to the report, KelpDAO operated with a 1-of-1 DVN configuration, which means it relied on a single cross-chain transaction verifier, LayerZero Labs’ own DVN, without any additional independent verifier.

A DVN (Decentralized Verifier Network) is the component that confirms that a message sent between two networks is legitimate before it is executed. LayerZero maintains that it recommended KelpDAO and all its integrators adopt configurations with multiple DVNs, so that no single verifier represents a single point of failure.

How did the attack operate?

According to LayerZero’s investigation, the attacker did not exploit LayerZero or KelpDAO code. Instead, it targeted the servers that LayerZero Labs’ DVN used to query the state of the Ethereum network and verify that transactions were legitimate. These servers are called RPC nodes.

The attacker identified which nodes the DVN used, compromised two of them (hosted on independent infrastructure) and replaced their software with manipulated versions capable of sending the DVN false information about transactions that never occurred.

According to the same report, the adulterated nodes responded with false data only when LayerZero’s DVN queried them, but they responded normally to any other system, including LayerZero’s internal monitoring systems. That prevented the alerts from detecting anomalies.

To complete the attack, the perpetrator executed a DDoS (a denial-of-service attack, which consists of flooding a system with requests until it becomes inoperative) against the uncompromised RPC nodes, forcing the DVN to depend only on the poisoned nodes. The result was that the DVN validated KelpDAO rsETH transfers that never occurred, releasing the funds.

With a multi-DVN setup, LayerZero notes, a second independent verifier would have rejected the fake message and the attack would have failed. It was KelpDAO’s 1-of-1 setup that made it possible for the compromise of a single DVN to be enough to complete the theft.
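The three steps above (poisoned RPC nodes that lie only to the DVN, a DDoS that removes the honest nodes, and a 1-of-1 DVN requirement at the destination) can be modelled in a few dozen lines. The following is an added illustration written for this article, not LayerZero’s or KelpDAO’s code, and every name in it (`dvn-lz`, `rpc-a`, `msg-999`, and so on) is constructed. It shows why the same forged message is rejected as soon as a second, independently sourced verifier is required, and why a verifier that fails closed when too few of its nodes answer would also have stopped the DDoS step.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class RpcNode:
    """Toy model of a source-chain RPC node as seen by a verifier (constructed, not real software)."""
    name: str
    committed: Set[str]                 # message ids really committed on the source chain
    online: bool = True
    poisoned_for: Optional[str] = None  # client name that receives forged answers, or None
    forged: Set[str] = field(default_factory=set)

    def has_message(self, msg_id: str, client: str) -> Optional[bool]:
        if not self.online:
            return None                 # unreachable, e.g. knocked out by a DDoS
        if self.poisoned_for == client and msg_id in self.forged:
            return True                 # the lie is served only to the targeted client
        return msg_id in self.committed # everyone else (monitoring included) sees the truth


@dataclass
class Dvn:
    """Toy verifier: attests a message only if every reachable RPC node confirms it."""
    name: str
    rpc_nodes: List[RpcNode]
    min_reachable: int = 1              # fail closed when fewer nodes than this answer

    def verify(self, msg_id: str) -> bool:
        answers = [n.has_message(msg_id, self.name) for n in self.rpc_nodes]
        reachable = [a for a in answers if a is not None]
        if len(reachable) < self.min_reachable:
            return False                # degraded availability must not become "trust what is left"
        return all(reachable)           # any dissenting node blocks the attestation


def bridge_accepts(dvns: List[Dvn], required: int, msg_id: str) -> bool:
    """Destination endpoint executes a message only with `required` DVN confirmations."""
    return sum(1 for d in dvns if d.verify(msg_id)) >= required


def run_scenario() -> dict:
    committed = {"msg-001"}             # the only transfer that actually happened
    fake = "msg-999"                    # a transfer that never occurred on the source chain

    # The targeted DVN's RPC pool: two poisoned nodes plus one honest node.
    rpc_a = RpcNode("rpc-a", committed, poisoned_for="dvn-lz", forged={fake})
    rpc_b = RpcNode("rpc-b", committed, poisoned_for="dvn-lz", forged={fake})
    rpc_c = RpcNode("rpc-c", committed)
    dvn_lz = Dvn("dvn-lz", [rpc_a, rpc_b, rpc_c])

    # An independent DVN with its own, untouched RPC nodes.
    dvn_other = Dvn("dvn-other", [RpcNode("rpc-x", committed), RpcNode("rpc-y", committed)])

    results = {}
    # Monitoring asks the same poisoned nodes and is told nothing unusual.
    results["monitoring_sees_fake"] = any(n.has_message(fake, "monitoring") for n in (rpc_a, rpc_b))
    # While the honest node still answers, its dissent blocks the forged message.
    results["lz_before_ddos"] = dvn_lz.verify(fake)
    # DDoS takes the honest node offline; only poisoned nodes remain reachable.
    rpc_c.online = False
    results["lz_after_ddos"] = dvn_lz.verify(fake)
    # 1-of-1: the single compromised verifier is enough to release funds.
    results["one_of_one_accepts"] = bridge_accepts([dvn_lz], 1, fake)
    # 2-of-2: the independent verifier never saw the transfer and rejects it.
    results["two_of_two_accepts"] = bridge_accepts([dvn_lz, dvn_other], 2, fake)
    # Same compromised verifier, but failing closed when its node quorum is not reachable.
    dvn_lz_closed = Dvn("dvn-lz", [rpc_a, rpc_b, rpc_c], min_reachable=3)
    results["fail_closed_accepts"] = bridge_accepts([dvn_lz_closed], 1, fake)
    # The legitimate transfer still passes under every configuration.
    results["legit_two_of_two"] = bridge_accepts([dvn_lz, dvn_other], 2, "msg-001")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design choices carry the lesson: verifiers disagree rather than vote (a single dissenting RPC node is enough to withhold an attestation, which is why the attacker needed the DDoS), and node availability is itself a signal (a verifier that refuses to attest when its RPC quorum drops cannot be herded onto the poisoned subset). Neither choice helps if the destination endpoint is willing to execute on one verifier’s word, which is the 1-of-1 configuration the report singles out.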

Additionally, based on the indicators collected during the investigation, LayerZero attributes the attack to the North Korean Lazarus Group (specifically the unit known as TraderTraitor), calling it a “highly sophisticated” state actor. That attribution has no independent external corroboration so far.

April records the most and largest hacks of the year

The KelpDAO hack is not an isolated event: as reported by CriptoNoticias, the cryptocurrency ecosystem recorded at least 13 security incidents in the first two weeks of April, with accumulated losses in 2026 exceeding USD 450 million in addition to the KelpDAO hack. April accounts for a large part of that total.

In this context, attack vectors range from poorly audited smart contracts and manipulation of node infrastructure to social engineering and even insider threats. The KelpDAO case now adds RPC infrastructure poisoning as a documented form of attack on cross-chain bridges.

As an immediate measure, LayerZero announced that its DVN will stop signing messages from applications with 1-of-1 configuration and will contact all integrators in that situation to migrate them to schemes with redundancy. The attribution of the attack to North Korea’s Lazarus Group, supported by LayerZero, remains without independent external confirmation.
