LayerZero blames KelpDAO’s single DVN setup for $290M exploit, highlighting risks of weak configurations and RPC infrastructure attacks.
Author: Akshat Thakur
20th April 2026 – LayerZero_Core published an article on X on April 20. The thread attributed the $290 million drain of KelpDAO’s rsETH to the project’s single-DVN setup. According to the team, a suspected state actor carried out the attack.
High Signal Summary For A Quick Glance
𝕋𝕖𝕞𝕞𝕪🦇🔊
@Only1temmy
@LayerZero_Core trying to shift the blame. best of luck
https://t.co/3vIHs3Xgs4
05:08 AM·Apr 20, 2026
High attention and emotional sentiment detected.
The exploit hit on April 18. According to LayerZero, the attacker poisoned RPC endpoints feeding the LayerZero Labs DVN. Because KelpDAO relied on a 1-of-1 DVN setup, that single compromised verifier approved the fraudulent message. As a result, $290 million drained from the rsETH deployment.
The attack affected no other applications on LayerZero. In fact, the protocol continued processing cross-chain traffic without interruption throughout the incident.
LayerZero’s thread detailed the attack step by step. First, the adversary obtained the internal list of RPC endpoints the DVN used for verification. RPC nodes act as the data pipeline between blockchains and verifiers.
Next, the attacker compromised two independent op-geth nodes on separate clusters. They swapped the legitimate binaries for malicious versions. These forged a cross-chain message that appeared valid to the DVN.
Then, the attacker launched DDoS attacks against the remaining healthy RPCs. This forced the DVN to fall back on the compromised nodes. Meanwhile, external monitoring services still received accurate data. As a result, the manipulation went undetected until the DVN signed the forged message.
That single fraudulent approval triggered the $290 million drain from KelpDAO’s rsETH. The technique is notable because it bypasses smart-contract audits entirely.
DVNs, or Decentralized Verifier Networks, are independent entities that verify cross-chain messages on LayerZero. They confirm that a transaction on one blockchain is legitimate before it executes on another.
LayerZero’s architecture lets each application choose its own security model. Specifically, applications select which DVNs to trust and how many must agree. LayerZero Labs operates one of the largest DVNs, but dozens of others exist across the ecosystem.
This modular approach has supported more than $50 billion in cumulative cross-chain volume. At the same time, it has drawn criticism for allowing weak configurations that create single points of failure.
KelpDAO configured rsETH with a strict 1-of-1 DVN setup. Only the LayerZero Labs DVN verified its messages. In contrast, a multi-DVN configuration requires consensus across independent verifiers. That setup makes one compromised DVN insufficient on its own.
The KelpDAO $290M exploit proved the risk of minimal configurations. A two-DVN or three-DVN setup would have blocked the forged message. The attacker compromised one verifier, but additional verifiers would have rejected it.
LayerZero said it had previously warned KelpDAO about this risk. The team referenced public commentary in Aave governance discussions months earlier. Still, KelpDAO proceeded with the 1/1 configuration.
The thread emphasized that no protocol-level vulnerability existed. LayerZero quoted its own post: “the LayerZero protocol itself functioned exactly as intended.”
The team also stressed the isolation principle. Each application controls its own security. Therefore, the compromise of one DVN for one application did not spread to others on the network.
LayerZero called this “the single defining feature” of its modular architecture. Zero contagion spread across the system, even though a single integration failed.
Key milestones in LayerZero and the KelpDAO $290M Exploit
LayerZero introduces DVN-based interoperability, enabling apps to define custom security models and redundancy thresholds for cross-chain messaging.
KelpDAO deploys rsETH on LayerZero using a 1-of-1 DVN setup, relying solely on the LayerZero Labs verifier despite prior recommendations for diversification.
Attacker compromises RPC infrastructure feeding the DVN, forges a message, and drains $290M from rsETH, with the breach contained to the single-verifier setup.
LayerZero confirms no protocol flaw, isolates compromised nodes, restores operations, and pushes migration to multi-DVN configurations for improved security.
LayerZero attributed the KelpDAO $290M exploit to a sophisticated state actor. The team identified North Korea’s Lazarus Group, operating as TraderTraitor, as the most likely perpetrator.
The Lazarus Group has a long track record in crypto theft. It carried out the $625 million Ronin Bridge hack in 2022. It also executed the $100 million Harmony Horizon bridge hack the same year. Most recently, the group pulled off the $1.5 billion Bybit breach in early 2025.
RPC poisoning represents a new vector in the cross-chain threat model. Unlike key theft or smart contract bugs, it targets the off-chain infrastructure verifiers depend on. Every bridge, oracle, and cross-chain service relies on similar infrastructure.
Consequently, the technique bypasses smart-contract audits and key management entirely. It exploits how verifiers source their data. That layer has received far less scrutiny than contract code up to this point.
LayerZero Labs has already deprecated all compromised RPC nodes. The team replaced them with fresh infrastructure, and the DVN is back online.
In addition, the team is actively contacting every application still running a 1/1 DVN configuration. Going forward, LayerZero Labs will refuse to attest messages from any application that stays in that state.
Law enforcement agencies in multiple jurisdictions are now investigating. LayerZero is cooperating with authorities and assisting on-chain tracking through partners including Seal911.
For rsETH holders and KelpDAO participants, attention now turns to compensation or recovery. KelpDAO has not yet detailed its response plan.
Across the broader ecosystem, protocols relying on single verifiers face renewed pressure to harden their off-chain dependencies. LayerZero Labs has committed to helping all remaining 1/1 integrators migrate to multi-DVN setups.
Expect updated integration checklists and new contract-level tooling to enforce minimum DVN thresholds. The RPC poisoning playbook now sits in the public threat model. Every cross-chain service will need to reassess its infrastructure assumptions as a result of this incident.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
LayerZero
