LayerZero: KelpDAO $290M rsETH exploit isolated via single-DVN

LayerZero said the KelpDAO $290 million rsETH exploit on April 20 was not a LayerZero protocol failure, but an application-layer issue tied to KelpDAO’s “single-DVN” setup. In LayerZero’s update, the breach was described as isolated to KelpDAO’s rsETH flow, with “zero contagion” to other LayerZero-integrated assets. The company also provided new operational details and attribution clues. Preliminary indicators point to DPRK’s Lazarus Group, specifically the “TraderTraitor” subgroup. LayerZero claims the attacker pivoted through LayerZero Labs’ DVN-dependent RPC infrastructure: it allegedly poisoned downstream RPCs, swapped binaries on compromised op-geth nodes, then used DDoS pressure to steer verification toward the tainted nodes while relying on RPC spoofing to reduce detection. LayerZero said its DVN instances were not directly compromised due to least-privilege controls. On mitigations, LayerZero reported it deprecated affected RPC nodes and stopped signing/attesting for 1/1 (single-DVN) configurations. It is coordinating with partners and law enforcement (including Seal911) to track funds. Aave responded that rsETH on Ethereum mainnet remains fully backed, but rsETH is still frozen on Aave V3 and V4, with exposure capped. WETH reserves also remain frozen across affected markets (Ethereum, Arbitrum, Base, Mantle, Linea) while data validation continues. For traders, the rsETH exploit narrative shifts risk from broad cross-chain contagion toward configuration hardening and verifier redundancy. However, Aave freezes can keep rsETH liquidity constrained in the short term, which may amplify volatility even if “zero contagion” limits systemic bridge fears.