LayerZero KelpDAO exploit: $292M rsETH stolen; DVN single point fixed

LayerZero has published its incident report on the KelpDAO rsETH bridge attack, confirming that about 116,500 rsETH (≈$292M) was stolen. LayerZero says the issue was confined to KelpDAO’s rsETH deployment and was caused by a risky single-DVN (1/1) setup in which LayerZero Labs acted as the only verifier. It attributes the breach to compromised off-chain verification infrastructure, not a core LayerZero protocol flaw.

Attackers allegedly “poisoned” the DVN’s RPC nodes by accessing the RPC list, compromising two nodes in separate clusters, replacing op-geth binaries, and feeding forged transaction data only to the DVN while returning accurate data elsewhere. A DDoS forced failover onto the poisoned nodes, enabling the DVN to approve messages that never occurred on-chain.

Attribution has been tightened: Chainalysis links the activity to North Korea’s Lazarus Group (TraderTraitor). Nexus Mutual estimated the $292M drain occurred in under 46 minutes. LayerZero responded by replacing affected RPC nodes, restoring DVN operations, involving law enforcement and partners (including Seal911), and, most importantly, stopping signing/attesting for any applications using 1/1 DVN configurations while pushing multi-DVN redundancy and independent verifier consensus.
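The single point of failure described above, as an added example that is not taken from LayerZero's report or code: a small Python model comparing a failover-based chain read under a 1/1 verifier rule with a 2-of-2 rule and with a quorum read that fails closed. All function names, message ids and hashes are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: payload hash the source chain recorded per message id.
CHAIN = {"msg-1": "hash-real"}
FORGED_ID, FORGED_HASH = "msg-forged", "hash-forged"  # never happened on-chain

def honest_rpc(msg_id):
    return CHAIN.get(msg_id)

def poisoned_rpc(msg_id):
    # Tampered node: reports the forged message as if it were on-chain.
    return FORGED_HASH if msg_id == FORGED_ID else CHAIN.get(msg_id)

def down_rpc(msg_id):
    raise ConnectionError("unreachable")  # e.g. a node knocked offline by DDoS

def read_failover(rpcs, msg_id):
    """Weak read: trust the first RPC that answers."""
    for rpc in rpcs:
        try:
            return rpc(msg_id)
        except ConnectionError:
            continue
    return None

def read_quorum(rpcs, msg_id, quorum):
    """Hardened read: accept a value only if `quorum` RPCs agree, else fail closed."""
    answers = Counter()
    for rpc in rpcs:
        try:
            answers[rpc(msg_id)] += 1
        except ConnectionError:
            pass
    value, votes = answers.most_common(1)[0] if answers else (None, 0)
    return value if votes >= quorum and value is not None else None

def app_accepts(dvn_reads, threshold, msg_id, claimed_hash):
    """Application rule: at least `threshold` independent verifiers must attest."""
    if claimed_hash is None:
        return False
    votes = sum(read(msg_id) == claimed_hash for read in dvn_reads)
    return votes >= threshold

# Verifier A: primary is offline, so failover lands on the tampered node.
dvn_a = lambda m: read_failover([down_rpc, poisoned_rpc], m)
# Verifier B: a separate operator with its own, unaffected RPC.
dvn_b = lambda m: read_failover([honest_rpc], m)
# Verifier A rebuilt to require 2 matching answers out of its 3 nodes.
dvn_a_quorum = lambda m: read_quorum([down_rpc, poisoned_rpc, honest_rpc], m, 2)
```

With only `dvn_a` and a threshold of 1, the forged message is accepted. Adding the independent `dvn_b` with a threshold of 2, or switching verifier A to the quorum read, rejects it while the genuine message still passes.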
Bearish
This is a direct DeFi hack tied to the rsETH bridge flow: the LayerZero KelpDAO exploit is confirmed at ~112k+ rsETH (~$292M), and the report highlights a structural weakness (a 1/1 DVN single point of failure) combined with forged data and DDoS-induced failover. For rsETH traders, that implies elevated counterparty and operational risk, with likely near-term redemptions, liquidity stress, and sentiment damage. Even though LayerZero is tightening controls (multi-DVN push, stopping attestation for 1/1 DVN apps, RPC node replacement) and law enforcement tracing is underway, the event’s magnitude and the speed of loss (under 46 minutes) can keep volatility elevated in the short term. Longer term, security upgrades could stabilize confidence, but the immediate market reaction to a confirmed large drain on rsETH is typically negative.