
LayerZero links Kelp DAO exploit to Lazarus as DeFi losses deepen



LayerZero said North Korea’s Lazarus Group is the likely actor behind the Kelp DAO exploit that drained 116,500 rsETH worth about $292 million. 

Summary

  • LayerZero said Lazarus likely led the Kelp DAO exploit that drained 116,500 rsETH worth $292 million.
  • LayerZero blamed Kelp DAO’s single-DVN setup, saying no backup verifier blocked the forged cross-chain message.
  • The exploit triggered over $10 billion in Aave outflows and a wider DeFi TVL drop.

The company said early indicators point to a “highly-sophisticated state actor” and named “DPRK’s Lazarus Group, more specifically TraderTraitor” in its latest statement.

The attack took place on April 18 and quickly became the largest DeFi exploit reported this year. LayerZero said the attacker targeted the system used to verify cross-chain messages, which allowed a false message to pass through and unlock tokens on the bridge.

LayerZero said the attacker got access to the list of RPC nodes used by LayerZero Labs’ decentralized verifier network, or DVN. According to the company, the attacker then poisoned two of those nodes so they delivered a fake cross-chain message to the verifier network.

At the same time, the attacker launched a DDoS attack against clean nodes, which pushed the DVN to rely on the poisoned nodes. LayerZero said this combination allowed the forged message to move through the system and trigger the token unlock that led to the loss.

In addition, LayerZero said the damage became possible because Kelp DAO used a single 1-of-1 DVN setup with no backup verifier. The company said this created a single point of failure, leaving no independent check to reject the fake message before the bridge released funds.

In its statement, LayerZero said “operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message.” It also said “LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO.” The company added that it will no longer sign messages for applications that use a 1/1 DVN setup.
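The single-point-of-failure argument can be shown with a simplified model, added here as an illustration and not taken from LayerZero's or Kelp DAO's code. The function names, the count of four RPC nodes and the sample payloads are assumptions; it compares a 1-of-1 setup with a 2-of-3 setup, and a verifier that falls back to whichever RPC nodes still answer with one that fails closed.

```python
import hashlib
from collections import Counter

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def dvn_attest(rpc_answers, min_agree):
    """Hash a verifier (DVN) will sign, or None to abstain.
    rpc_answers has one entry per configured RPC node; None = unreachable.
    min_agree counts against configured nodes, so an outage cannot lower it."""
    live = [a for a in rpc_answers if a is not None]
    if not live:
        return None
    value, votes = Counter(live).most_common(1)[0]
    return value if votes >= min_agree else None

def bridge_accepts(delivered, attestations, required):
    """Release only if `required` DVNs attested exactly the delivered hash."""
    return sum(1 for h in attestations.values() if h == delivered) >= required

# Constructed sample data (assumption: 4 RPC nodes, 2 poisoned, 2 offline).
GENUINE = payload_hash(b"constructed: state actually on the source chain")
FORGED = payload_hash(b"constructed: forged unlock message")
DEGRADED_VIEW = [FORGED, FORGED, None, None]
CLEAN_VIEW = [GENUINE, GENUINE, GENUINE, GENUINE]

def scenarios():
    fallback = dvn_attest(DEGRADED_VIEW, min_agree=1)  # trusts whatever answers
    strict = dvn_attest(DEGRADED_VIEW, min_agree=3)    # fails closed, abstains
    independent = dvn_attest(CLEAN_VIEW, min_agree=3)  # separate DVN, clean RPCs
    return {
        "1-of-1, fallback RPC": bridge_accepts(FORGED, {"dvn_a": fallback}, 1),
        "1-of-1, strict RPC": bridge_accepts(FORGED, {"dvn_a": strict}, 1),
        "2-of-3, fallback RPC": bridge_accepts(
            FORGED,
            {"dvn_a": fallback, "dvn_b": independent, "dvn_c": independent},
            2,
        ),
    }

if __name__ == "__main__":
    for name, released in scenarios().items():
        print(f"{name}: {'RELEASED' if released else 'rejected'}")
```

Only the first scenario releases funds: either an independent second verifier or a fail-closed RPC quorum is enough to reject the forged hash in this model.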

Aave outflows and DeFi pressure follow exploit

The exploit spread stress across DeFi after the attacker moved stolen rsETH to Aave V3 and used it as collateral to borrow large amounts of WETH. This raised concern over possible bad debt on Aave and led the protocol to freeze rsETH markets on both V3 and V4.

Aave founder Stani Kulechov said “RsETH has been frozen on Aave V3 and V4” and added that the asset no longer has borrowing power because of the Kelp DAO bridge exploit. Historical data from Aavescan showed more than $10 billion left Aave after the attack, with total supplied funds falling to $35.7 billion from $45.8 billion.

The fallout extended beyond Aave. Several DeFi protocols, including Ethena, ether.fi, Tron DAO, and Curve Finance, paused LayerZero OFT bridges as a precaution. 

DefiLlama data showed DeFi total value locked dropped 7% in 24 hours to about $86.3 billion, down from $99.5 billion on April 18. LayerZero said there is “zero contagion” for other assets or applications using multi-DVN setups, while law enforcement efforts to trace the funds continue.



Published by Adam Forsyth