How Kelp's Security Setup Led to $290M Exploit
LayerZero Labs pointed to Kelp DAO's choice to use a single security verifier as the cause of the $290 million exploit, a setup LayerZero had previously warned against. The attack didn't target the protocol's core code but its infrastructure. LayerZero identified North Korea's Lazarus Group and its TraderTraitor subunit as the likely attackers. They compromised two remote procedure call (RPC) nodes, which are vital for LayerZero's verifier. These nodes were used to confirm fake cross-chain transactions, while a distributed denial-of-service (DDoS) attack on other nodes helped push through the fraudulent data. This allowed Kelp's bridge to release 116,500 rsETH to the attackers. The exploit worked because Kelp relied on a single validator, LayerZero Labs, for its rsETH bridge. In response, LayerZero will stop signing messages for applications using single-verifier setups. This forces a shift across the protocol to multi-verifier systems, which require agreement from several independent verifiers. The goal is to prevent future exploits caused by single points of failure in how applications are configured. LayerZero confirmed that no other applications using multi-verifier systems were affected.
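To make the single-verifier versus multi-verifier difference concrete, here is an added Python model of destination-side message delivery. It is not LayerZero's or Kelp's code: the verifier names (dvn1, dvn2, dvn3), the message format, the HMAC stand-in for real signatures, and the two constructed messages are all assumptions for illustration. One verifier's view of the source chain is poisoned, standing in for the compromised RPC nodes described above; the other verifiers never see the forged message and so decline to attest.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Message:
    """A cross-chain message as the destination endpoint sees it (constructed format)."""
    src_chain: str
    dst_chain: str
    nonce: int
    payload: str

    def digest(self) -> bytes:
        raw = f"{self.src_chain}|{self.dst_chain}|{self.nonce}|{self.payload}".encode()
        return hashlib.sha256(raw).digest()


class Verifier:
    """An independent verifier. It attests to a message only if its own RPC
    nodes report that message as finalized on the source chain. HMAC stands in
    for a real signature scheme (assumption for illustration)."""

    def __init__(self, name: str, key: bytes, source_view: Set[bytes]):
        self.name = name
        self._key = key
        self.source_view = source_view

    def attest(self, msg: Message) -> Optional[bytes]:
        if msg.digest() not in self.source_view:
            return None  # never observed on the source chain: refuse to attest
        return hmac.new(self._key, msg.digest(), hashlib.sha256).digest()


class Bridge:
    """Destination-side delivery check. Every 'required' verifier must attest,
    and at least 'threshold' of the 'optional' verifiers must attest too."""

    def __init__(self, keys: Dict[str, bytes], required: Iterable[str],
                 optional: Iterable[str] = (), threshold: int = 0):
        self.keys = dict(keys)
        self.required = set(required)
        self.optional = set(optional)
        self.threshold = threshold
        self.delivered: Set[int] = set()  # nonces already executed (replay guard)

    def _valid_attesters(self, msg: Message,
                         attestations: Dict[str, Optional[bytes]]) -> Set[str]:
        valid = set()
        for name, sig in attestations.items():
            key = self.keys.get(name)
            if key is None or sig is None:
                continue
            expected = hmac.new(key, msg.digest(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, sig):
                valid.add(name)
        return valid

    def deliver(self, msg: Message, attestations: Dict[str, Optional[bytes]]) -> bool:
        if msg.nonce in self.delivered:
            return False
        valid = self._valid_attesters(msg, attestations)
        if not self.required <= valid:
            return False
        if len(valid & self.optional) < self.threshold:
            return False
        self.delivered.add(msg.nonce)
        return True


def run_scenario() -> Dict[str, bool]:
    # Constructed messages: one genuine, one that never happened on the source chain.
    legit = Message("chainA", "chainB", 1, "mint 10 rsETH to 0xUSER")
    forged = Message("chainA", "chainB", 2, "mint 116500 rsETH to 0xATTACKER")
    keys = {"dvn1": b"k1", "dvn2": b"k2", "dvn3": b"k3"}
    # dvn1's RPC nodes are compromised: they report the forged message as finalized.
    honest_view = {legit.digest()}
    poisoned_view = {legit.digest(), forged.digest()}
    verifiers = [Verifier("dvn1", keys["dvn1"], poisoned_view),
                 Verifier("dvn2", keys["dvn2"], honest_view),
                 Verifier("dvn3", keys["dvn3"], honest_view)]

    def collect(msg: Message) -> Dict[str, Optional[bytes]]:
        return {v.name: v.attest(msg) for v in verifiers}

    single = Bridge(keys, required=["dvn1"])
    multi = Bridge(keys, required=["dvn1", "dvn2"], optional=["dvn3"], threshold=1)
    return {
        "single_accepts_legit": single.deliver(legit, collect(legit)),
        "single_accepts_forged": single.deliver(forged, collect(forged)),
        "multi_accepts_legit": multi.deliver(legit, collect(legit)),
        "multi_accepts_forged": multi.deliver(forged, collect(forged)),
        "multi_rejects_replay": not multi.deliver(legit, collect(legit)),
    }
```

Under the single-verifier configuration the poisoned verifier's attestation is sufficient, so the forged mint goes through. Under the multi-verifier configuration the same attestation is not enough, because the independent verifiers with an honest source-chain view decline to sign. Note the trade-off the article's DDoS detail implies: if honest verifiers are knocked offline, a multi-verifier bridge stalls (loss of liveness) rather than accepting fraudulent data (loss of safety), which is the failure mode a defender prefers.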
Escalating Threats: Lazarus Group and Infrastructure Risks
This attack's advanced nature, along with other recent exploits, signals a worsening threat landscape. The Lazarus Group, previously linked to the $280 million Drift Protocol exploit, shows an ability to change attack methods. They moved from targeting governance signers at Drift to exploiting infrastructure RPCs at Kelp. This flexibility is outpacing how quickly many DeFi protocols are improving their defenses. The incident also highlights the risks of RPC nodes, which act as the entry point for blockchain data. Compromised RPC nodes can be used to fake transaction confirmations, as happened here. Keeping RPC nodes available is essential for blockchain networks to function. Bridge hacks alone have caused about 70% of the value lost in DeFi over the last two years. LayerZero, a major player in blockchain infrastructure that has raised over $318 million and reached a $3 billion valuation, is now facing closer examination of its network's security and how its integrations are configured. The U.S. National Cybersecurity Strategy for 2026 specifically prioritizes protecting blockchain and crypto assets, recognizing these technologies as critical infrastructure.
Configuration Errors Cause Major Losses, Not Just Protocol Flaws
The Kelp DAO exploit is a stark reminder that even robust core protocols can be at risk if integrated with insecure setups. Kelp's decision not to use LayerZero's recommended multi-verifier system created a major vulnerability through integrator choices, not protocol flaws. While a bug in the core protocol might affect all related tokens, this was a failure in a specific application's architecture, yet the financial loss was just as severe. The Lazarus Group has been highly successful, draining over $575 million from DeFi in the 18 days before this exploit. This shows their playbook is evolving and that DeFi protocols face growing pressure to secure not only their smart contracts but also the external infrastructure and configurations they depend on. DeFi's interconnected nature means a single weak point, especially in bridge contracts or RPC nodes, can cause widespread contagion. This was seen with impacts on Aave, Compound, and Euler after the Kelp incident. A key challenge remains: making sure the security of individual DeFi apps strengthens, rather than weakens, the security of the infrastructure they use.
LayerZero's Mandate Pushes Industry Towards Stronger Security
LayerZero's firm decision to mandate multi-verifier configurations is a major step, guiding the industry toward more consistent and resilient security for cross-chain communication. This policy change mirrors a wider trend in the blockchain sector, where engineering maturity and strong infrastructure are increasingly vital as adoption rises. As DeFi moves toward greater institutional involvement and higher asset values, the demand for demonstrably secure and dependable infrastructure will grow. This incident highlights the essential need for careful attention not only to code audits but also to thoroughly evaluating and following recommended security configurations for all linked components. The growing attention on cybersecurity in national strategies also suggests that future regulations will likely require higher standards for blockchain infrastructure, promoting a more forward-thinking approach to security.
