the coinformer
Contact About
Live 5m

LayerZero drops 1-of-1 verifier setup after KelpDAO hack

The company now says its own verifier will no longer sign as the sole required attestor.

Egor Komarov/Unsplash/Glitch

LayerZero, the cross-chain messaging protocol, said the $292 million KelpDAO bridge exploit began with a North Korea-linked attacker socially engineering one of its developers and poisoning internal RPC nodes.

LayerZero Labs published the incident report on May 18, about a month after attackers stole 116,500 rsETH from KelpDAO, the liquid restaking protocol behind the rsETH token. The report said Mandiant, CrowdStrike and independent researchers attributed the attack to DPRK threat actor TraderTraitor, also known as UNC4899.

According to the report, the attackers compromised LayerZero's off-chain RPC infrastructure, while KelpDAO's bridge used a single LayerZero Labs DVN, meaning one valid attestation was enough to unlock the funds.

LayerZero said the attacker first compromised a developer on March 6 through a malicious GitHub repo. The malware gave remote access and let the attackers harvest session keys used to reach LayerZero's RPC infrastructure.

By April 18, the attacker had poisoned two internal RPC nodes and launched a denial-of-service attack (also known just as DoS) against an external RPC provider, forcing the LayerZero Labs signing service to rely only on the compromised internal nodes.

LayerZero said its signer keys weren't stolen and its on-chain contracts worked as configured.

LayerZero changes stance after exits

The most important product change is that LayerZero Labs is no longer willing to be neutral about every security setup.

The report says LayerZero Labs had historically been "un-opinionated" toward app builders. Whatever configuration an app chose, the LayerZero Labs DVN would sign for it.

Now, the LayerZero Labs DVN will refuse to sign if it is the only required verifier on a channel.

LayerZero also said it rebuilt the affected cloud environment instead of just patching it, added stricter controls and now requires multiple independent RPC sources when reading security-related blockchain data. It also plans to change protocol defaults so all channels use at least a 3-of-3 DVN setup.

  • LayerZero also said in a separate X post that more than $12 billion had moved across the network in the previous four weeks and that "the world's most valuable asset issuers" had stood by it, without naming them.
  • KelpDAO said it would move rsETH to Chainlink CCIP after the exploit. Solv Protocol, a Bitcoin staking and tokenized BTC platform, said it would also migrate more than $700 million in SolvBTC and xSolvBTC from LayerZero to Chainlink after a security review.
  • Re, an on-chain reinsurance protocol, also picked Chainlink CCIP as the exclusive bridge for reUSD, while Kraken also migrated its kBTC and future wrapped assets from LayerZero to Chainlink.
👀 3