{"id":26289,"date":"2026-04-20T07:49:47","date_gmt":"2026-04-20T07:49:47","guid":{"rendered":"https:\/\/bitunikey.com\/news\/layerzero-links-kelp-dao-exploit-to-lazarus-as-defi-losses-deepen\/"},"modified":"2026-04-20T07:49:56","modified_gmt":"2026-04-20T07:49:56","slug":"layerzero-links-kelp-dao-exploit-to-lazarus-as-defi-losses-deepen","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/layerzero-links-kelp-dao-exploit-to-lazarus-as-defi-losses-deepen\/","title":{"rendered":"LayerZero links Kelp DAO exploit to Lazarus as DeFi losses deepen"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p><strong>LayerZero said North Korea\u2019s Lazarus Group is the likely actor behind the Kelp DAO exploit that drained 116,500 rsETH worth about $292 million.<\/strong><\/p>\n<div id=\"cn-block-summary-block_8af2498180026b8447388cfe28b99c11\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>LayerZero said Lazarus likely led the Kelp DAO exploit that drained 116,500 rsETH worth $292 million.<\/li>\n<li>LayerZero blamed Kelp DAO\u2019s single-DVN setup, saying no backup verifier blocked the forged cross-chain message.<\/li>\n<li>The exploit triggered over $10 billion in Aave outflows and a wider DeFi TVL drop.<\/li>\n<\/ul><\/div>\n<\/div>\n<p>The company said early indicators point to a \u201chighly-sophisticated state actor\u201d and named \u201cDPRK\u2019s Lazarus Group, more specifically TraderTraitor\u201d in its latest statement.<\/p>\n<p>The attack took place on April 18 and quickly became the largest DeFi exploit reported this year. 
LayerZero said the attacker targeted the system used to verify cross-chain messages, which allowed a false message to pass through and unlock tokens on the bridge.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Attack centered on node access and message forgery<\/strong><\/h2>\n<p>LayerZero <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/LayerZero_Core\/status\/2046081551574983137?s=20\">said<\/a> the attacker got access to the list of RPC nodes used by LayerZero Labs\u2019 decentralized verifier network, or DVN. According to the company, the attacker then poisoned two of those nodes so they delivered a fake cross-chain message to the verifier network.<\/p>\n<p>At the same time, the attacker launched a DDoS attack against clean nodes, which pushed the DVN to rely on the poisoned nodes. LayerZero said this combination allowed the forged message to move through the system and trigger the token unlock that led to the loss.<\/p>\n<p>In addition, LayerZero said the damage became possible because Kelp DAO used a single 1-of-1 DVN setup with no backup verifier. The company said this created a single point of failure, leaving no independent check to reject the fake message before the bridge released funds.<\/p>\n<p>In its statement, LayerZero said \u201coperating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message.\u201d It also said \u201cLayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO.\u201d The company added that it will no longer sign messages for applications that use a 1\/1 DVN setup.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Aave outflows and DeFi pressure follow exploit<\/strong><\/h2>\n<p>The exploit spread stress across DeFi after the attacker moved stolen rsETH to Aave V3 and used it as collateral to borrow large amounts of WETH. 
This raised concern over possible bad debt on Aave and led the protocol to freeze rsETH markets on both V3 and V4.<\/p>\n<p>Aave founder Stani Kulechov <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/StaniKulechov\/status\/2045595382986559987\">said<\/a> \u201cRsETH has been frozen on Aave V3 and V4\u201d and added that the asset no longer has borrowing power because of the Kelp DAO bridge exploit. Historical data from Aavescan <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/aavescan.com\/protocol\/totals\">showed<\/a> more than $10 billion left Aave after the attack, with total supplied funds falling to $35.7 billion from $45.8 billion.<\/p>\n<p>The fallout extended beyond Aave. Several DeFi protocols, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/CatfishFishy\/status\/2045957724538650624\">including<\/a> Ethena, ether.fi, Tron DAO, and Curve Finance, paused LayerZero OFT bridges as a precaution.<\/p>\n<p>DefiLlama data showed DeFi total value locked dropped 7% in 24 hours to about $86.3 billion, down from $99.5 billion on April 18. 
LayerZero said there is \u201czero contagion\u201d for other assets or applications using multi-DVN setups, while law enforcement efforts to trace the funds continue.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>LayerZero said North Korea\u2019s Lazarus Group is the likely actor behind the Kelp DAO exploit that drained 116,500 rsETH worth about $292 million.\u00a0 Summary LayerZero said Lazarus likely led the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1981,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-26289","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/26289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=26289"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/26289\/revisions"}],"predecessor-version":[{"id":26290,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/26289\/revisions\/26290"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/1981"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=26289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=26289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=262
89"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}