LayerZero Identifies Lazarus Group as Perpetrators of Kelp DAO Incident
LayerZero has identified the infamous Lazarus Group, allegedly linked to North Korea, as the likely perpetrator behind the significant Kelp DAO incident that resulted in a staggering loss of approximately $292 million, equating to 116,500 rsETH. In its statement released recently, LayerZero described the assault, which occurred on April 18, as a highly advanced operation, explicitly naming the subgroup ‘TraderTraitor’ as responsible.
Details of the Exploit
The exploit is now recognized as the largest decentralized finance (DeFi) exploit of this year. According to LayerZero, the attackers compromised the infrastructure that authenticates cross-chain communications. This allowed them to send fraudulent messages to the network and unlock tokens on the vulnerable bridge.
The attackers gained access to the RPC node list used by LayerZero Labs’ Decentralized Verifier Network (DVN) and compromised two of those nodes so they would serve fabricated cross-chain messages. Concurrently, they launched a Distributed Denial of Service (DDoS) attack against the remaining, uncompromised nodes, forcing the DVN to depend on the compromised ones. This dual strategy allowed the fraudulent message to pass the verification step and trigger the release of funds.
Vulnerabilities and Recommendations
LayerZero highlighted that Kelp DAO’s reliance on a single 1-of-1 DVN configuration, with no backup verifier, created a critical weakness: there was no alternate verifier available to challenge or reject the counterfeit message before it resulted in a token unlock.
The company noted that it had previously advised Kelp DAO on the importance of diversifying its DVN setup to prevent such a single point of failure. LayerZero has since announced that it will stop signing messages for applications that use a 1/1 DVN structure.
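To make the two failure points concrete (a verifier that trusts whichever RPC node still answers, and a security stack with only one required verifier), the following toy model is added here; it is not LayerZero’s code, and the node names, messages, `DVN`/`RpcNode` classes and `min_agreeing` parameter are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def payload_hash(msg):
    return hashlib.sha256(msg.encode()).hexdigest()

@dataclass
class RpcNode:
    name: str
    reachable: bool = True     # False models an honest node knocked offline by the DDoS
    forged_msg: str = None     # set on a compromised node that serves fabricated source-chain state
    def read_message(self, genuine_msg):
        if not self.reachable:
            raise ConnectionError(self.name)
        return self.forged_msg if self.forged_msg is not None else genuine_msg

@dataclass
class DVN:
    name: str
    rpc_nodes: list
    min_agreeing: int = 1      # reachable nodes that must agree before this DVN attests
    def attest(self, genuine_msg):
        """Payload hash this DVN is willing to sign, or None without a consistent quorum."""
        votes = {}
        for node in self.rpc_nodes:
            try:
                h = payload_hash(node.read_message(genuine_msg))
            except ConnectionError:
                continue               # DDoSed nodes simply drop out of the vote
            votes[h] = votes.get(h, 0) + 1
        best, count = max(votes.items(), key=lambda kv: kv[1], default=(None, 0))
        return best if count >= self.min_agreeing else None

def verify_delivery(required_dvns, delivered_msg, genuine_msg):  # destination-side check
    h = payload_hash(delivered_msg)
    return all(dvn.attest(genuine_msg) == h for dvn in required_dvns)

def scenario():
    genuine, forged = "unlock 1 rsETH to alice", "unlock 116500 rsETH to attacker"  # constructed
    nodes = [RpcNode(f"rpc-{i}", forged_msg=forged) for i in range(2)] + [   # 2 compromised
             RpcNode(f"rpc-{i}", reachable=False) for i in range(2, 5)]      # 3 honest, offline
    dvn_a = DVN("dvn-A", nodes)                          # any single answering node suffices
    dvn_a_quorum = DVN("dvn-A", nodes, min_agreeing=3)   # same list, but needs 3 agreeing nodes
    dvn_b = DVN("dvn-B", [RpcNode("other-rpc-1"), RpcNode("other-rpc-2")])  # independent nodes
    return {
        "1of1_forged_accepted": verify_delivery([dvn_a], forged, genuine),
        "1of1_with_rpc_quorum": verify_delivery([dvn_a_quorum], forged, genuine),
        "2of2_independent": verify_delivery([dvn_a, dvn_b], forged, genuine),
        "2of2_genuine_unattacked": verify_delivery([dvn_b, DVN("dvn-C", [RpcNode("c-1")])], genuine, genuine),
    }
```

Only the first configuration lets the forged unlock through; a verifier that demands agreement from several of its own RPC nodes, or a second independently operated required DVN, rejects it while still passing the genuine message under normal conditions.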
Impact on the DeFi Sector
The impact of the exploit rippled through the DeFi sector, as the attacker quickly moved the looted rsETH to the Aave V3 platform and used the stolen asset as collateral to borrow substantial amounts of Wrapped Ether (WETH). This activity raised alarms about potential bad debt on Aave, prompting the platform to halt rsETH transactions across both the V3 and V4 versions. Aave’s founder, Stani Kulechov, confirmed the immediate freeze on rsETH, noting the asset’s removal from the borrowing list due to the bridge failure.
Historical data from Aavescan indicates that over $10 billion exited Aave following the hack, with the total supplied funds plummeting from $45.8 billion to $35.7 billion. The repercussions did not end there; various DeFi projects, including Ethena, ether.fi, Tron DAO, and Curve Finance, chose to suspend their LayerZero OFT bridges as a precaution against the fallout.
DefiLlama’s statistics reflect a notable decline in overall DeFi total value locked, which fell by 7% in just 24 hours, from $99.5 billion on April 18 to roughly $86.3 billion. However, LayerZero reassured its partners that there is “zero contagion” for other assets or applications that use multi-DVN configurations, while investigations by law enforcement agencies to trace the misappropriated funds continue.