How Hackers Stole $293M from KelpDAO: The Attack Exploiting a Single Weak Node
Hackers stole nearly $300 million by exploiting the fact that KelpDAO entrusted its entire security to a single technical node. This was not a breach of the LayerZero protocol itself — but rather a misconfiguration by one of its users. Yet the consequences rippled across the DeFi ecosystem: investors rushed to withdraw funds, and the market once again questioned how trustworthy cross-chain bridges really are.
Why One Node Is Like One Door to a Bank
Imagine building a safe for your money. Instead of installing three locks from different manufacturers, you install just one — and hand the key to your neighbor. If your neighbor is compromised or makes a mistake, your safe gets opened. That’s exactly how KelpDAO’s security system worked.
The LayerZero protocol enables different blockchains to “talk” to each other — for example, transferring tokens from Ethereum to Solana. To do this, it relies on so-called “verifier nodes.” Ideally, there should be multiple, independent verifiers distributed across separate servers. If one lies, the others override it.
But KelpDAO used only one such verifier — the one provided directly by LayerZero. This violated the fundamental principle of “don’t put all your eggs in one basket.” And hackers seized that opportunity.
How the Attack Unfolded: Lies, DDoS, and Vanishing Traces
The investigation revealed that the attackers operated like professional spies:
- First, they gained access to the list of servers (RPC nodes) LayerZero uses for communication.
- Then, they compromised two independent servers hosted on different providers and deployed malicious software on them.
- Next, those servers began sending the system a forged message: “Here’s the token transfer,” even though no actual transfer had occurred.
- To ensure the system would route requests exclusively to these servers, the hackers launched a DDoS attack against all other nodes — flooding them with fake requests and triggering overload.
- The system automatically failed over to the “quiet” and “responsive” compromised servers — and accepted their lie as truth.
- Finally, the attackers erased everything: logs, configurations, and the malicious code itself. No traces remained.
As a result, the hackers acquired 116,500 rsETH tokens (Restaked ETH) — a kind of “enhanced” version of ETH used in restaking systems. They then deposited these tokens as collateral on Aave V3 and borrowed wETH. Aave accepted the collateral as legitimate, even though the underlying asset had already been stolen. This created unbacked debt — and triggered panic among users.
North Korea? Possibly — But No Evidence Yet
The LayerZero team stated the attack was likely carried out by the Lazarus Group — a well-known hacker organization based in North Korea. Its subunit, TraderTraitor, specializes in cryptocurrency theft. However, analysts emphasize: there is no direct evidence linking Lazarus to this incident. The attribution is based solely on attack patterns and obfuscation techniques.
Crucially: even if Lazarus was involved, the vulnerability did not stem from LayerZero’s code — but from KelpDAO’s configuration. The protocol itself was never hacked; it was simply misused.
Key Takeaways
- KelpDAO relied on only one verifier node, violating a foundational DeFi security principle.
- Hackers executed a multi-stage attack: server compromise + DDoS + data spoofing + trace elimination.
- 116,500 rsETH were stolen, equivalent to ~$293 million at market price.
- The attack did not affect other LayerZero projects — the issue was local, yet it triggered systemic fear.
- LayerZero has since recovered, but trust in cross-chain bridges remains temporarily shaken.
What This Means for Everyday Users
If you hold funds in DeFi protocols — especially new or lesser-known ones — it’s worth checking: how decentralized is their security model? Do they use multiple independent verification sources? Most major platforms now do this correctly — but not all.
Moreover, attacks like this remind us: even when the underlying technology works flawlessly, human error — in configuration, parameter selection, or operational judgment — can still break everything. The crypto market is maturing — but risks persist, especially where teams rush to deploy new features without rigorously validating fundamentals.
— Editorial Team