LayerZero 將 2.9 億美元的漏洞攻擊歸咎於 Kelp 的設定，並將其歸因於北韓的 Lazarus

📄完整原文· 由 trafilatura 自動擷取5455 字

LayerZero blames Kelp's setup for $290 million exploit, attributes it to North Korea's Lazarus LayerZero said the attackers compromised two RPC nodes the company's verifier relied on and DDoS'd the rest, with the attack working only because Kelp had ignored multi-verifier recommendations. What to know: - LayerZero blamed the $290 million Kelp DAO exploit on Kelp's decision to use a single-verifier configuration, despite prior warnings to adopt a multi-verifier setup. - Attackers, whom LayerZero preliminarily linked to North Korea's Lazarus Group, compromised two RPC nodes and used a DDoS attack to force failover, tricking LayerZero's verifier into approving a fraudulent cross-chain transaction. - LayerZero said the incident stemmed from Kelp's security choices rather than a protocol-level bug, has found no contagion to other applications, and will no longer sign messages for any project using a 1-of-1 verifier configuration. LayerZero has placed responsibility for the $290 million Kelp DAO exploit on Kelp's own security configuration, saying the liquid restaking protocol ran a single-verifier setup that LayerZero had previously warned against. The attack used a novel vector targeting the infrastructure layer rather than any protocol code. Attackers, whom LayerZero attributed with preliminary confidence to North Korea's Lazarus Group and its TraderTraitor subunit, compromised two of the remote procedure call (RPC) nodes that LayerZero's verifier relied on to confirm cross-chain transactions. RPC nodes are the servers that let software read and write data on a blockchain, and LayerZero's verifier used a mix of internal and external ones for redundancy. The attackers swapped the binary software running on two of those nodes with malicious versions designed to tell LayerZero's verifier that a fraudulent transaction had occurred, while continuing to report accurate data to every other system querying those same nodes. That selective lying was engineered to keep the attack invisible to LayerZero's own monitoring infrastructure, which queries the same RPCs from different IP addresses. Compromising two nodes was not enough. LayerZero's verifier also queried uncompromised external RPC nodes, so the attackers ran a distributed denial-of-service attack on those to force failover to the poisoned ones. Traffic logs LayerZero shared show the DDoS running between 10:20 a.m. and 11:40 a.m. Pacific Time on Saturday. Once the failover triggered, the compromised nodes told the verifier a valid cross-chain message had arrived, and Kelp's bridge released 116,500 rsETH to the attackers. The malicious node software then self-destructed, wiping binaries and local logs. The attack only worked because Kelp ran a 1-of-1 verifier configuration, meaning LayerZero Labs was the sole entity verifying messages to and from the rsETH bridge. LayerZero's public integration checklist and direct communications to Kelp had recommended a multi-verifier setup with redundancy, where consensus across several independent verifiers would be required to confirm a message. Under that configuration, poisoning one verifier's data feed would not have been enough to forge a valid message. "KelpDAO chose to utilize a 1/1 DVN configuration," LayerZero wrote, using the protocol's term for decentralized verifier networks. "A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised." LayerZero said it has confirmed zero contagion to any other application on the protocol. Every OFT-standard token and application running multi-verifier setups was unaffected. The LayerZero Labs verifier is back online, and the company said it will no longer sign messages for any application running a 1-of-1 configuration, forcing a protocol-wide migration off single-verifier setups. The architectural distinction matters for how DeFi prices LayerZero risk going forward. A protocol-level bug would have implied every OFT token on every chain was potentially at risk. However, a configuration failure by a single integrator, combined with a targeted infrastructure attack, implies the protocol worked as designed and that Kelp's security choices, not LayerZero's code, created the opening. Kelp has not yet publicly responded to LayerZero's framing or addressed why it operated a 1-of-1 verifier setup despite the explicit recommendations against it. Lazarus Group has been linked to the Drift Protocol exploit on April 1 and now Kelp on April 18, meaning the same North Korean unit has drained more than $575 million from DeFi in 18 days through two structurally different attack vectors: social engineering governance signers at Drift and poisoning infrastructure RPCs at Kelp. The group is adapting its playbook faster than DeFi protocols are hardening their defenses. More For You Breach tied to compromised AI tool may have exposed credentials used by app frontends, the user-facing layer that connects web3 wallets and trading interfaces to backend services. What to know: - Web infrastructure provider Vercel disclosed a security breach that may have exposed customer API keys, prompting crypto projects to rotate credentials and review their code. - Vercel traced the intrusion to a compromised Google Workspace connection via third-party AI tool Context.ai, but said environment variables marked as sensitive are stored in...

資料狀態✓ 已擷取全文閱讀原文（CoinDesk）

🔍歷史類似事件· 關鍵字 + 標的比對6 則

2026-04-22

北韓與 4 月份 Kelp DAO 遭駭後價值 5.78 億美元的竊案有關

相似度 230%關鍵字 korea/north/exploit

2026-04-20

LayerZero 將 2.92 億美元的 KelpDAO 橋接駭客攻擊歸咎於北韓的 Lazarus Group

相似度 230%關鍵字 korea/north/layerzero

2026-04-20

LayerZero 表示 Kelp 的設定導致了漏洞利用，Aave 的損失疑慮隨之增加

相似度 230%關鍵字 layerzero/exploit/setup

2026-04-20

LayerZero 表示 Kelp 的設定導致了漏洞利用，Aave 的損失引發各界質疑

相似度 230%關鍵字 layerzero/exploit/setup

2026-04-22

Kelp DAO 遭駭 2.92 億美元一事顯示，為何 crypto bridges 仍是該產業最脆弱的環節之一

相似度 180%關鍵字 million/exploit/kelp

2026-04-22

交易員認為 Kelp 不會分攤 2.92 億美元遭駭後的損失

相似度 180%關鍵字 million/exploit/kelp

💡 目前用關鍵字 + 標的比對（MVP）· 之後會升級為 embedding 語意搜尋

原始資訊

ID：57d0cc46dd

來源：CoinDesk

發佈：2026-04-20 04:01:57

分類：一般 · 導出分類 neutral

標的：未指定

社群投票：+0 / −0 · ⭐ 0 重要 · 💬 0 留言