LayerZero is holding Kelp DAO responsible for the $290 million exploit, stating the liquid restaking protocol's security configuration was the critical vulnerability. The attack targeted the infrastructure layer, compromising two of LayerZero's verifier RPC nodes while disabling others via a DDoS attack.
LayerZero asserts that attackers, preliminarily identified as North Korea's Lazarus Group, manipulated RPC nodes to falsely confirm cross-chain transactions. This exploit was only possible because Kelp DAO reportedly ignored LayerZero's recommendations for a multi-verifier setup, opting instead for a single-verifier configuration.
LayerZero confirmed no other applications on its protocol were affected, particularly those utilizing multi-verifier architectures. The company has ceased signing messages for any application using a 1-of-1 configuration, mandating a shift to more robust security measures across the ecosystem.
This incident, along with a previous exploit, suggests a rapid adaptation by Lazarus Group in exploiting DeFi vulnerabilities, draining over $575 million in less than three weeks.