Initial Takeaways on LayerZero DVN Security Incident
Contents
On 2026/04/18 17:35 UTC, threat actors which have been linked to the DPRK with high confidence stole 116,500 rsETH by fraudulently triggering an attestation from the LayerZero DVN, which was configured as the sole validator for the Kelp DAO OApp. Since 2026/04/18 18:34 UTC, SEAL has been actively coordinating incident response efforts alongside Kelp DAO, LayerZero, and other involved parties. As we do not have discretion to disclose any information from the war rooms, we encourage readers to refer to LayerZero’s and Kelp’s statements for context.
While this is still an ongoing incident, and as such facts and circumstances may change, we wanted to share some initial takeaways. We hope to formalize these recommendations in a SEAL Framework once the incident is fully resolved.
What went right
First, it’s worth recognizing that several things went right to mitigate additional damage. Kelp DAO successfully blocked the attacker within an hour (18:23 UTC), preventing additional …
While this is still an ongoing incident, and as such facts and circumstances may change, we wanted to share some initial takeaways. We hope to formalize these recommendations in a SEAL Framework once the incident is fully resolved.
What went right
First, it’s worth recognizing that several things went right to mitigate additional damage. Kelp DAO successfully blocked the attacker within an hour (18:23 UTC), preventing additional …