KelpDAO Incident Statement
Contents
On April 18, 2026, KelpDAO was exploited for approximately $290M. Preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor. This incident was isolated to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup. There is zero contagion to any other cross-chain assets or applications.
The subject of this highly-sophisticated attack was the poisoning of the downstream RPC infrastructure used by the LayerZero Labs DVN. All affected RPC nodes have been deprecated and replaced, and the LayerZero Labs DVN is now live.
We share these details to help the community better understand and guard against this emerging type of state-sponsored attack vector.
Background: LayerZero's Modular Security Architecture
The LayerZero protocol is built on a foundation of modular, application-configurable security. Decentralized Verifier Networks (DVNs) are independent entities responsible for verifying the integrity of cross-chain messages. Critically, the protocol does not prescribe a single security configuration. Instead, …
The subject of this highly-sophisticated attack was the poisoning of the downstream RPC infrastructure used by the LayerZero Labs DVN. All affected RPC nodes have been deprecated and replaced, and the LayerZero Labs DVN is now live.
We share these details to help the community better understand and guard against this emerging type of state-sponsored attack vector.
Background: LayerZero's Modular Security Architecture
The LayerZero protocol is built on a foundation of modular, application-configurable security. Decentralized Verifier Networks (DVNs) are independent entities responsible for verifying the integrity of cross-chain messages. Critically, the protocol does not prescribe a single security configuration. Instead, …