{"id":72277,"date":"2026-05-09T15:42:40","date_gmt":"2026-05-09T15:42:40","guid":{"rendered":"https:\/\/crowdfundjunction.com\/blog\/layerzero-discloses-rpc-poisoning-incident-linked-to-292m-kelpdao-hack\/"},"modified":"2026-05-09T15:42:40","modified_gmt":"2026-05-09T15:42:40","slug":"layerzero-discloses-rpc-poisoning-incident-linked-to-292m-kelpdao-hack","status":"publish","type":"post","link":"https:\/\/crowdfundjunction.com\/blog\/layerzero-discloses-rpc-poisoning-incident-linked-to-292m-kelpdao-hack\/","title":{"rendered":"Layerzero Discloses RPC Poisoning Incident Linked to $292M KelpDAO Hack"},"content":{"rendered":"<p><b>(Originally posted on : Bitcoin News )<\/b><br \/>\n<\/p>\n<div>\n<div class=\"@container mb-[25px] rounded-sm overflow-clip py-0.5 pr-0.5 pl-2.5 bg-success-100\">\n<div class=\"flex flex-col gap-m overflow-clip rounded-[6px] !bg-success-10 p-3 @[420px]:p-m\">\n<h2 class=\"m-0 flex items-center gap-s text-[19px] !text-[#1c1c1c] md:text-[20px]\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"16\" height=\"10\" viewbox=\"0 0 16 10\" fill=\"none\" class=\"shrink-0 text-success-100\" aria-hidden=\"true\"><path d=\"M1 1.5h14\" stroke=\"currentColor\" stroke-width=\"2.5\" stroke-linecap=\"round\"\/><path d=\"M1 8.5h10\" stroke=\"currentColor\" stroke-width=\"2.5\" stroke-linecap=\"round\"\/><\/svg><span>Key Takeaways<\/span><\/h2>\n<ul class=\"m-0 flex list-none flex-col gap-m pl-0\">\n<li class=\"m-0 flex items-start gap-s !text-[#434248]\"><span class=\"mt-2 size-2 shrink-0 rounded-full bg-success-100\" aria-hidden=\"true\"\/><span class=\"text-body\">Lazarus Group attacked Layerzero Labs internal RPCs and poisoned data sources in order to attack the KelpDAO DeFi project.<\/span><\/li>\n<li class=\"m-0 flex items-start gap-s !text-[#434248]\"><span class=\"mt-2 size-2 shrink-0 rounded-full bg-success-100\" aria-hidden=\"true\"\/><span class=\"text-body\">The security breach impacted 0.14% of applications and roughly 0.36% of asset value 
associated with Layerzero.<\/span><\/li>\n<li class=\"m-0 flex items-start gap-s !text-[#434248]\"><span class=\"mt-2 size-2 shrink-0 rounded-full bg-success-100\" aria-hidden=\"true\"\/><span class=\"text-body\">Layerzero Labs is migrating all defaults to a 5\/5 DVN setup to improve cross-chain security.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<h2>Layerzero Labs Apologizes for Lazarus Group Security Breach Response<\/h2>\n<p>Layerzero Labs issued a <a href=\"https:\/\/layerzero.network\/blog\/an-overdue-apology\" target=\"_blank\" rel=\"noopener noreferrer\">candid apology<\/a> for a three-week communication silence following a security breach involving the <a href=\"https:\/\/news.bitcoin.com\/lazarus-group-suspected-of-moving-175m-in-eth-after-arbitrum-freezes-71m-from-kelpdao-exploit\/\">Lazarus Group<\/a>. According to an official update, the attackers poisoned the source of truth for internal Remote Procedure Calls (RPCs) used by the Layerzero Labs Decentralized Verifier Network (DVN).<\/p>\n<p>This sophisticated hit coincided with a Distributed Denial of Service (DDoS) attack against the firm\u2019s external RPC provider. The fallout, according to the report, was contained to a small fraction of the ecosystem. <a href=\"https:\/\/news.bitcoin.com\/layerzero-claims-zero-contagion-after-290m-exploit-as-disputed-narratives-deepen-scrutiny\/\">Layerzero<\/a> noted that the incident impacted a single application, representing 0.14% of total apps and 0.36% of the total value locked on the protocol.<\/p>\n<p>Since April 19, the team detailed that it has been working with external <a href=\"https:\/\/news.bitcoin.com\/digital-asset-security-moves-beyond-keys-as-bitgo-adds-5-layer-checks\/\">security<\/a> partners to finalize a comprehensive post-mortem report. The team further admitted to a significant oversight in allowing their DVN to act as a solo verifier for high-value transactions. 
Layerzero also acknowledged that they failed to police what their DVN was securing, which created a \u201csingle point of failure\u201d risk.<\/p>\n<p>To rectify this, the lab is now educating developers on safe configurations and will no longer service 1\/1 DVN setups. The disclosure also addressed a bizarre security lapse involving a multisig signer. Three and a half years ago, an individual mistakenly used a multisig hardware wallet for a personal trade.<\/p>\n<p>The signer has since been removed, and the firm has implemented a custom-built multisig solution dubbed \u201cOnesig.\u201d Onesig is designed to prevent unauthorized backend transactions by hashing and merklizing transactions locally on the user\u2019s side. Layerzero noted that it is also increasing its multisig threshold from 3\/5 to 7\/10 across all chains where Onesig is supported.<\/p>\n<p>This move, the firm explained, is part of a broader effort to harden the protocol against future state-sponsored threats. Despite the breach, the protocol emphasized that more than $9 billion in <a href=\"http:\/\/www.bitcoin.com\/get-started\/what-is-trading-volume\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">volume<\/a> has moved across the network since April 19. Layerzero stressed that it was built with the thesis that applications should own their security end-to-end to avoid systemic risks.<\/p>\n<p>The architecture has facilitated over $260 billion in total transfers to date, according to the blog post. Moving forward, Layerzero recommends that developers pin their configurations instead of relying on defaults. The team also suggests setting block confirmations to levels where reorganizations are nearly impossible.<\/p>\n<p>The team is currently developing a second DVN client written in Rust to foster client diversity. Additional upgrades include a more robust RPC quorum configuration. 
This, Layerzero detailed, allows DVNs to select granular quorums across internal and external providers. The team is also launching \u201cConsole,\u201d a unified platform for asset issuers to manage security and monitor for anomalies.<\/p>\n<p>The Layerzero team remains adamant that the underlying protocol was unaffected by the RPC poisoning. They maintain that the modular design allowed the rest of the $9 billion in recent traffic to stay secure. The admission of a Lazarus Group-linked attack underscores the real and persistent threat facing cross-chain infrastructure today. Layerzero\u2019s message follows a few <a href=\"http:\/\/www.bitcoin.com\/get-started\/what-is-defi-decentralized-finance\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">DeFi<\/a> projects <a href=\"https:\/\/news.bitcoin.com\/solv-protocol-and-re-switch-to-chainlink-ccip-moving-nearly-1b-away-from-layerzero\/\">choosing<\/a> to <a href=\"http:\/\/www.bitcoin.com\/get-started\/what-is-leverage-in-crypto-trading\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">leverage<\/a> <a href=\"https:\/\/news.bitcoin.com\/chainlink-unlocks-onchain-access-to-us-stocks-24-5\/\">Chainlink<\/a>\u2019s CCIP.<\/p>\n<p>Earlier this week, North Korea\u2019s Foreign Ministry (via state media KCNA) <a href=\"http:\/\/kcna.kp\/en\/article\/q\/cf85ca1a3f52cdfafd1364f780df9dc6.kcmsf\" target=\"_blank\" rel=\"noopener noreferrer\">rejected<\/a> U.S. and international claims linking it to <a href=\"http:\/\/www.bitcoin.com\/get-started\/a-quick-introduction-to-crypto\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">cryptocurrency<\/a> thefts and cyberattacks. They called the accusations \u201cabsurd slander,\u201d \u201cfalse information,\u201d and a politically motivated smear campaign by the U.S. 
to tarnish their image.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.bitcoin.com\/layerzero-discloses-rpc-poisoning-incident-linked-to-292m-kelpdao-hack\/\">Source link <\/a><br \/>\n<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>(Originally posted on : Bitcoin News ) Key Takeaways Lazarus Group attacked Layerzero Labs internal RPCs and poisoned data sources in order to attack the KelpDAO DeFi project. The security breach impacted 0.14% of applications and roughly 0.36% of asset value associated with Layerzero. Layerzero Labs is migrating all defaults to a 5\/5 DVN setup [&hellip;]<\/p>\n","protected":false},"author":19,"featured_media":72278,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[32],"tags":[],"_links":{"self":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/72277"}],"collection":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/comments?post=72277"}],"version-history":[{"count":0,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/72277\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media\/72278"}],"wp:attachment":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media?parent=72277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/categories?post=72277"},{"taxonomy":"post_tag","embedd
able":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/tags?post=72277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}