StreamLineCrypto.com
LayerZero blames Kelp’s setup for $290 million exploit, attributes it to North Korea’s Lazarus

April 20, 2026 (Updated: April 20, 2026)

LayerZero has placed responsibility for the $290 million Kelp DAO exploit on Kelp’s own security configuration, saying the liquid restaking protocol ran a single-verifier setup that LayerZero had previously warned against.

The attack used a novel vector targeting the infrastructure layer rather than any protocol code.

Attackers, whom LayerZero attributed with preliminary confidence to North Korea’s Lazarus Group and its TraderTraitor subunit, compromised two of the remote procedure call (RPC) nodes that LayerZero’s verifier relied on to confirm cross-chain transactions.

RPC nodes are the servers that let software read and write data on a blockchain, and LayerZero’s verifier used a mix of internal and external ones for redundancy.

The attackers swapped the binary software running on two of those nodes with malicious versions designed to tell LayerZero’s verifier that a fraudulent transaction had occurred, while continuing to report accurate data to every other system querying those same nodes.

That selective lying was engineered to keep the attack invisible to LayerZero’s own monitoring infrastructure, which queries the same RPCs from different IP addresses.

Compromising two nodes was not enough. LayerZero’s verifier also queried uncompromised external RPC nodes, so the attackers ran a distributed denial-of-service attack on those to force failover to the poisoned ones.

Traffic logs LayerZero shared show the DDoS running between 10:20 a.m. and 11:40 a.m. Pacific Time on Saturday. Once the failover triggered, the compromised nodes told the verifier a valid cross-chain message had arrived, and Kelp’s bridge released 116,500 rsETH to the attackers. The malicious node software then self-destructed, wiping binaries and local logs.

The attack only worked because Kelp ran a 1-of-1 verifier configuration, meaning LayerZero Labs was the sole entity verifying messages to and from the rsETH bridge.

LayerZero’s public integration guidelines and direct communications to Kelp had recommended a multi-verifier setup with redundancy, where consensus across multiple independent verifiers would be required to confirm a message. Under that configuration, poisoning one verifier’s data feed would not have been enough to forge a valid message.

“KelpDAO chose to utilize a 1/1 DVN configuration,” LayerZero wrote, using the protocol’s term for decentralized verifier networks. “A correctly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised.”
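
The failure mode described above, modeled as an added example that is not LayerZero’s or Kelp’s code: a first-responder failover policy accepts whatever the poisoned nodes report once the honest nodes are unreachable, while a fail-closed read quorum and a second independent verifier both refuse. The node model, function names, caller labels and hash value are all constructed for illustration.

```python
from collections import Counter

FORGED = "0xforged"  # constructed: payload hash of a message that was never sent
ABSENT = None        # honest answer: no such message on the source chain

def make_rpc(up=True, compromised=False):
    """Hypothetical RPC node model; a compromised node lies only to the verifier."""
    def query(caller):
        if not up:
            raise ConnectionError("unreachable")  # e.g. under DDoS
        return FORGED if compromised and caller == "verifier" else ABSENT
    return query

def failover_read(rpcs, caller):
    """Weak policy: trust the first node that answers."""
    for rpc in rpcs:
        try:
            return rpc(caller)
        except ConnectionError:
            continue
    raise RuntimeError("no RPC reachable")

def quorum_read(rpcs, caller, threshold):
    """Fail-closed policy: unreachable nodes count against the quorum."""
    answers = []
    for rpc in rpcs:
        try:
            answers.append(rpc(caller))
        except ConnectionError:
            pass
    value, votes = Counter(answers).most_common(1)[0] if answers else (ABSENT, 0)
    if votes < threshold:
        raise RuntimeError(f"quorum not met ({votes}/{len(rpcs)}), refusing to sign")
    return value

def bridge_accepts(attestations, required):
    """Receiver check: release only if `required` verifiers attest one payload."""
    seen = [h for h in attestations if h is not None]
    return len(seen) >= required and len(set(seen)) == 1

def demo():
    rpcs = [make_rpc(up=False)] * 3 + [make_rpc(compromised=True)] * 2  # constructed topology
    poisoned = failover_read(rpcs, "verifier")   # failover lands on a poisoned node
    monitor = failover_read(rpcs, "monitor")     # monitoring sees nothing wrong
    try:
        quorum_read(rpcs, "verifier", threshold=3)
        refused = False
    except RuntimeError:
        refused = True
    return poisoned, monitor, refused, bridge_accepts([poisoned], 1), bridge_accepts([poisoned, ABSENT], 2)
```

`demo()` returns the poisoned read, the clean monitoring read, whether the quorum policy refused, and the bridge decision under 1-of-1 versus 2-of-2 where the second verifier honestly reports no message. The quorum threshold only helps if it exceeds the number of nodes an attacker can control, which is why it is set to 3 against two poisoned nodes here.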

LayerZero said it has confirmed zero contagion to any other application on the protocol. Every OFT-standard token and application running multi-verifier setups was unaffected.

The LayerZero Labs verifier is back online, and the company said it will not sign messages for any application running a 1-of-1 configuration, forcing a protocol-wide migration off single-verifier setups.

The architectural distinction matters for how DeFi prices LayerZero risk going forward.

A protocol-level bug would have implied every OFT token on every chain was potentially at risk. However, a configuration failure by a single integrator, combined with a targeted infrastructure attack, implies the protocol worked as designed and that Kelp’s security choices, not LayerZero’s code, created the opening.

Kelp has not yet publicly responded to LayerZero’s framing or addressed why it operated a 1-of-1 verifier setup despite the explicit recommendations against it.

Lazarus Group has been linked to the Drift Protocol exploit on April 1 and now Kelp on April 18, meaning the same North Korean unit has drained more than $575 million from DeFi in 18 days through two structurally different attack vectors: social engineering governance signers at Drift and poisoning infrastructure RPCs at Kelp.

The group is adapting its playbook faster than DeFi protocols are hardening their defenses.
