Executive summary
LayerZero Labs has published a full incident report for the 18 April 2026 KelpDAO rsETH exploit. The headline finding is that the attack did not begin on-chain. It began on 6 March 2026, with the social engineering of a LayerZero Labs developer, the theft of session keys, and a methodical pivot into LayerZero's internal RPC cloud infrastructure.
By the time the attacker executed the on-chain drain, releasing 116,500 rsETH worth roughly $292 million, the groundwork had been laid over six weeks. The DVN that attested to the forged message was operating on compromised internal RPC nodes. The monitoring tools were seeing clean data. The exploit itself was the last step in a much longer operation.
How the attack unfolded
The LayerZero Labs incident report attributes the initial access to TraderTraitor/UNC4899, a DPRK-linked threat group. A developer was socially engineered on 6 March, and their session keys were harvested. The attacker used those credentials to access LayerZero's RPC cloud environment over the following six weeks.
Inside the environment, the attacker patched running RPC memory on internal nodes. The patch was selective: monitoring tools received correct responses, while the LayerZero Labs DVN received tampered responses designed to support a forged cross-chain message. This bifurcation is the technically significant detail: the attack was designed to be invisible to the systems watching for it.
On 18 April, the attacker executed a denial-of-service attack against an external RPC provider. That forced the DVN signing service to fall back onto the two compromised internal nodes. With no clean external data to check against, the DVN signed the forged message. KelpDAO's bridge contract, configured to require just one DVN attestation, accepted it and released the funds.
The full failure chain
The earlier public narrative identified a 1-of-1 DVN setup and a forged message. The official report adds the operational path that made those things possible:
- Identity and session control: a developer was socially engineered and session keys were stolen.
- Cloud access and lateral movement: the attacker pivoted into LayerZero's RPC cloud environment using harvested credentials.
- RPC integrity: running memory was patched to produce bifurcated responses, correct ones to monitoring and tampered ones to the DVN.
- Monitoring gap: because the monitoring layer received clean data, no alert fired during the six-week preparation period.
- Verifier redundancy gap: KelpDAO's route accepted a single LayerZero Labs DVN attestation, so one compromised attestation was sufficient.
- Bridge execution: the destination contract released 116,500 rsETH on the strength of that one accepted message.
LayerZero states that the protocol itself was not breached and that no other OApps, channels, or transactions were compromised. The affected path was LayerZero Labs' own operational infrastructure and KelpDAO's single-verifier bridge configuration.
Timeline
| Date | Event |
|---|---|
| 6 March 2026 | LayerZero developer socially engineered; session keys harvested. |
| 6 March – 17 April | Attacker pivots into RPC cloud environment; prepares poisoned internal nodes. |
| 18 April 2026 | DoS attack against external RPC forces DVN signing service onto compromised internal nodes. |
| 18 April, 17:35 UTC | Drain transaction releases 116,500 rsETH through the KelpDAO rsETH bridge. |
| Post-incident | LayerZero rebuilds affected cloud environment; changes DVN signing policy; retains zeroShadow for tracking and seizure efforts. |
Accountability and the public dispute
LayerZero's earlier statement emphasised KelpDAO's single-DVN configuration as the enabling factor, and said the LayerZero protocol, DVN code, and key management were not breached. KelpDAO pushed back, arguing the exploit originated on LayerZero Labs' own infrastructure, and announced migration to Chainlink CCIP.
The full report is more direct. LayerZero now acknowledges that a developer was socially engineered, that session keys were stolen, that RPC cloud infrastructure was accessed, and that the affected environment was rebuilt rather than patched. Both sides of the accountability picture are now explicit: KelpDAO's single-verifier route made one forged attestation sufficient, and LayerZero's operational infrastructure was manipulated to produce that attestation. Neither fact cancels the other.
What changed after the incident
LayerZero says the LayerZero Labs DVN will now enforce a baseline security configuration on every channel it participates in, and will refuse to act as the sole required attestor on any channel. The affected cloud environment was replaced, not patched, using hardened baselines with no legacy credentials, no carried-over service accounts, just-in-time privileged elevation, multi-person review for IAM changes, and mandatory device and session validation for administrative requests.
These mitigations map directly to the failure chain. The verifier path needed independent redundancy. The infrastructure path needed stronger controls around session keys, cloud access, RPC integrity, failover logic, and administrative changes.
Six lessons for Web3 security teams
1. Observation-layer integrity is part of bridge security. A bridge can execute valid on-chain calls while its off-chain observation layer has been compromised. The DVN here accepted tampered RPC responses and attested to a forged message. Monitoring tools that only check whether services appear healthy will miss this class of attack.
2. Single-verifier routes are unacceptable for major value. A 1-of-1 verifier path means no independent source can reject a forged message. For high-value routes, verifier redundancy is a security control, not an availability feature.
3. RPC failover logic is an attack surface. The DoS against the external provider was not incidental; it was the mechanism that forced the DVN onto compromised nodes. Failover logic should be threat-modelled as part of the security boundary.
4. Monitoring must verify the observer, not just the output. The poisoned RPC nodes returned clean data to monitoring and tampered data to the DVN. Effective monitoring checks source diversity and cross-provider consistency, not only whether individual services appear healthy.
5. Session keys and cloud access are bridge-critical assets. The initial breach was not a Solidity bug. It was social engineering and credential theft. For bridge infrastructure, identity controls, device posture, and just-in-time access policies are directly tied to fund safety.
6. Collateral exposure amplifies bridge failures. The stolen rsETH was used across Aave, Compound, Euler, and other lending protocols. Bridge security failures do not remain isolated when the bridged asset is accepted as collateral across DeFi.
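Lessons 3 and 4 describe the same control from two sides: an attester should only sign when independent observers agree, and an outage of the external provider must not silently hand the decision to co-located nodes. The following Python is an added illustration, not code from LayerZero Labs, KelpDAO, or the report; it models a signing service that observes one value (a block hash) per RPC provider and decides whether to attest. Provider names, operator labels, and hash values are constructed, and the simplified "first reachable response wins" fallback is a hypothetical stand-in for the failover behaviour the narrative describes, shown next to a fail-closed quorum rule.

```python
"""Fail-closed RPC quorum for an attestation service (added example).

Model: every RPC provider reports the value the attester would sign over
(here a block hash). Providers are grouped by *operator*, because two nodes
run by the same operator share a compromise and should count as one vote.
All names and hashes below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RpcResponse:
    provider: str           # hypothetical provider name
    operator: str           # who runs the node; used for independence counting
    value: Optional[str]    # observed block hash; None means unreachable (e.g. DoS)


@dataclass(frozen=True)
class Decision:
    sign: bool
    reason: str
    agreed_value: Optional[str] = None


def legacy_fallback(responses: List[RpcResponse]) -> Optional[str]:
    """Weak pattern: take the first reachable response, so when the external
    providers are knocked offline the internal nodes alone decide."""
    for r in responses:
        if r.value is not None:
            return r.value
    return None


def decide(responses: List[RpcResponse], min_operators: int = 2) -> Decision:
    """Sign only if exactly one value is observed across all reachable
    providers AND that value is reported by at least `min_operators`
    distinct operators. Outages reduce the vote count; they never widen it."""
    reachable = [r for r in responses if r.value is not None]
    if not reachable:
        return Decision(False, "no reachable providers")

    operators_by_value: Dict[str, set] = {}
    for r in reachable:
        operators_by_value.setdefault(r.value, set()).add(r.operator)

    # Any disagreement between reachable providers is a signal, not noise:
    # refuse to sign and surface which operators reported what.
    if len(operators_by_value) > 1:
        detail = {v: sorted(ops) for v, ops in operators_by_value.items()}
        return Decision(False, f"divergent responses: {detail}")

    (value, operators), = operators_by_value.items()
    if len(operators) < min_operators:
        return Decision(False, f"only {len(operators)} independent operator(s) "
                               f"reachable; need {min_operators}")
    return Decision(True, "quorum of independent operators agree", value)


# Constructed scenarios. "Labs" stands in for the attester's own internal
# nodes; "ExtA"/"ExtB" for unrelated external providers. Hashes are made up.
SCENARIOS: Dict[str, List[RpcResponse]] = {
    "normal": [
        RpcResponse("ext-a", "ExtA", "0xaaaa"),
        RpcResponse("ext-b", "ExtB", "0xaaaa"),
        RpcResponse("internal-1", "Labs", "0xaaaa"),
        RpcResponse("internal-2", "Labs", "0xaaaa"),
    ],
    # External providers unreachable (DoS); only co-located internal nodes,
    # both returning a tampered value, remain.
    "external_dos": [
        RpcResponse("ext-a", "ExtA", None),
        RpcResponse("ext-b", "ExtB", None),
        RpcResponse("internal-1", "Labs", "0xf0f0"),
        RpcResponse("internal-2", "Labs", "0xf0f0"),
    ],
    # External provider still up and disagreeing with the internal nodes.
    "divergent": [
        RpcResponse("ext-a", "ExtA", "0xaaaa"),
        RpcResponse("internal-1", "Labs", "0xf0f0"),
        RpcResponse("internal-2", "Labs", "0xf0f0"),
    ],
}


if __name__ == "__main__":
    for name, responses in SCENARIOS.items():
        d = decide(responses)
        print(f"{name:13s} legacy={legacy_fallback(responses)!s:7s} "
              f"quorum_sign={d.sign} reason={d.reason}")
```

In the `external_dos` scenario the legacy fallback happily returns the tampered hash, which is the shape of the failure described in the report; the quorum rule refuses because only one operator is reachable. The `divergent` case shows the cross-provider consistency check from lesson 4: rather than picking a winner, the service stops and reports the disagreement, which is the alert the six-week preparation window would have needed to produce.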
Closing analysis
The KelpDAO incident is now a more complete and more useful case study than the early reporting suggested. It was not just a bridge message issue. It was not just an application configuration issue. The exploit crossed social engineering, cloud infrastructure access, RPC integrity manipulation, verifier redundancy failure, and bridge execution, with downstream exposure across multiple DeFi lending markets.
The practical lesson: if a protocol depends on off-chain observers, RPC providers, operators, or signers, those components are part of the asset custody path. The attacker does not need to break the smart contract if they can make the contract receive a valid-looking lie.