LayerZero Details $292M rsETH Bridge Exploit, Blames TraderTraitor Intrusion

LayerZero has published a joint postmortem with Mandiant and CrowdStrike on the April 18 rsETH bridge exploit that drained 116,500 rsETH, valued at roughly $292 million. The report attributes the incident to the DPRK-linked actor TraderTraitor (tracked by Mandiant as UNC4899), which it says gained initial access by compromising a LayerZero Labs developer account in March.

According to LayerZero, the attacker extracted session keys from that account, used them to enter the company's RPC cloud environment, and deployed malicious software that altered the in-memory behavior of internal RPC nodes. The tampered nodes kept returning normal-looking results to monitoring systems while feeding manipulated responses to LayerZero's Decentralized Verifier Networks (DVNs), the components that validate cross-chain messages. The attacker also launched a denial-of-service attack against an external RPC provider, which pushed LayerZero's signing service to rely on the two internal nodes that were already compromised.

Investigators said the forged cross-chain message therefore received a valid attestation under the system's configuration, allowing the KelpDAO rsETH bridge to release the funds. The affected OApp was operating with a single-verifier setup at the time, so no second, independent DVN reviewed the message; the destination contract accepted the lone attestation and unlocked the rsETH. LayerZero said it found no evidence of compromise affecting other OApps, channels, or transactions.

In response, LayerZero said it has changed how DVN channel security is handled and will no longer allow its DVN to sign as the only required attestor. The company also rebuilt the affected cloud environment rather than patching it, deploying hardened configurations and removing legacy credentials. Additional controls include short-lived credentials, multi-person approval for changes to administrative access, and expanded device and session validation checks.
LayerZero said CrowdStrike, Mandiant, and zeroShadow remain engaged in the investigation alongside law enforcement agencies.
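The following is an added, simplified model of the failure mode described in the postmortem; it is not LayerZero code and does not reproduce the real DVN or OApp contracts. All names (`lz-dvn`, `other-dvn`, `internal-a`, the ledger and payloads) are constructed for the illustration, and HMAC stands in for the real signature scheme. A verifier reads the source chain through RPC nodes, signs if every reachable node agrees with the claimed message, and the destination releases funds when every required verifier has signed. With two tampered internal nodes, the external node unreachable, and the tampered operator's DVN as the only required attestor, the forged message is released; with the external node reachable, or with a second independent DVN required, it is not.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Message:
    """A cross-chain message as seen on the source chain (constructed model)."""
    src_chain: str
    nonce: int
    payload: bytes

    def digest(self) -> bytes:
        # Canonical hash that verifiers sign and the destination checks.
        return hashlib.sha256(
            self.src_chain.encode() + self.nonce.to_bytes(8, "big") + self.payload
        ).digest()


class RpcNode:
    """Source-chain RPC endpoint. `tampered` maps nonce -> forged message and
    stands in for the in-memory modification of the internal nodes; `up=False`
    stands in for the external provider taken down by the DoS."""

    def __init__(self, name: str, ledger: Dict[int, Message],
                 tampered: Optional[Dict[int, Message]] = None, up: bool = True):
        self.name, self.ledger, self.tampered, self.up = name, ledger, tampered or {}, up

    def get_message(self, nonce: int) -> Message:
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        return self.tampered.get(nonce, self.ledger[nonce])


class DVN:
    """Verifier: reads the source chain through its RPC nodes and signs the
    digest only if every reachable node agrees with the claimed message.
    HMAC stands in for the real signature scheme."""

    def __init__(self, name: str, key: bytes, nodes: List[RpcNode]):
        self.name, self.key, self.nodes = name, key, nodes

    def attest(self, claimed: Message) -> Optional[bytes]:
        seen = []
        for node in self.nodes:
            try:
                seen.append(node.get_message(claimed.nonce))
            except ConnectionError:
                continue  # degraded mode: silently fall back to the nodes left
        if not seen or any(m != claimed for m in seen):
            return None  # no data, or sources disagree: refuse to sign
        return hmac.new(self.key, claimed.digest(), "sha256").digest()

    def check(self, claimed: Message, sig: bytes) -> bool:
        expected = hmac.new(self.key, claimed.digest(), "sha256").digest()
        return hmac.compare_digest(expected, sig)


def destination_accepts(claimed: Message, sigs: Dict[str, Optional[bytes]],
                        required: List[DVN]) -> bool:
    """Destination-side rule: every required DVN must have signed.
    required == [single_dvn] is the single-verifier configuration."""
    for dvn in required:
        sig = sigs.get(dvn.name)
        if sig is None or not dvn.check(claimed, sig):
            return False
    return True


# Constructed sample data, not real chain state or real addresses.
LEDGER = {7: Message("ethereum", 7, b"release 10 rsETH to user")}
FORGED = Message("ethereum", 7, b"release 116500 rsETH to attacker")


def build(external_up: bool):
    internal_a = RpcNode("internal-a", LEDGER, tampered={7: FORGED})
    internal_b = RpcNode("internal-b", LEDGER, tampered={7: FORGED})
    external = RpcNode("external", LEDGER, up=external_up)
    lz = DVN("lz-dvn", b"key-1", [internal_a, internal_b, external])
    # Independent verifier with its own, untouched RPC path.
    other = DVN("other-dvn", b"key-2", [RpcNode("other-rpc", LEDGER)])
    return lz, other


def single_verifier_outcome(external_up: bool = False) -> bool:
    """Only lz-dvn is required. Returns True if the forged message is released."""
    lz, _ = build(external_up)
    return destination_accepts(FORGED, {lz.name: lz.attest(FORGED)}, [lz])


def two_verifier_outcome(external_up: bool = False) -> bool:
    """lz-dvn plus an independent DVN are both required."""
    lz, other = build(external_up)
    sigs = {d.name: d.attest(FORGED) for d in (lz, other)}
    return destination_accepts(FORGED, sigs, [lz, other])


if __name__ == "__main__":
    print("single DVN, external RPC down :", single_verifier_outcome(False))  # True
    print("single DVN, external RPC up   :", single_verifier_outcome(True))   # False
    print("two DVNs, external RPC down   :", two_verifier_outcome(False))     # False
```

Two properties of the model are doing the work. First, the DVN treats an unreachable node as absent rather than as a reason to stop signing, so taking the only independent source offline leaves it with nothing but the tampered nodes, which agree with each other. Second, the destination trusts whoever is in `required`; a single entry means one operator's infrastructure is the whole trust boundary. Either change on its own, refusing to sign when a source is unreachable or requiring a second verifier with its own RPC path, makes the forged message fail in this model, which is the shape of the fix LayerZero describes.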