LayerZero Publishes rsETH Hack Post-Mortem, Rebuilds Compromised Systems
LayerZero on May 20 published a detailed report on the rsETH exploit involving KelpDAO's rsETH bridge, which is built using LayerZero's cross-chain messaging protocol. The incident, which occurred on April 18, resulted in the theft of about 116,500 rsETH, valued at roughly $292 million.
Several security firms have attributed the attack to TraderTraitor (UNC4899), a North Korea-linked hacking group. LayerZero said its core protocol and other OApps (omnichain applications) were not affected; the attacker targeted KelpDAO's bridge configuration, which relied on a single-verifier setup: one DVN, with no second signature required.
According to the report, the intrusion began on March 6, when the attacker used social engineering to obtain a LayerZero Labs developer's session key. From there, the attacker accessed the company's RPC cloud environment and compromised internal RPC nodes. The nodes were modified with memory patches designed to appear normal to monitoring tools while feeding manipulated blockchain state to LayerZero Labs' DVN (Decentralized Verifier Network).
The attacker then carried out a DoS attack against external RPC providers, leaving the DVN dependent solely on the compromised internal nodes. With every source the DVN consulted now under attacker control, the DVN signed verifications (valid signatures over forged content) for cross-chain messages that never occurred on the source chain. Because KelpDAO's channel was configured with that one DVN as its only verifier, the destination contract accepted the lone attestation and released rsETH.
LayerZero Labs said it has since taken multiple steps, including tightening operational requirements so channels where its DVN participates must meet minimum security standards and cannot rely on the DVN as the sole validator signature. The company also rebuilt the affected infrastructure under a zero-trust architecture with just-in-time privilege escalation, and said it is working with ecosystem partners to continuously improve security configurations. LayerZero added that it is coordinating with law enforcement and security firms to investigate attribution and trace funds.
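To make the two checkpoints in this chain concrete (the DVN's choice of RPC sources, and the receiving chain's verifier quorum), here is an added illustrative simulation in Python. It is not LayerZero's, LayerZero Labs' or KelpDAO's code. Part 1 models a DVN that cross-checks block state across several RPC sources and refuses to sign when too few are reachable or when they disagree; part 2 models the on-chain acceptance rule, written after the required/optional DVN threshold fields of a LayerZero V2 ULN configuration as generally described, not taken from the protocol's contracts. The node names, DVN names, block hashes and the `min_sources` parameter are constructed for the example.

```python
"""Simulation of the two checkpoints in the rsETH incident chain (added example)."""
from dataclasses import dataclass

HONEST_HASH = "0xaaaa"   # constructed: the state the real source chain has
FORGED_HASH = "0xbbbb"   # constructed: the state the patched internal node invents


@dataclass
class RpcNode:
    name: str
    reported: dict  # block number -> block hash; a missing key means unreachable (e.g. under DoS)

    def block_hash(self, number):
        return self.reported.get(number)


def dvn_attest(nodes, block_number, min_sources):
    """Part 1: what the DVN is willing to sign for `block_number`, or None.

    Requires at least `min_sources` reachable nodes and unanimous agreement among
    them. With min_sources=1 the DoS in the article is enough to make a lone
    patched node the only voice; with min_sources=2 the DVN simply stops signing.
    """
    answers = {n.name: n.block_hash(block_number) for n in nodes}
    reachable = {k: v for k, v in answers.items() if v is not None}
    if len(reachable) < min_sources:
        return None  # degrade to "refuse to sign", not to "trust whoever is left"
    if len(set(reachable.values())) != 1:
        return None  # sources disagree: at least one is lying, do not sign
    return next(iter(reachable.values()))


@dataclass(frozen=True)
class UlnConfig:
    required_dvns: frozenset
    optional_dvns: frozenset = frozenset()
    optional_threshold: int = 0


def message_verified(cfg, verifications, payload_hash):
    """Part 2: modelled receive-side rule. `verifications` maps DVN name -> hash it attested.

    Verified iff every required DVN attested `payload_hash` and at least
    `optional_threshold` of the optional DVNs did as well.
    """
    agree = {d for d, h in verifications.items() if h == payload_hash}
    if not cfg.required_dvns <= agree:
        return False
    return len(agree & cfg.optional_dvns) >= cfg.optional_threshold


def run_scenario():
    """Replay the chain: patched node, DoS on providers, then single vs. multi-DVN configs."""
    block = 100
    internal = RpcNode("internal-patched", {block: FORGED_HASH})
    provider_a = RpcNode("provider-a", {block: HONEST_HASH})
    provider_b = RpcNode("provider-b", {block: HONEST_HASH})
    provider_a_dos = RpcNode("provider-a", {})   # unreachable during the DoS
    provider_b_dos = RpcNode("provider-b", {})

    out = {}
    # Before the DoS the patched node is outvoted by the external providers.
    out["normal_min1"] = dvn_attest([internal, provider_a, provider_b], block, 1)
    # During the DoS a DVN that tolerates a single source signs the forged state...
    out["dos_min1"] = dvn_attest([internal, provider_a_dos, provider_b_dos], block, 1)
    # ...while one that insists on two independent sources refuses.
    out["dos_min2"] = dvn_attest([internal, provider_a_dos, provider_b_dos], block, 2)

    # Receive side: "dvn-a" is the compromised verifier; it is the only one attesting the forgery.
    attestations = {"dvn-a": FORGED_HASH}
    lone = UlnConfig(required_dvns=frozenset({"dvn-a"}))
    two_required = UlnConfig(required_dvns=frozenset({"dvn-a", "dvn-b"}))
    one_required_plus_optional = UlnConfig(
        required_dvns=frozenset({"dvn-a"}),
        optional_dvns=frozenset({"dvn-b", "dvn-c"}),
        optional_threshold=1,
    )
    out["lone_accepts_forged"] = message_verified(lone, attestations, FORGED_HASH)
    out["two_required_accepts_forged"] = message_verified(two_required, attestations, FORGED_HASH)
    out["optional_accepts_forged"] = message_verified(one_required_plus_optional, attestations, FORGED_HASH)
    # A genuine message that both verifiers saw still passes the stricter config.
    honest = {"dvn-a": HONEST_HASH, "dvn-b": HONEST_HASH}
    out["two_required_accepts_honest"] = message_verified(two_required, honest, HONEST_HASH)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of the simulation is that the two failures compound: a DVN whose source quorum can silently collapse to one node, and a channel whose verifier quorum is already one DVN. Fixing either breaks the chain, which is why the remediation above addresses both the DVN's operating requirements and the channel configuration.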