LayerZero: The KelpDAO attack was carried out by a North Korean hacking group. The impact of this incident is limited to rsETH.

On April 20th, PANews reported that LayerZero issued a security incident statement on X regarding KelpDAO, stating that KelpDAO had been attacked, resulting in losses of approximately $290 million. Initial indications suggest that the attack may have originated from a highly sophisticated state actor, most likely TraderTraitor, a subgroup of North Korea's Lazarus Group. Because KelpDAO uses a single-DVN (Decentralized Verifier Network) setup, the incident is limited to its rsETH configuration and will not affect any other cross-chain assets or applications. The attack targeted the downstream RPC infrastructure used by the LayerZero Labs DVN. The attackers obtained a list of the RPCs used by the LayerZero Labs DVN, compromised two separate nodes, and replaced the op-geth binary on them. They simultaneously launched a DDoS attack on the uninfected RPCs, triggering a failover that allowed the DVN to confirm transactions that never occurred. All affected RPC nodes have been deprecated and replaced, and the LayerZero Labs DVN is now operational again.

LayerZero emphasizes that the protocol itself functioned as expected and is free of vulnerabilities. Industry best practice is to configure multiple DVNs for redundancy; with a single-DVN configuration there is a single point of failure, because no independent validator exists to catch and reject forged messages. LayerZero Labs states that it is contacting all applications using a 1/1 DVN configuration to migrate to a redundant multi-DVN setup, and that the LayerZero Labs DVN will not sign or authenticate messages sent by any application using a 1/1 configuration.
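The failover described above, next to a fail-closed alternative, as an added example that is not LayerZero's or KelpDAO's code. The function names, operator labels and hashes are hypothetical and the sample data is constructed; it assumes a verifier that polls a fixed set of independently operated RPC nodes before attesting.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RpcAnswer:
    operator: str                # independent party running the node (hypothetical label)
    receipt_hash: Optional[str]  # None = timed out or unreachable


def failover_receipt(answers):
    """Weak pattern: trust the first node that still responds."""
    return next((a.receipt_hash for a in answers if a.receipt_hash is not None), None)


def quorum_receipt(answers, configured_operators, threshold):
    """Return the hash reported by >= threshold distinct configured operators,
    or None. Fails closed: an outage never lowers the bar."""
    if 2 * threshold <= len(configured_operators):
        raise ValueError("threshold must be a strict majority of configured operators")
    votes = defaultdict(set)
    for a in answers:
        if a.operator in configured_operators and a.receipt_hash is not None:
            votes[a.receipt_hash].add(a.operator)  # one vote per operator per hash
    if len(votes) != 1:
        return None  # no answers, or reachable nodes disagree: refuse to attest
    (receipt_hash, operators), = votes.items()
    return receipt_hash if len(operators) >= threshold else None


# Constructed sample data, not taken from the incident.
OPERATORS = {"op-a", "op-b", "op-c", "op-d", "op-e"}
FORGED = "0xforged-constructed"
REAL = "0xreal-constructed"
# Two nodes report a transaction that never happened; the rest are unreachable.
INCIDENT = [RpcAnswer("op-a", FORGED), RpcAnswer("op-b", FORGED),
            RpcAnswer("op-c", None), RpcAnswer("op-d", None), RpcAnswer("op-e", None)]
HEALTHY = [RpcAnswer(op, REAL) for op in sorted(OPERATORS)]

if __name__ == "__main__":
    print("failover:", failover_receipt(INCIDENT))
    print("quorum:  ", quorum_receipt(INCIDENT, OPERATORS, 3))
    print("healthy: ", quorum_receipt(HEALTHY, OPERATORS, 3))
```

The threshold is fixed against the configured set rather than the reachable set, so taking nodes offline produces a refusal instead of a smaller quorum. A 1/1 DVN configuration is the same weakness one layer up: a threshold of one out of one.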

Author: PA一线
