A sophisticated cyberattack attributed to the Lazarus Group, a notorious North Korean hacking collective, resulted in a $290 million cryptocurrency theft from the Kelp DAO decentralized finance protocol. The heist took place when attackers exploited Kelp DAO's reliance on a single verifier configuration to validate instructions. They specifically targeted LayerZero, the cross-chain messaging infrastructure that facilitates these transactions. By compromising a part of LayerZero's Decentralized Verifier Network, hackers executed a remote procedure call spoofing attack to forge valid instructions, allowing them to drain 116,500 rsETH, equivalent to approximately $292 million.
Upon discovering the breach, Kelp DAO promptly paused the affected contracts and blacklisted the attackers' wallet. This swift action prevented further losses by blocking a subsequent attack that aimed to steal an additional 40,000 rsETH, valued at around $95 million. Despite these efforts, the incident had a widespread impact on the broader decentralized finance ecosystem. Aave, a decentralized non-custodial liquidity protocol, experienced a significant drop in total value, losing nearly $8 billion as users rushed to withdraw assets.
The attack highlights the importance of adopting industry best practices for cross-chain verification processes. According to LayerZero, the breach might have been averted if Kelp DAO had implemented a multi-verifier network setup, which is recommended to avoid single points of failure. Despite previous recommendations from LayerZero, Kelp DAO continued with its single-verifier configuration, which it states was confirmed as appropriate at the time of its Layer 2 expansion. Meanwhile, Kelp DAO has shifted focus to prevent further risks within decentralized finance, collaborating with partners like the Arbitrum Security Council to freeze assets linked to the theft.


