BEARISH 📉 : Crypto community blasts LayerZero after $290M KelpDAO hack, rejects multi-DVN fix

LayerZero blamed KelpDAO’s 1‑of‑1 verifier for a $290M rsETH drain via its bridge. Builders pushed back, saying the failure stemmed from compromised DVN RPCs, not user misconfig.

Two days after the hack, LayerZero called it a “highly sophisticated” crypto infrastructure attack and attributed it to North Korea’s Lazarus Group, adding there was “zero contagion” to other apps. The company said attackers poisoned downstream RPCs used by a LayerZero Labs DVN, swapped binaries to forge messages, and used DDoS to force failover to tainted nodes, leading the DVN to confirm fake transactions.

LayerZero placed responsibility on KelpDAO’s single‑DVN setup and urged migrating 1‑of‑1 configurations to multi‑DVN. The firm said the incident was isolated to Kelp’s rsETH configuration. Source.

The exploit, at $290M, eclipsed recent hits and followed the $285M Drift Protocol incident on Solana. Context.

Criticism mounted. “Bridge collapsed… you said it’s their fault,” wrote Saint, calling it “zero accountability.” Post.

Others questioned why a 1‑of‑1 option exists if DVNs are meant to harden security. “If the system allows this option… it’s a fundamental design flaw,” wrote Ditto, adding DVN RPC compromise is on LayerZero. Post.

Chainlink community manager Zach Rynes accused LayerZero of deflecting responsibility for its own DVN node being compromised and “throwing KelpDAO under the bus.” Post.

Yearn’s Artem K warned bridges shouldn’t be re‑enabled yet, noting the post describes an RPC compromise without detailing the breach path. Post.

Analyst The Smart Ape said the fix is misdiagnosed. Multiple DVNs won’t help if they share the same few RPC providers; poisoning those can trick all verifiers at once. He argued each verifier should run its own full node on different client software and clouds, peered to different parts of the Ethereum network. “Lazarus didn’t break cryptography… They broke three servers.” Post.

Headline: LayerZero pins $290M KelpDAO hack on 1‑of‑1 DVN; builders fault DVN RPCs, question multi‑DVN “fix”