BlockBeats News, May 20th, LayerZero releases rsETH exploit incident report: The KelpDAO rsETH bridge, built on LayerZero's cross-chain messaging protocol, was attacked on April 18th, resulting in approximately 116,500 rsETH (worth around $292 million) being stolen. Multiple security firms attributed this attack to the North Korean hacker group TraderTraitor (UNC4899). The attack did not impact the LayerZero protocol itself or other OApps, but specifically targeted KelpDAO's bridge, which used a single-validator setup.
The attack began on March 6th, with the attacker using social engineering to obtain LayerZero Labs developers' session keys, infiltrate their RPC cloud environment, and poison internal RPC nodes. A memory patch injected into these nodes made them give normal responses to monitoring tools while presenting tampered blockchain state information to LayerZero Labs' DVN (Decentralized Validator Network). Subsequently, the attacker launched a DoS attack against external RPC providers, forcing the DVN to rely solely on the compromised internal nodes, which ultimately led it to generate valid proofs for forged cross-chain messages. Because of KelpDAO's single-validator setup, the target contract accepted the sole proof and unlocked the rsETH.
Following the incident, LayerZero Labs took several measures:
Changed its operational stance, mandating that channels served by its DVN meet minimum security configurations (it will refuse to sign as the sole validator);
Completely rebuilt the affected infrastructure, adopting a zero-trust architecture and real-time privilege elevation mechanisms;
Continued collaborating with ecosystem partners to enhance security configurations, while cooperating with law enforcement and security firms on the investigation, attribution, and fund tracing.
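The failure described above, where an outage of external RPC providers left a verifier relying only on its own poisoned nodes, is the case a fail-closed source check is meant to stop. The sketch below is an added illustration, not code from LayerZero's report or from any project named here; the provider names, hashes and the `min_external` threshold are constructed assumptions.

```python
class QuorumError(Exception):
    """Too little independent evidence: the caller must not sign."""


def agreed_block_hash(responses, internal, min_external=2):
    """Return the block hash only when it is independently corroborated.

    responses: {provider_name: block_hash, or None on timeout/error}
    internal:  names of self-hosted nodes (a single trust domain)
    """
    live = {name: h for name, h in responses.items() if h is not None}
    external_live = [name for name in live if name not in internal]
    # Fail closed: an outage of external providers must never degrade
    # into "trust whatever the internal nodes say".
    if len(external_live) < min_external:
        raise QuorumError(f"{len(external_live)} external source(s) answered, "
                          f"need {min_external}")
    # Any disagreement about the same block is a refusal and an alert.
    if len(set(live.values())) != 1:
        raise QuorumError(f"sources disagree: {sorted(live.items())}")
    return next(iter(live.values()))


def decide(responses, internal, min_external=2):
    """Map the check to a verifier action: ('sign', hash) or ('refuse', why)."""
    try:
        return ("sign", agreed_block_hash(responses, internal, min_external))
    except QuorumError as exc:
        return ("refuse", str(exc))


# Constructed sample data: names and hashes are placeholders.
INTERNAL = frozenset({"internal-1", "internal-2"})
HASH_A = "0x" + "aa" * 32   # state reported by unaffected sources
HASH_B = "0x" + "bb" * 32   # different state reported by internal nodes

healthy = {"internal-1": HASH_A, "internal-2": HASH_A,
           "ext-1": HASH_A, "ext-2": HASH_A}
externals_down = {"internal-1": HASH_B, "internal-2": HASH_B,
                  "ext-1": None, "ext-2": None}
split_view = {"internal-1": HASH_B, "internal-2": HASH_B,
              "ext-1": HASH_A, "ext-2": HASH_A}

if __name__ == "__main__":
    for label, sample in [("healthy", healthy),
                          ("externals_down", externals_down),
                          ("split_view", split_view)]:
        print(label, decide(sample, INTERNAL))
```

Both refusal cases should also raise an alert, since simultaneous loss of every external source is itself a signal worth investigating.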
