KelpDAO $290 million heist tied to Lazarus hackers

State-sponsored North Korean hackers may be behind the $290 million crypto heist that hit the KelpDAO DeFi project on Saturday.
The attack also reportedly affected lending protocols Compound, Euler, and Aave, with Aave announcing a freeze and a ban on new deposits or loans using rsETH as collateral.
KelpDAO is a decentralized finance (DeFi) project built around liquid restaking on the Ethereum network. It accepts user ETH deposits, restakes them, and returns a liquid token called ‘rsETH,’ which represents the restaked position.
The rsETH token is intended to let users continue to earn restaking yield while the asset remains usable across DeFi, including cross-chain through LayerZero, a communication protocol between blockchains and an interoperability layer.
On April 18, KelpDAO announced that it had detected “suspicious cross-chain activity” involving rsETH, forcing it to temporarily suspend rsETH contracts across the Ethereum mainnet and L2s.
The project launched an investigation with the help of LayerZero, Unichain, and other partners.
Blockchain activity showed that about 116,500 rsETH, worth about $293 million, was stolen and passed through Tornado Cash to hide the trail.
According to additional details shared by LayerZero today, the attack targeted the verification layer (DVN) used to verify rsETH cross-chain messages.
Specifically, the attackers compromised the RPC nodes used by the verifier, providing false blockchain data, while simultaneously DDoS-ing healthy RPC nodes to force the system to rely on “poisonous” ones.
This allowed a forged cross-chain message to be accepted as valid. The system verified transactions that never happened on the chain and allowed rsETH to be transferred without authorization.
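The failure mode described above, forcing a verifier onto poisoned RPC nodes by knocking the healthy ones offline, is shown below as an added example, not code from LayerZero or KelpDAO. It contrasts a verifier that trusts whichever endpoint still answers with one that fails closed; the endpoint names, digests, and the 4-of-5 threshold are constructed assumptions.

```python
from collections import Counter
from typing import Optional

# Constructed sample values: digests of the source-chain event a verifier must confirm.
HONEST = "0xhonest-event-digest"
FORGED = "0xforged-event-digest"

def naive_verify(responses: dict) -> Optional[str]:
    """Weak policy: trust the first RPC endpoint that still answers."""
    return next((v for v in responses.values() if v is not None), None)

def quorum_verify(responses: dict, quorum: int) -> Optional[str]:
    """Fail closed: accept only a value reported by `quorum` endpoints,
    counted against the configured set, with no reachable endpoint disagreeing."""
    counts = Counter(v for v in responses.values() if v is not None)
    if len(counts) != 1:          # nobody answered, or answers conflict: halt
        return None
    value, votes = next(iter(counts.items()))
    return value if votes >= quorum else None   # an outage cannot lower the bar

# Scenario 1: all five configured endpoints are healthy.
NORMAL = {f"rpc-{i}": HONEST for i in range(1, 6)}
# Scenario 2: three healthy endpoints are offline (None = timeout) and
# the two that still answer are the compromised ones.
ATTACK = {"rpc-1": None, "rpc-2": None, "rpc-3": None,
          "rpc-4": FORGED, "rpc-5": FORGED}
# Scenario 3: one compromised endpoint, four healthy ones.
SPLIT = {**NORMAL, "rpc-5": FORGED}

if __name__ == "__main__":
    for name, scenario in (("normal", NORMAL), ("attack", ATTACK), ("split", SPLIT)):
        print(name, "| naive:", naive_verify(scenario),
              "| quorum 4/5:", quorum_verify(scenario, 4))
```

A quorum only helps when the endpoints are operated independently. A rejected or conflicting result should halt message verification and raise an alert, not trigger a retry against a smaller set.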
Based on an initial examination of the attack indicators, LayerZero believes that the notorious Lazarus hackers may be responsible for the heist.
“Initial indications suggest that a high-level state actor, possibly the DPRK’s Lazarus Group, has been taken over, specifically TraderTraitor,” LayerZero said.
The protocol also noted that the incident was isolated to rsETH and that there was no widespread contagion to other applications or assets.
While the KelpDAO breach is the largest loss so far this year in terms of stolen value, Lazarus Group has also been linked to another major theft, the $280 million stolen from Drift Protocol.
According to the post-mortem report, the attack was the result of a six-month, carefully planned operation that involved rogue agents who attended conferences and deposited $1 million in the project.