LayerZero has published its comprehensive incident report on the massive April attack on KelpDAO’s rsETH bridge.
According to the report, approximately 116,500 rsETH were stolen in the attack that took place on April 18. The total value of the stolen assets is estimated to be around $292 million. Multiple security companies believe that the North Korea-linked hacker group TraderTraitor (UNC4899) was behind the attack.
According to the company’s statement, the attack did not directly target the LayerZero protocol or other OApps. It affected only the rsETH bridge, which KelpDAO had configured with a single validator. LayerZero stated that the incident was rooted in an advanced social engineering operation carried out at the infrastructure level.
According to the report, attackers obtained LayerZero Labs developers’ session keys through social engineering methods as of March 6. They then infiltrated the company’s RPC cloud environment and manipulated internal RPC nodes by deploying memory patches. These nodes continued to return normal data to monitoring tools, but provided altered blockchain state information to LayerZero’s DVN (Decentralized Validator Network) system.
It was also stated that the attackers launched DoS attacks against external RPC providers, thus making the DVN system dependent solely on the compromised internal nodes. This process ultimately generated valid evidence for forged cross-chain messages, and because KelpDAO’s single validator configuration allowed it, the rsETH contract accepted this evidence, releasing the assets.
Following the incident, LayerZero Labs announced significant changes to its security architecture. The company stated that it has mandated minimum security configurations for channels using DVN and will no longer provide signatures as the sole validator. Furthermore, it was noted that the affected infrastructure has been completely rebuilt based on a zero-trust architecture, and instant privilege escalation mechanisms have been implemented.
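To make the two configurations concrete, here is a simplified model (added here; it is not LayerZero’s or KelpDAO’s code) of how a DVN reads chain state from its RPC endpoints and how a channel’s required/optional DVN layout decides whether a message is accepted. Node names, the `min_sources` rule and the required/optional layout are assumptions for illustration; the scenario reproduces the report’s chain of a patched internal node, DoSed external RPCs and a single-validator channel, then shows the same message rejected under a stricter configuration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values: the honest chain state and the altered state the
# compromised nodes served. Names are hypothetical, not LayerZero identifiers.
HONEST_STATE = "state:honest"
FORGED_STATE = "state:forged"

@dataclass
class RpcNode:
    name: str
    state: Optional[str]            # None models an endpoint knocked offline by DoS

@dataclass
class Dvn:
    """One verifier: reads chain state from its RPC endpoints and attests to it."""
    name: str
    rpcs: list
    min_sources: int = 1            # reachable endpoints that must exist and agree

    def attests(self, claimed: str) -> bool:
        reachable = [r.state for r in self.rpcs if r.state is not None]
        if len(reachable) < self.min_sources:
            return False            # fail closed instead of trusting whatever is left
        return all(s == claimed for s in reachable)

@dataclass
class ChannelConfig:
    """Security config of one channel: required DVNs plus an optional-DVN threshold."""
    required: list
    optional: list = field(default_factory=list)
    optional_threshold: int = 0

def message_verified(cfg: ChannelConfig, claimed: str) -> bool:
    if not all(d.attests(claimed) for d in cfg.required):
        return False
    return sum(d.attests(claimed) for d in cfg.optional) >= cfg.optional_threshold

def incident_scenario():
    """Patched internal node, external RPCs unreachable, then two channel configs."""
    internal = RpcNode("internal-rpc", FORGED_STATE)
    ext_a, ext_b = RpcNode("ext-rpc-a", None), RpcNode("ext-rpc-b", None)
    lone_dvn = Dvn("labs-dvn", [internal, ext_a, ext_b], min_sources=1)
    # As configured: one DVN whose only reachable source is the compromised node.
    single = ChannelConfig(required=[lone_dvn])
    # Hardened: the same DVN must see two agreeing sources, and a second,
    # independently hosted DVN must also attest.
    strict_dvn = Dvn("labs-dvn", [internal, ext_a, ext_b], min_sources=2)
    independent = Dvn("partner-dvn", [RpcNode("partner-rpc", HONEST_STATE)])
    hardened = ChannelConfig(required=[strict_dvn, independent])
    return message_verified(single, FORGED_STATE), message_verified(hardened, FORGED_STATE)
```

`incident_scenario()` returns `(True, False)`: the forged state passes the single-validator channel and fails the hardened one.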
LayerZero added that they continue to strengthen their security configurations together with their ecosystem partners and are collaborating with law enforcement and security companies to investigate the attack, identify the perpetrator, and track fund movements.