$290 Million Kelp DAO Crypto Heist Blamed on North Korea
The hackers targeted LayerZero’s DVN, compromising certain RPCs and DDoSing others to trigger failover to the poisoned infrastructure.

Aggregated from SecurityWeek
North Korea-linked Lazarus Group has been blamed for a $290 million cryptocurrency heist from the Kelp DAO DeFi protocol.
The attack occurred at 17:35 UTC on Sunday, when the attackers delivered a malicious instruction to drain 116,500 rsETH (restaked ether), worth roughly $292 million.
Following the heist, Kelp paused the relevant contracts and blacklisted the attackers’ wallet, which blocked a second attack that targeted an additional 40,000 rsETH (worth roughly $95 million).
A liquid restaking protocol, Kelp DAO routes user-deposited ETH through the restaking protocol EigenLayer to earn additional rewards, and issues rsETH.
Kelp DAO relies on a ‘1-of-1 verifier configuration’ to validate instructions, and the attackers targeted it to poison the verification process and drain funds.
For that, they targeted LayerZero, the cross-chain messaging infrastructure that allows blockchains to send verified instructions.
LayerZero’s Decentralized Verifier Network (DVN) relies on multiple RPC (remote procedure call) endpoints to check the integrity of cross-chain instructions, and the hackers managed to compromise and poison two of them.
“They used this pivot point to execute an RPC-spoofing attack. Their malicious node used a custom payload designed explicitly to forge a message to the DVN with minimal warnings,” LayerZero says.
The attackers then launched a distributed denial-of-service (DDoS) attack against the remaining RPCs, triggering a failover to the poisoned ones and allowing the hackers’ malicious instructions to pass as valid.
LayerZero says the heist was the result of a highly sophisticated attack likely mounted by TraderTraitor, a subgroup within the infamous North Korean APT Lazarus Group that has been blamed for multiple cryptocurrency heists over the past several years.
According to LayerZero, the heist could have been prevented had Kelp DAO implemented a multi-DVN setup, which is industry best practice.
“This means no single DVN should represent a unilateral point of trust or failure,” LayerZero says, noting it has previously recommended Kelp DAO migrate from its single-DVN configuration.
“LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration,” it says.
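The 1-of-1 versus multi-DVN point above, as an added illustrative example (not LayerZero’s or Kelp DAO’s code; the verifier names, hashes and threshold semantics are constructed): a quorum check that fails closed when independent verifiers disagree or too few of them answer, instead of letting a single poisoned source decide what a cross-chain message says.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    nonce: int
    payload_hash: str  # hash of the cross-chain instruction this verifier saw


# Constructed sample data, not from the incident: one genuine instruction, one forged.
GENUINE = Attestation(42, "0x1111")
FORGED = Attestation(42, "0xffff")

# What each independent verifier reports for nonce 42. "dvn-a" is modelled as
# reading from poisoned RPC endpoints; the other two read healthy ones.
VERIFIER_VIEWS = {"dvn-a": FORGED, "dvn-b": GENUINE, "dvn-c": GENUINE}


def collect(views, reachable):
    """Return attestations from verifiers that answered; verifiers knocked offline (e.g. by DDoS) are absent."""
    return {name: att for name, att in views.items() if name in reachable}


def verify(attestations, required, configured):
    """Accept a message only if at least `required` of the `configured` verifiers agree on it.
    Fails closed: too few answers, or agreement below the threshold, yields None (reject)."""
    if required < 1 or required > configured:
        raise ValueError("threshold must satisfy 1 <= required <= configured")
    if len(attestations) < required:
        return None
    payload, votes = Counter(attestations.values()).most_common(1)[0]
    return payload if votes >= required else None


def one_of_one():
    # 1-of-1: the only configured verifier is the poisoned one, so the forged message passes.
    return verify(collect(VERIFIER_VIEWS, {"dvn-a"}), required=1, configured=1)


def two_of_three_all_up():
    # 2-of-3 with every verifier answering: the honest majority outvotes the poisoned one.
    return verify(collect(VERIFIER_VIEWS, {"dvn-a", "dvn-b", "dvn-c"}), 2, 3)


def two_of_three_under_ddos():
    # 2-of-3 when the honest verifiers are unreachable: one answer is below quorum, reject.
    return verify(collect(VERIFIER_VIEWS, {"dvn-a"}), 2, 3)
```

The key property is that losing verifiers narrows what can be accepted rather than widening it, which is the opposite of a failover that silently falls back to whatever source is still answering.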
Kelp DAO, on the other hand, blames LayerZero for the snafu, saying that Kelp was not operating the targeted infrastructure and pointing out that the single-DVN setup is the configuration documented by LayerZero.
“Kelp has operated on LayerZero infrastructure since January 2024 and has maintained an open communication channel with the LayerZero team throughout. The question of DVN configuration came up during Kelp’s L2 expansion, and defaults were affirmatively confirmed as appropriate at that time,” it notes.
Kelp says it is currently prioritizing preventing contagion across DeFi. Several partners, such as Arbitrum Security Council, immediately froze assets in addresses connected to the heist.
Despite that, the impact of the incident appears to be broad. In the fallout, decentralized non-custodial liquidity protocol Aave registered a nearly $8 billion drop in total value.
According to Binance, the hackers deposited the stolen funds into Aave v3 as collateral and borrowed wrapped Ether, thus creating $195 million in debt on Aave. As users rushed to withdraw assets, Aave v3 lending pools reached full utilization, blocking over $5.1 billion in stablecoins.
Originally published by SecurityWeek