LayerZero Labs acknowledged a Lazarus Group attack on internal RPCs and a multisig signer’s unauthorized personal trade, impacting 0.36% of assets on the protocol.
LayerZero on Friday issued a public apology for its handling of the April 18 exploit that drained roughly $292 million from Kelp DAO’s rsETH bridge, conceding it should not have allowed its own validator to operate as the sole verifier securing high-value transactions.
In a blog post which begins by stating “first things first: an overdue apology,” the interoperability protocol said its internal RPC nodes — used by the LayerZero Labs Decentralized Verifier Network (DVN) — were compromised by North Korea’s Lazarus Group, which “poisoned” their source of truth, while its external RPC provider was simultaneously hit by a DDoS attack. LayerZero said the underlying protocol itself was not affected.
“We believe developers should choose their own security configurations, but we made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions,” the company wrote. “We didn’t police what our DVN was securing, which created a risk we simply didn’t see. We own that.”
The incident impacted a single application — about 0.14% of applications built on LayerZero — and roughly 0.36% of the value of assets across the network, according to the post. LayerZero said more than $9 billion has moved across the protocol since April 19, the day after the exploit.
Previous Finger-Pointing
The apology is a shift from LayerZero’s earlier postmortem, which said the protocol “functioned exactly as intended” and pointed to Kelp’s manual configuration as the root cause. Kelp DAO publicly disputed that account, alleging LayerZero had approved the 1-of-1 DVN setup, and announced it would migrate its bridge infrastructure to Chainlink’s CCIP. Solv Protocol followed days later with plans to move more than $700 million in tokenized bitcoin tech off LayerZero.
LayerZero outlined a series of changes since April 19. The LayerZero Labs DVN no longer services 1/1 DVN configurations. Default settings on all pathways are being migrated to 5/5 where possible, with a minimum of 3/3 on chains where only three DVNs are available — a notable shift given that a recent Dune analysis found 47% of active LayerZero OApps still ran a 1-of-1 setup. The team is also building a second DVN client in Rust for client diversity and has reconfigured RPC quorums to mix internal, dedicated-external, and shared-external nodes.
Unreported Incident
The post also disclosed a separate, previously unreported incident from three and a half years ago, in which a multisig signer used the company’s multisig hardware wallet to execute a personal trade rather than a personal device. LayerZero said the signer was removed, wallets were rotated, and that the company has since added anomaly-detection software to signing devices.
LayerZero said it has built a custom multisig called OneSig and plans to raise its own multisig threshold from 3-of-5 to 7-of-10 across all supported chains. OneSig hashes transactions locally on the signer’s machine to prevent backend tampering, and each signer runs a private anomaly checker. The company said it is also rolling out Console, a platform for asset issuers to configure and monitor deployments, with built-in detection for unknown DVNs, ownership changes and unsafe configurations.
LayerZero said an official post-mortem will be published once its external security partners conclude their work. The hack also left Aave with an estimated $124 million to $230 million in bad debt, and a coalition of DeFi protocols has outlined a technical path to restore rsETH’s backing.
