Guavy AI Editorial Team

LayerZero Blames KelpDAO Configuration Decision for $290 Million Hack

LayerZero Labs has concluded its investigation into the $290 million KelpDAO exploit, attributing it to a configuration decision made by KelpDAO rather than an underlying issue with its protocol.

The attack used an RPC poisoning technique, which exploited a single point of failure in the Decentralized Verifier Network (DVN) architecture. LayerZero emphasized that its protocol is designed to support multi-verifier setups, which minimize the risk of such failures.

According to LayerZero, KelpDAO implemented a 1-of-1 DVN architecture, which created a single point of failure that attackers exploited with precision. This configuration decision weakened the decentralization that blockchain-based protocols depend on and allowed attackers to hijack the Remote Procedure Call (RPC) nodes.
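The single point of failure described above can be checked for mechanically. The following Python sketch is an added example, not LayerZero's or KelpDAO's code: it models an X-of-N verifier quorum in which each verifier reads from its own RPC endpoint, and it goes slightly beyond the 1-of-1 case by also flagging multi-verifier setups whose verifiers share one endpoint. All names (`Verifier`, `QuorumConfig`, `rpc-a`, the payloads) are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical model of an X-of-N verifier quorum; not LayerZero's API.
@dataclass(frozen=True)
class Verifier:
    name: str
    rpc: str  # RPC endpoint this verifier reads source-chain state from

@dataclass(frozen=True)
class QuorumConfig:
    verifiers: tuple  # the N verifiers
    threshold: int    # X: matching attestations required to accept a message

def accepted_hash(config, rpc_views, nonce):
    """Each verifier attests to what its own RPC reports; return the hash
    that reaches the threshold, or None if no single hash does."""
    counts = {}
    for v in config.verifiers:
        h = hashlib.sha256(rpc_views[v.rpc][nonce]).hexdigest()
        counts[h] = counts.get(h, 0) + 1
    winners = [h for h, c in counts.items() if c >= config.threshold]
    return winners[0] if len(winners) == 1 else None

def min_rpcs_to_forge(config):
    """Fewest RPC endpoints whose poisoning alone produces a quorum."""
    per_rpc = {}
    for v in config.verifiers:
        per_rpc[v.rpc] = per_rpc.get(v.rpc, 0) + 1
    covered = 0
    for i, n in enumerate(sorted(per_rpc.values(), reverse=True), 1):
        covered += n
        if covered >= config.threshold:
            return i
    return None  # threshold exceeds verifier count: nothing is ever accepted

def audit(config):  # flag configurations where one data source decides the outcome
    findings = []
    if config.threshold > len(config.verifiers):
        findings.append("threshold exceeds verifier count")
    if min_rpcs_to_forge(config) == 1:
        findings.append("one poisoned RPC endpoint satisfies the quorum")
    return findings

GENUINE, FORGED = b"nonce 7: genuine payload", b"nonce 7: forged payload"  # constructed
HONEST = {"rpc-a": {7: GENUINE}, "rpc-b": {7: GENUINE}, "rpc-c": {7: GENUINE}}
POISONED = {**HONEST, "rpc-a": {7: FORGED}}  # constructed: only rpc-a is lying
ONE_OF_ONE = QuorumConfig((Verifier("v1", "rpc-a"),), 1)
TWO_OF_THREE = QuorumConfig((Verifier("v1", "rpc-a"), Verifier("v2", "rpc-b"), Verifier("v3", "rpc-c")), 2)
SHARED_RPC = QuorumConfig((Verifier("v1", "rpc-a"), Verifier("v2", "rpc-a"), Verifier("v3", "rpc-c")), 2)
```

With the poisoned view, the 1-of-1 setup and the 2-of-3 setup with a shared endpoint both accept the forged payload, while the 2-of-3 setup with independent endpoints still accepts the genuine one.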

The exploit was contained within KelpDAO's rsETH asset and did not affect any other applications or assets deployed via LayerZero's protocols. The incident highlights the importance of following best practices and warnings, especially for high-value asset management or cross-chain operations.