Coinpaper 2026-04-20 10:40:29

Kelp DAO Hack Traced to Lazarus Group: Report

Attackers allegedly poisoned RPC nodes and exploited Kelp DAO’s single-verifier 1/1 DVN bridge setup to approve a fraudulent cross-chain message. Separately, Ethereum Name Service gateway eth.limo said its recent domain hijacking was caused by a social engineering attack against provider easyDNS, where an attacker impersonated a team member to gain account access and alter DNS settings.

Lazarus Group Strikes Again…

LayerZero released its preliminary findings on the recent Kelp DAO exploit. It attributed the attack to what it describes as a highly sophisticated state-backed threat actor, likely North Korea’s Lazarus Group, specifically the subgroup known as TraderTraitor. The incident took place on April 18, when Kelp DAO’s LayerZero-powered cross-chain bridge was compromised. This resulted in the loss of 116,500 rsETH tokens worth approximately $292 million. So far, this is the largest decentralized finance exploit this year.

According to LayerZero, the attackers gained access to the list of RPC nodes used by LayerZero Labs’ decentralized verifier network (DVN), a system of independent entities responsible for validating cross-chain messages. Two of those nodes were allegedly poisoned, which allowed them to transmit a fraudulent message to the DVN. At the same time, the attackers launched a distributed denial-of-service attack against uncompromised nodes, increasing the likelihood that the network would rely on the malicious nodes.

The forged message was ultimately accepted because Kelp DAO configured its bridge to use a single 1-of-1 DVN setup. This means that there was no secondary verifier in place to detect or reject the fraudulent transaction. LayerZero said this lack of redundancy created a single point of failure. Interestingly, LayerZero previously advised Kelp DAO to diversify its DVN configuration. Despite those recommendations, Kelp DAO chose to continue operating with the 1/1 model.
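To make the single-point-of-failure argument concrete, here is an added example (not LayerZero's or Kelp DAO's code) that models an application's message-verification policy as a set of required verifiers plus an optional threshold. Each DVN's attestation is simulated with a per-verifier HMAC key, which is an assumption standing in for the verifiers' real signatures; the chain names, nonces, payloads and keys are constructed. The point it shows is that when only one verifier is required, a forged message attested by that one verifier passes, while the same forged message fails as soon as a second, independent verifier must also attest to it.

```python
# Added example, not code from LayerZero or Kelp DAO. Models an M-of-N
# verifier policy for cross-chain messages. Attestations are HMACs under
# per-DVN secrets (an assumption standing in for real DVN signatures).
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-verifier secrets; real DVNs hold their own signing keys.
DVN_KEYS = {
    "dvn-A": b"constructed-key-A",
    "dvn-B": b"constructed-key-B",
    "dvn-C": b"constructed-key-C",
}


def message_id(src_chain: str, dst_chain: str, nonce: int, payload: str) -> bytes:
    """Canonical identity of a cross-chain message (what verifiers attest to)."""
    return hashlib.sha256(f"{src_chain}|{dst_chain}|{nonce}|{payload}".encode()).digest()


def attest(dvn: str, msg_id: bytes) -> bytes:
    """What a DVN publishes for a message it believes it observed on the source chain."""
    return hmac.new(DVN_KEYS[dvn], msg_id, "sha256").digest()


@dataclass
class VerificationConfig:
    required: tuple          # every one of these DVNs must attest
    optional: tuple = ()     # of these, at least `threshold` must attest
    threshold: int = 0


def verify(config: VerificationConfig, msg_id: bytes, attestations: dict) -> bool:
    """Accept the message only if all required DVNs and at least `threshold`
    optional DVNs have published an attestation bound to this exact message id."""
    def valid(dvn: str) -> bool:
        sig = attestations.get(dvn)
        return sig is not None and hmac.compare_digest(sig, attest(dvn, msg_id))

    if not all(valid(d) for d in config.required):
        return False
    return sum(valid(d) for d in config.optional) >= config.threshold


def simulate() -> dict:
    """Compare a 1-of-1 policy with a multi-DVN policy on an honest and a forged message."""
    legit = message_id("chain-src", "chain-dst", 41, "unlock 10 tokens to 0xconstructed1")
    forged = message_id("chain-src", "chain-dst", 42, "unlock 1000 tokens to 0xconstructed2")

    # Honest verifiers attest only to what they observed on the canonical chain.
    honest = {d: attest(d, legit) for d in DVN_KEYS}
    # Compromised path: only dvn-A, fed by poisoned RPC nodes, attests to the forged message.
    poisoned = {"dvn-A": attest("dvn-A", forged)}

    single = VerificationConfig(required=("dvn-A",))
    multi = VerificationConfig(required=("dvn-A", "dvn-B"), optional=("dvn-C",), threshold=1)

    return {
        "legit_single": verify(single, legit, honest),       # True
        "legit_multi": verify(multi, legit, honest),         # True
        "forged_single": verify(single, forged, poisoned),   # True: one verifier is enough
        "forged_multi": verify(multi, forged, poisoned),     # False: dvn-B never attested
        "replayed_single": verify(single, forged, honest),   # False: attestation bound to msg id
    }


if __name__ == "__main__":
    for case, accepted in simulate().items():
        print(f"{case:16s} accepted={accepted}")
```

The `required` tuple is the part that matters for the incident described above: with a second independent verifier listed there, the forged message is rejected even though the first verifier is fully under the attacker's influence, and attestations stay bound to a specific message id so an honest attestation cannot be replayed for a different payload.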
LayerZero explained that the exploit is isolated to Kelp DAO and has not affected other assets or applications using its infrastructure. It said the LayerZero Labs DVN remains fully operational and that projects using multi-DVN security setups can continue operations with confidence. In response to the incident, LayerZero announced that it will no longer sign messages for applications using a 1/1 DVN configuration. The company also said it is cooperating with multiple law enforcement agencies and actively tracking the stolen funds.

eth.limo Hijack Caused by Social Engineering

Meanwhile, Ethereum Name Service gateway eth.limo disclosed that the domain hijacking incident on Friday was caused by a social engineering attack targeting its domain service provider, easyDNS. In a postmortem published on Saturday, eth.limo explained that an attacker impersonated one of its team members and initiated an account recovery process with easyDNS. That fraudulent recovery request reportedly gave the attacker access to the eth.limo account, which allowed them to modify key domain settings. The attacker then changed the name server records and redirected them to Cloudflare-controlled infrastructure.

Once the issue was identified as a DNS hijack, eth.limo said it immediately alerted the community and reached out to Ethereum co-founder Vitalik Buterin. The company also contacted easyDNS to begin coordinating a response. During the incident, Buterin warned users to avoid visiting his personal blog through the affected gateway until the matter was resolved. Eth.limo provides access to roughly two million decentralized websites using the .eth domain name system, which makes it a very important access point for users browsing Ethereum-based sites through standard web browsers. If successfully weaponized, control of the service could have allowed attackers to redirect visitors to phishing pages or malware-laced websites.
However, both eth.limo and easyDNS said the Domain Name System Security Extensions (DNSSEC) limited the damage. DNSSEC adds cryptographic verification to DNS records, and because the attacker did not possess the required signing keys, they were unable to create valid signatures for forged DNS responses. As a result, many DNS resolvers rejected the manipulated records, causing users to see errors rather than malicious redirects. Eth.limo said the missing signing keys likely reduced the overall impact of the attack and added that it is not currently aware of any user harm. The company said updates would be provided if that assessment changes.

EasyDNS CEO Mark Jeftovic publicly accepted responsibility for the incident, stating that the company made mistakes and would own them. He described the breach as the first successful social engineering attack against an easyDNS client in the company’s 28-year history, despite many prior attempts. Following the incident, easyDNS said it has already begun implementing security changes to prevent similar attacks in the future.
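The paragraph above explains why changing the name server records at the registrar was not enough: a validating resolver checks the signature over each record set against a trust anchor, and records published without the zone's signing key fail that check. The following added example (not eth.limo's or easyDNS's code) models that behaviour with a minimal validating resolver. The zone signing key is represented by an HMAC secret, an assumption standing in for the real DNSKEY/RRSIG key pair so that the block runs with the standard library only; the zone name, record data and key bytes are constructed.

```python
# Added example, not code from eth.limo or easyDNS. A minimal validating
# resolver that accepts a record set only when its signature verifies under
# the trust anchor. HMAC stands in for DNSSEC's asymmetric RRSIG (assumption).
import hmac
import json

ZONE = "example-gateway.test."
# Held by the legitimate zone operator only; constructed for this example.
ZONE_SIGNING_KEY = b"constructed-zsk-for-example-gateway"
# What the attacker can use after taking over the registrar account: they can
# publish records, but they do not hold the zone's signing key.
ATTACKER_KEY = b"constructed-key-the-attacker-actually-has"


def rrset_bytes(name: str, rtype: str, rdata: list) -> bytes:
    """Canonical form of a record set (real DNSSEC canonicalises per RFC 4034)."""
    return json.dumps([name.lower(), rtype, sorted(rdata)]).encode()


def sign_rrset(key: bytes, name: str, rtype: str, rdata: list) -> str:
    """Produce the signature a signer with `key` attaches to a record set."""
    return hmac.new(key, rrset_bytes(name, rtype, rdata), "sha256").hexdigest()


def resolve(name: str, rtype: str, answer: dict, trust_anchor: bytes, validating: bool = True) -> tuple:
    """Return ('secure', rdata) when the answer's signature verifies under the
    trust anchor, ('bogus', None) when it does not (a validating resolver returns
    SERVFAIL here), and ('insecure', rdata) when the resolver does not validate."""
    rdata, rrsig = answer["rdata"], answer.get("rrsig")
    if not validating:
        return ("insecure", rdata)
    expected = sign_rrset(trust_anchor, name, rtype, rdata)
    if rrsig is None or not hmac.compare_digest(rrsig, expected):
        return ("bogus", None)
    return ("secure", rdata)


def simulate() -> dict:
    """Legitimate signed NS records versus NS records changed by an account takeover."""
    legit_ns = ["ns1.legit-provider.test.", "ns2.legit-provider.test."]
    hijacked_ns = ["ns1.redirected-infra.test.", "ns2.redirected-infra.test."]

    legit_answer = {
        "rdata": legit_ns,
        "rrsig": sign_rrset(ZONE_SIGNING_KEY, ZONE, "NS", legit_ns),
    }
    # Records changed via the registrar: the attacker can either publish them
    # unsigned or sign them with a key the trust anchor does not recognise.
    hijacked_unsigned = {"rdata": hijacked_ns}
    hijacked_wrong_key = {
        "rdata": hijacked_ns,
        "rrsig": sign_rrset(ATTACKER_KEY, ZONE, "NS", hijacked_ns),
    }

    anchor = ZONE_SIGNING_KEY
    return {
        "legit_validating": resolve(ZONE, "NS", legit_answer, anchor)[0],            # secure
        "hijack_unsigned_validating": resolve(ZONE, "NS", hijacked_unsigned, anchor)[0],  # bogus
        "hijack_wrong_key_validating": resolve(ZONE, "NS", hijacked_wrong_key, anchor)[0],  # bogus
        "hijack_non_validating": resolve(ZONE, "NS", hijacked_wrong_key, anchor, validating=False),  # followed
    }


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case:28s} -> {outcome}")
```

The last case in `simulate` is the caveat the postmortem hints at with "many DNS resolvers rejected the manipulated records": a resolver that does not validate follows the hijacked records regardless, so DNSSEC protects only users behind validating resolvers, and an operator should keep signing keys separate from registrar credentials so that an account takeover cannot also re-sign the zone.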
