LayerZero Labs issued a public apology on May 9 for three weeks of silence following a Lazarus Group attack that drained roughly $290 million from KelpDAO’s rsETH bridge. The statement came on X from the official LayerZero_Core account, and it led with something rare in DeFi post-mortems — an admission that the team handled communications badly.
“We’ve done a terrible job on comms over the past three weeks,” LayerZero_Core wrote on X. “We wanted to prioritize completeness in the form of a comprehensive post-mortem, but we should have led with directness.”
The apology came alongside a detailed breakdown of what went wrong and what the protocol is changing. But one gap remained. The statement still does not say how North Korea’s Lazarus Group got root access to LayerZero’s RPC nodes in the first place.
What the Attack Actually Did
The breach, which occurred on April 18, targeted the RPC nodes feeding data to LayerZero Labs’ Decentralized Verifier Network. Lazarus operatives replaced the software running on at least two nodes with malicious binaries. Those binaries showed the DVN a forged transaction record while feeding honest data to every other monitoring system.
When the attack began, the group launched a DDoS assault on the remaining legitimate RPC nodes. The DVN failed over to the only nodes still answering — the compromised ones. Those nodes told the system a fake cross-chain transaction had occurred. The DVN signed off on it.
The damage was contained to KelpDAO’s rsETH application, which ran a 1-of-1 DVN setup — a single verifier with no backup. According to LayerZero_Core on X, this configuration affected just 0.14% of total applications and roughly 0.36% of total asset value on the protocol. More than $9 billion has moved across LayerZero since April 19 without incident.
What LayerZero Is Changing
LayerZero Labs said its DVN no longer services 1-of-1 configurations. All default pathways are being migrated to 5/5 where possible, with a floor of 3/3 on any chain where fewer DVN options are available.
The team is also building a second DVN client written in Rust to add client diversity. A new RPC quorum configuration now lets DVNs choose from a more granular mix of internal, dedicated-external, and shared-external nodes rather than relying on a single tier.
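The failover described earlier, where the DVN trusted whichever nodes still answered, is what a fail-closed quorum read is meant to prevent. The sketch below is an added example, not LayerZero's code: the tier names come from the article, while `RpcAnswer`, `quorum_read`, the thresholds and the sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RpcAnswer:
    node: str
    tier: str              # "internal", "dedicated-external" or "shared-external"
    value: Optional[str]   # what the node reports; None means it did not answer


class QuorumError(Exception):
    """Raised when the read must be refused instead of failing over."""


def quorum_read(answers, min_agree=3, min_tiers=2):
    """Return the reported value only if enough nodes in enough tiers agree."""
    live = [a for a in answers if a.value is not None]
    values = {a.value for a in live}
    if len(values) > 1:
        # Any disagreement is treated as an incident, not settled by majority.
        raise QuorumError(f"nodes disagree: {sorted(values)}")
    tiers = {a.tier for a in live}
    if len(live) < min_agree or len(tiers) < min_tiers:
        # Fail closed: silent nodes count against the quorum, so knocking
        # honest nodes offline cannot leave a small surviving set in charge.
        raise QuorumError(f"only {len(live)} node(s) in {len(tiers)} tier(s) answered")
    return live[0].value


# Constructed scenario: two nodes in one tier answer, the rest time out.
UNDER_DDOS = [
    RpcAnswer("int-1", "internal", "0xforged"),
    RpcAnswer("int-2", "internal", "0xforged"),
    RpcAnswer("ded-1", "dedicated-external", None),
    RpcAnswer("ded-2", "dedicated-external", None),
    RpcAnswer("shr-1", "shared-external", None),
]
# Constructed healthy case: three nodes across three tiers agree.
HEALTHY = [
    RpcAnswer("int-1", "internal", "0xabc"),
    RpcAnswer("ded-1", "dedicated-external", "0xabc"),
    RpcAnswer("shr-1", "shared-external", "0xabc"),
]


def refused(answers, **kw):
    """True if quorum_read refuses the given answers."""
    try:
        quorum_read(answers, **kw)
    except QuorumError:
        return True
    return False
```

With `min_agree=2, min_tiers=1` the same `UNDER_DDOS` input is accepted, which is the weak setting the tiered quorum is meant to replace.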
The bigger structural change is OneSig. LayerZero Labs built the custom multisig in response to the attack. According to the LayerZero_Core post on X, OneSig lets each signer download transactions locally, then hash and sign the root on their own machine. The backend cannot slip in unauthorized transactions because the hashing happens on the signer’s side. The team is also moving its own multisig threshold from 3/5 to 7/10 across all chains where OneSig exists.
Each OneSig signer has also built a private security checker to flag anomalies on their signing machine. Those criteria are kept private and not shared with the company or other signers.
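The signer-side hashing described above can be illustrated with a local Merkle root check. This is an added example, not OneSig's code: the SHA-256 tree, the JSON leaf encoding, the function names and the sample transactions are all assumptions.

```python
import hashlib
import json


def leaf_hash(tx):
    # Canonical JSON so every signer derives the same bytes (assumed encoding).
    data = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()


def merkle_root(txs):
    """Root over the batch; 0x00/0x01 prefixes separate leaves from nodes."""
    if not txs:
        raise ValueError("empty batch")
    level = [leaf_hash(tx) for tx in txs]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level) - 1, 2):
            nxt.append(hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest())
        if len(level) % 2:
            nxt.append(level[-1])      # odd node is carried up unchanged
        level = nxt
    return level[0]


def root_to_sign(reviewed_txs, backend_root):
    """Return the root for signing only if it matches what the signer reviewed."""
    local = merkle_root(reviewed_txs)
    if local != backend_root:
        raise PermissionError("backend root does not match reviewed transactions")
    return local


# Constructed batch the signer downloaded and reviewed.
REVIEWED = [
    {"chain": 1, "to": "0xAAA", "data": "0x01", "nonce": 7},
    {"chain": 10, "to": "0xBBB", "data": "0x02", "nonce": 7},
]
# Constructed extra call that a tampered backend tries to include.
EXTRA = {"chain": 1, "to": "0xEEE", "data": "0xff", "nonce": 7}


def tampered_root_rejected():
    """True if a root covering an unreviewed transaction is refused."""
    try:
        root_to_sign(REVIEWED, merkle_root(REVIEWED + [EXTRA]))
    except PermissionError:
        return True
    return False
```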
The Multisig Problem That Predated the Hack
Separate from the Lazarus attack, LayerZero confirmed a different security failure in the same statement. Three and a half years ago, one signer on the company’s multisig used their multisig hardware wallet to execute a personal trade — when they intended to use their personal device.
“This is obviously not ok,” LayerZero_Core said on X. That signer was removed. Wallets were rotated. The team added anomaly detection software to signing devices and built OneSig as a longer-term fix.
The disclosure lands in a charged environment. As we covered previously at CryptoNewsLive, onchain evidence had already surfaced showing LayerZero multisig signers used production keys to trade a memecoin called McPepes on Uniswap. LayerZero Labs CEO Bryan Pellegrino said those transactions came from former multisig members who had already been removed, and that the activity was OFT testing, not personal trading. Critics pointed out that McPepes is a separate token from the PEPE OFT being tested.
The Question the Post-Mortem Still Skips
The technical account LayerZero has provided explains what the malicious binaries did once they were on the RPC nodes. It does not explain how Lazarus got root access to those nodes in the first place.
Security researchers flagged this gap immediately after the April 19 post-mortem. The entry vector, whether through a breached deployment pipeline, a prior unannounced compromise, or something else, has not been addressed in any official statement so far. That is still the case with the May 9 update.
KelpDAO has since moved rsETH off LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard. The project cited infrastructure security concerns and said Chainlink’s oracle network gives it stronger guarantees going forward.
For developers still building on LayerZero, the team issued four direct recommendations in the May 9 statement: pin all configurations so nothing relies on LayerZero Labs defaults, set block confirmations high enough to make chain reorganization nearly impossible, configure DVNs with at least two parties and ideally three to five, and consider running a required DVN of your own.
“No other application has been affected,” LayerZero_Core confirmed on X, “and more than $9B has been moved across LayerZero since April 19th.”
The Console platform, which LayerZero Labs said it has been building for several months, will bring configuration management and anomaly detection into a single interface for asset issuers. It includes OneSig integration and automated alerts for unsafe configurations, unknown DVNs, and changes in ownership or block confirmations.
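The four developer recommendations and the alert types listed for Console can be expressed as a small configuration audit. This is an added sketch, not LayerZero's Console or its config schema; every field name, DVN name, address and the confirmation floor below is a constructed assumption.

```python
def audit_pathway(cfg, known_dvns, min_confirmations, previous=None):
    """Return a list of findings for one pathway config (hypothetical fields)."""
    findings = []
    parties = set(cfg["required_dvns"])
    if cfg.get("uses_defaults", True):
        findings.append("unpinned: relies on LayerZero Labs defaults")
    if len(parties) < 2:
        findings.append(f"only {len(parties)} DVN party: single point of failure")
    unknown = sorted(parties - known_dvns)
    if unknown:
        findings.append(f"unknown DVNs: {unknown}")
    if cfg["confirmations"] < min_confirmations:
        findings.append(
            f"confirmations {cfg['confirmations']} below floor {min_confirmations}"
        )
    if previous is not None:
        # Drift against the last reviewed snapshot of the same pathway.
        for key in ("owner", "confirmations"):
            if previous[key] != cfg[key]:
                findings.append(f"{key} changed: {previous[key]} -> {cfg[key]}")
    return findings


# Everything below is constructed sample data, not real DVNs or addresses.
KNOWN_DVNS = {"dvn-labs", "dvn-partner-a", "dvn-self"}
FLOOR = 32  # sample value; the right floor depends on the source chain

WEAK = {
    "owner": "0xOWNER1",
    "uses_defaults": True,
    "required_dvns": ["dvn-labs"],
    "confirmations": 2,
}
PINNED = {
    "owner": "0xOWNER1",
    "uses_defaults": False,
    "required_dvns": ["dvn-labs", "dvn-partner-a", "dvn-self"],
    "confirmations": 64,
}
DRIFTED = dict(
    PINNED,
    owner="0xOWNER2",
    confirmations=12,
    required_dvns=PINNED["required_dvns"] + ["dvn-new"],
)
```

Calling `audit_pathway(DRIFTED, KNOWN_DVNS, FLOOR, previous=PINNED)` reports the unknown DVN, the low confirmation count and both changes since the last snapshot.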












