LayerZero apologizes after RPC breach led to $300M KelpDAO hack

On April 19, 2026, the Lazarus Group corrupted internal RPC nodes used by LayerZero’s DVN network and launched a distributed denial-of-service attack against an external RPC provider. Corrupted RPC data was used in a $300 million rsETH exploit that drained funds from KelpDAO.

LayerZero published an open apology on May 8, 2026, acknowledging operational and communication failures. The company maintained its cross-chain messaging protocol was not compromised and identified the intrusion as a breach of internal infrastructure.

The company reported attackers corrupted the “source of truth” for its internal RPC nodes. It added the incident affected only a single application, representing about 0.14% of LayerZero apps and roughly 0.36% of the platform’s bridged asset value.

After the attack, LayerZero patched internal services, notified partners, and began coordinating recovery efforts with affected projects. The firm committed 5,000 ETH to a DeFi United rescue plan and 5,000 ETH to support liquidity in Aave pools.

LayerZero disclosed a separate past incident involving multisig key handling. Three and a half years earlier, a signer used a hardware wallet meant for multisig transactions to make a personal trade in a memecoin called McPepes on Uniswap. The signer was replaced, wallets were swapped, and additional controls were added.

Less than 24 hours before the apology, co-founder Bryan Pellegrino described the earlier transaction as “OFT testing.” LayerZero confirmed the new disclosure corrects that account.

The company outlined changes to governance and defaults. Single-signer (1/1) DVN configurations will no longer be supported and pathway defaults have been upgraded to 5/5 or 3/3 where possible. LayerZero also plans to raise its own multisig threshold to 7-of-10 using OneSig.

LayerZero plans a DVN client in Rust and urged developers to pin configuration values, increase block confirmations to reduce reorganization risk, provision DVNs with at least two independent parties and preferably three to five, and consider operating their own DVN.

The firm described its multisig architecture as limited to Endpoint functions such as chain additions and default test updates. It explained that default applications and DVNs relying on a single verifier depended on trust placed in the company multisig, while gas relayers and executors affect only liveness.

Several projects reacted by changing or reviewing integrations. KelpDAO and Solv Protocol migrated their integrations to Chainlink. Beefy, Ethena, BitGo and Lombard announced they are reviewing their connections to LayerZero.

Market participants raised concerns about potential drops in bridged transaction volumes, reduced earnings for Stargate and impacts on the company’s ZRO token buyback mechanics.

Critics pointed to the company’s early messaging, which some observers viewed as shifting blame to partners. LayerZero wrote the apology and technical changes are intended to clarify responsibilities between the messaging layer and application-level security.

The company added developers and organizations will likely announce decisions in the coming weeks as they determine whether to remain on or leave the platform.