A single misconfigured off-chain setting — not a software flaw, not a code vulnerability — enabled the theft of $290 million from KelpDAO, bypassing every smart contract security control the protocol had in place. For any organization operating or investing in DeFi infrastructure that uses cross-chain bridging, this establishes that infrastructure-layer configuration is now a primary financial risk surface, not a secondary concern. The coordinated nature of this campaign, with a concurrent $280 million theft from Drift Protocol attributed to the same group, signals that Lazarus Group is executing systematic, multi-target operations against decentralized finance — organizations in this sector should treat their cross-chain infrastructure configuration as a board-level financial risk item.
You Are Affected If
Your protocol or platform integrates LayerZero for cross-chain message passing or bridge functionality
Your LayerZero DVN configuration is set to a 1-of-1 single verifier threshold rather than a multi-DVN consensus model
Your protocol interacts with KelpDAO's rsETH token or bridges that rely on the affected LayerZero DVN infrastructure
Your RPC nodes for LayerZero DVN endpoints have not been audited for unauthorized substitution or credential compromise since April 18, 2026
Your smart contract audit scope did not include review of off-chain DVN configuration and RPC node trust assumptions
Board Talking Points
North Korean state-sponsored hackers stole $290 million from a DeFi protocol by exploiting a single misconfigured off-chain setting — not a software bug — bypassing all standard smart contract security controls.
Any protocol we operate or invest in that uses LayerZero cross-chain infrastructure should undergo an emergency DVN configuration audit within 72 hours, with findings reported to the risk committee.
If no action is taken, our cross-chain infrastructure may share the same single-verifier vulnerability that enabled this theft, leaving us exposed to the same attack pattern from a threat group that executed two similar operations totaling over $570 million in the same campaign window.
