SlowMist’s Yu Xian dissects the KelpDAO hack: Targeted poisoning of RPC infrastructure; LayerZero’s DVN issued validation for forged transactions
According to an analysis by SlowMist founder Yu Xian (@evilcos), the core of the recent KelpDAO hack—resulting in approximately $290 million stolen—was a targeted poisoning attack against the downstream RPC infrastructure of LayerZero’s DVN (Decentralized Validator Network).
The specific attack steps were as follows:
1. The attackers obtained the list of RPC nodes used by LayerZero’s DVN.
2. They compromised two independent RPC clusters and replaced their op-geth binary files.
3. Using selective spoofing techniques, they returned forged malicious payloads exclusively to the DVN while serving legitimate data to all other IPs.
4. They launched DDoS attacks against the uncompromised RPC nodes, forcing the DVN to fail over to the poisoned nodes.
5. After the forged messages were validated, the malicious binary self-destructed and erased its logs.
As a result, LayerZero’s DVN signed validations for transactions that “never occurred.”
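As an added example (not code from Yu Xian’s analysis or from LayerZero’s DVN), the following Python contrasts the failover pattern the analysis describes, where a verifier trusts whichever RPC node answers, with a quorum check that queries every node and treats an unreachable one as dissent rather than as a reason to lean on fewer sources. The endpoint names, hashes and the scenario are constructed; a DDoS on the honest nodes plus two poisoned ones is exactly the case the quorum check is meant to reject.

```python
from collections import Counter
from typing import Callable, Dict, NamedTuple, Optional

class RpcUnavailable(Exception):
    """Endpoint did not answer (e.g. it is being DDoSed)."""

class Verdict(NamedTuple):
    accepted: bool
    receipt_hash: Optional[str]
    dissenting: tuple  # endpoints that disagreed with the majority or did not answer
    reason: str

def failover_only(endpoints: Dict[str, Callable[[str], str]], msg_id: str) -> str:
    """Weak pattern: trust whichever endpoint answers first; a DDoS on the honest
    nodes steers this to a poisoned one, with nothing to compare against."""
    for fetch in endpoints.values():
        try:
            return fetch(msg_id)
        except RpcUnavailable:
            continue
    raise RpcUnavailable("no endpoint answered")

def verify_message(endpoints: Dict[str, Callable[[str], str]], msg_id: str, quorum: int) -> Verdict:
    """Hardened pattern: query every endpoint and accept only if >= quorum agree;
    an unreachable endpoint counts as dissent, not as a reason to use fewer sources."""
    answers: Dict[str, Optional[str]] = {}
    for name, fetch in endpoints.items():
        try:
            answers[name] = fetch(msg_id)
        except RpcUnavailable:
            answers[name] = None
    tally = Counter(h for h in answers.values() if h is not None)
    best, votes = tally.most_common(1)[0] if tally else (None, 0)
    dissent = tuple(sorted(n for n, h in answers.items() if h != best))
    if votes < quorum:
        return Verdict(False, None, dissent, f"only {votes} of {quorum} required endpoints agree")
    return Verdict(True, best, dissent, "quorum reached")  # non-empty dissent still merits an alert

# Constructed scenario (hypothetical endpoint names and hashes) mirroring the analysis:
# two poisoned clusters return a forged value, one honest cluster is knocked offline.
FORGED, GENUINE = "0xforged", "0xgenuine"
def down(_msg_id: str) -> str:
    raise RpcUnavailable
SCENARIO: Dict[str, Callable[[str], str]] = {
    "rpc-a (poisoned)": lambda m: FORGED,
    "rpc-b (poisoned)": lambda m: FORGED,
    "rpc-c (honest, under DDoS)": down,
    "rpc-d (honest)": lambda m: GENUINE,
}
```

With this scenario, `failover_only` silently returns the forged hash, while `verify_message(SCENARIO, "msg-1", quorum=3)` rejects it and names the two endpoints that did not line up with the poisoned majority, which is the signal a monitoring pipeline should alert on.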