TechFlow News, April 20: According to an analysis by SlowMist founder Yu Xian (@evilcos), the core of the recent KelpDAO hack, in which roughly $290 million was stolen, was a targeted poisoning attack on the downstream RPC infrastructure relied on by LayerZero's Decentralized Validator Network (DVN).
The attack proceeded in the following steps. First, the attackers obtained the list of RPC nodes that LayerZero's DVN queries. Next, they compromised two independent RPC clusters and replaced their op-geth binaries. Through selective response spoofing, the modified nodes returned forged malicious payloads only to the DVN's addresses while serving legitimate chain data to every other client IP. At the same time, the attackers launched DDoS attacks against the uncompromised RPC nodes, forcing the DVN to fail over to the poisoned ones. Once the forged messages had been validated, the malicious binary self-destructed and erased its logs. The net effect was that LayerZero's DVN signed validations for transactions that "never occurred" on chain.
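The failure mode above is a verifier that trusts whichever RPC node happens to answer. The following toy model, added here as an illustration and not code from SlowMist, LayerZero or KelpDAO, contrasts that "first node that responds" failover with a verifier that fails closed: it requires a minimum number of independent responders, requires them to agree, and re-queries each node from a second, non-DVN vantage point to catch a node that answers differently depending on who is asking. All node names, IP addresses, receipts and amounts are constructed for the example.

```python
"""Toy model of selective RPC spoofing against a cross-chain verifier.

Constructed example: the node list, IPs, receipts and amounts are made up.
"""
from dataclasses import dataclass
import hashlib
from typing import Optional

DVN_IP = "203.0.113.10"      # constructed: source address the verifier queries from
MONITOR_IP = "198.51.100.7"  # constructed: an out-of-band probe run by the operator

# Constructed receipts. HONEST_RECEIPT is what the chain actually contains;
# FORGED_RECEIPT describes a transfer that never occurred on chain.
HONEST_RECEIPT = {"tx": "0xaaaa", "event": "PacketSent", "amount": 1_000_000}
FORGED_RECEIPT = {"tx": "0xbeef", "event": "PacketSent", "amount": 290_000_000}


def receipt_digest(receipt: dict) -> str:
    """Canonical hash of a receipt so answers from different nodes can be compared."""
    canonical = "|".join(f"{k}={receipt[k]}" for k in sorted(receipt))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class RpcNode:
    name: str
    honest: bool = True      # False: binary swapped, spoofs only for target_ip
    down: bool = False       # True: under DDoS, never answers
    target_ip: str = DVN_IP

    def get_receipt(self, caller_ip: str) -> Optional[dict]:
        if self.down:
            return None
        if not self.honest and caller_ip == self.target_ip:
            return FORGED_RECEIPT  # selective spoofing: only the verifier sees this
        return HONEST_RECEIPT      # everyone else gets the real chain data


def naive_verify(nodes):
    """Fail over to the first node that answers and sign whatever it returns."""
    for node in nodes:
        receipt = node.get_receipt(DVN_IP)
        if receipt is not None:
            return {"decision": "sign", "source": node.name,
                    "digest": receipt_digest(receipt)}
    return {"decision": "refuse", "reason": "no rpc node answered"}


def hardened_verify(nodes, min_responders=3):
    """Sign only if enough independent nodes answer, they all agree, and each
    node tells an out-of-band probe the same thing it told the verifier."""
    answers = {}
    for node in nodes:
        seen_by_dvn = node.get_receipt(DVN_IP)
        if seen_by_dvn is None:
            continue  # unavailable nodes count against min_responders below
        seen_by_probe = node.get_receipt(MONITOR_IP)
        if (seen_by_probe is None
                or receipt_digest(seen_by_probe) != receipt_digest(seen_by_dvn)):
            return {"decision": "refuse",
                    "reason": f"{node.name} answers differently per caller "
                              "(selective spoofing)"}
        answers[node.name] = receipt_digest(seen_by_dvn)
    if len(answers) < min_responders:
        return {"decision": "refuse",
                "reason": f"only {len(answers)} of {len(nodes)} nodes answered "
                          f"(need {min_responders})"}
    if len(set(answers.values())) != 1:
        return {"decision": "refuse", "reason": "rpc nodes disagree"}
    return {"decision": "sign", "digest": next(iter(answers.values()))}


def attack_scenario():
    """Two honest clusters under DDoS, two compromised clusters spoofing the DVN."""
    return [RpcNode("rpc-a", down=True), RpcNode("rpc-b", down=True),
            RpcNode("rpc-c", honest=False), RpcNode("rpc-d", honest=False)]


def degraded_scenario():
    """Two honest clusters down, two honest clusters up: no attacker, just outage."""
    return [RpcNode("rpc-a", down=True), RpcNode("rpc-b", down=True),
            RpcNode("rpc-c"), RpcNode("rpc-d")]


def healthy_scenario():
    return [RpcNode(f"rpc-{c}") for c in "abcd"]


if __name__ == "__main__":
    print("naive / attack:   ", naive_verify(attack_scenario()))
    print("hardened / attack:", hardened_verify(attack_scenario()))
    print("hardened / outage:", hardened_verify(degraded_scenario()))
    print("hardened / healthy:", hardened_verify(healthy_scenario()))
```

The design point is that availability loss and content divergence are both treated as reasons to stop signing rather than as conditions to route around: the naive verifier happily signs the forged receipt once the honest nodes are knocked offline, while the hardened one refuses because the surviving nodes give the probe a different answer than they give the DVN, and would still refuse on responder count alone if the probe were unavailable.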