CyberSecurity SEE

North Korea Accused of $290 Million KelpDAO Crypto Heist


State-backed hackers have emerged as the prime suspects in the largest cryptocurrency heist of 2023, targeting KelpDAO, a decentralized finance (DeFi) protocol, over the weekend. KelpDAO accepts Liquid Staking Tokens (LSTs) such as stETH, ETHx, and sfrxETH and issues a single liquid token, rsETH, against those deposits.

On Saturday, KelpDAO reported “suspicious cross-chain activity involving rsETH” and immediately paused all protocol operations. By then the attackers had already drained 116,500 rsETH, worth roughly $293 million, and were routing the proceeds through Tornado Cash, a mixing service, to break the on-chain trail for investigators.

In the aftermath, KelpDAO has blamed the LayerZero messaging infrastructure it relies on for cross-chain transfers. LayerZero counters that the breach stems from how KelpDAO configured that infrastructure, not from the technology itself.

LayerZero verifies cross-chain messages through Decentralized Verifier Networks (DVNs): independent parties that confirm a message was really emitted on the source chain before it is executed on the destination chain. A DVN only knows what the source chain did through the RPC (Remote Procedure Call) nodes it queries, and that is where the attack landed. In April, North Korea’s notorious Lazarus Group went after one of LayerZero’s DVNs. According to LayerZero, the attacker obtained the list of RPC endpoints the DVN used and compromised two of them, independent nodes running on separate clusters.

LayerZero describes what followed as an RPC-spoofing attack: the intruders launched a Distributed Denial of Service (DDoS) attack against the DVN’s healthy RPC endpoints, forcing it to fail over to the two compromised nodes. Those nodes fed the DVN a fabricated view of the source chain, the DVN attested to a cross-chain message that had never actually been sent, and the destination side accepted the forged message as valid, which led to the unauthorized transfer of rsETH.

### LayerZero Defends Its Position

In response to the incident, LayerZero has been vocal in asserting that KelpDAO is partly to blame for relying on a single-point-of-failure configuration. They stated that their best practice advice, which emphasizes the need for multi-DVN diversification, was overlooked. “Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message. LayerZero and other external parties had previously communicated best practices around DVN diversification to KelpDAO,” LayerZero elaborated.

KelpDAO nonetheless ran a 1/1 DVN configuration: a single DVN whose attestation alone was enough to execute a message. LayerZero stressed that a properly hardened setup requires agreement from several independent DVNs, so that compromising one of them, as happened here, would not be enough to get a forged message through.

Despite the staggering loss, there is a glimmer of hope. Roughly 25% of the stolen funds, around 30,766 ETH (valued at $71 million), have been frozen by Arbitrum’s Security Council, a partial respite for KelpDAO amid the chaos.

### An Evolving Landscape of Cyber Threats

This incident underlines an alarming trend: the Lazarus Group appears to be refining its operational capabilities, evolving from simple acts of theft to sophisticated, multi-faceted cyberattacks. Security experts emphasize that these actors are no longer “smash and grab” criminals but rather disciplined adversaries who adeptly navigate weak points within infrastructure and trust relationships.

According to Pete Luban, Chief Information Security Officer at AttackIQ, the crypto ecosystem now faces adversaries who leave each heist not only richer but also better resourced and more practiced. “Groups like Lazarus are not just walking away with loot; they are accumulating better tools that can be refined for future engagements,” he pointed out.

Nick Tausek, lead security automation architect at Swimlane, sees the attack as following a recognizable North Korean playbook: patient intrusion, manipulation of trust relationships, and suppression of the mechanisms that would have detected it. By compromising infrastructure behind LayerZero’s verifier role, he noted, the attackers inserted themselves into the transaction path and turned the trust placed in that verifier into a vehicle for pushing forged messages downstream.

The ramifications of breaches in such decentralized systems are vast, as the impact rarely confines itself to the immediate victims. This incident serves as a sobering reminder of the vulnerabilities that persist within the crypto sphere, underscoring the necessity for heightened security measures and adherence to best practices in the burgeoning world of decentralized finance.
