- LayerZero said TraderTraitor compromised a developer account before manipulating internal RPC infrastructure.
- The rsETH exploit drained 116,500 rsETH after a forged transaction passed a single-verifier setup.
- LayerZero rebuilt affected systems and added stricter credential, approval, and verifier security controls.
LayerZero released a joint post-mortem with Mandiant and CrowdStrike detailing the April 18 rsETH bridge exploit that drained 116,500 rsETH, worth about $292 million. According to the report, DPRK-linked threat actor TraderTraitor, also known as UNC4899, compromised LayerZero infrastructure after targeting a developer in March. The attackers later manipulated RPC nodes and forced a verifier system failure that approved a forged cross-chain transaction.
Attack Began With Developer Compromise
According to LayerZero, the breach started on March 6 after an attacker socially engineered a LayerZero Labs developer. The attacker harvested session keys before entering LayerZero’s RPC cloud environment.
From there, the attacker altered internal RPC node memory with malicious software. The modified system returned legitimate responses to monitoring tools.
However, the same nodes sent manipulated responses to LayerZero Labs’ Decentralized Verifier Networks, also known as DVNs. RPC nodes answer requests for blockchain state across networks, so a DVN that trusts a manipulated node inherits its false view of the source chain.
To expand the attack, the threat actor launched a Denial of Service attack against an external RPC provider. Consequently, the LayerZero Labs signing service was left relying on the two compromised internal nodes.
According to Mandiant, CrowdStrike, and independent researchers, the forged message later received a valid attestation. As a result, the KelpDAO rsETH bridge released the assets.
Single-Verifier Setup Enabled Exploit
LayerZero stated the affected OApp relied on a single-verifier configuration during the incident. Therefore, no second independent DVN reviewed the forged message.
The destination contract accepted the single attestation and unlocked rsETH assets. However, LayerZero said no other OApps, channels, or transactions were compromised.
Following the breach, LayerZero changed how its DVN system handles channel security requirements. The company said its DVN will no longer sign as the sole required attestor.
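The two failure points described above, a signer left with only one operator's RPC nodes and a destination that trusts one DVN, can be modelled in a few lines. This is an added, simplified illustration and not LayerZero's code; the provider labels, DVN names, and hashes are constructed.

```python
from dataclasses import dataclass

# Constructed, simplified model of the two controls the post-mortem points at:
# a DVN cross-checking several RPC sources before it signs, and a destination
# OApp requiring more than one independent DVN. Not LayerZero's own code.

@dataclass(frozen=True)
class RpcView:
    provider: str          # operator of the RPC node (hypothetical label)
    payload_hash: str      # hash of the cross-chain message the node reports
    available: bool = True # False models a node knocked out by DoS

def dvn_attest(views, min_sources=2, min_providers=2):
    """Hash this DVN signs, or None. Refuses when too few nodes answered, when
    the answers come from too few independent operators (so a DoS on one
    provider cannot leave the signer on a single operator's nodes), or when
    the answers disagree."""
    live = [v for v in views if v.available]
    if len(live) < min_sources:
        return None
    if len({v.provider for v in live}) < min_providers:
        return None
    hashes = {v.payload_hash for v in live}
    return hashes.pop() if len(hashes) == 1 else None

def destination_accepts(attestations, required_dvns):
    """Execute only if every required DVN attested, and all to the same hash."""
    signed = [attestations.get(d) for d in required_dvns]
    return None not in signed and len(set(signed)) == 1

# Constructed incident-like inputs: two internal nodes report a forged hash,
# the external provider is unreachable, and an independent DVN on its own
# healthy nodes saw the real hash.
INCIDENT_VIEWS = [
    RpcView("internal", "0xforged"),
    RpcView("internal", "0xforged"),
    RpcView("external", "0xreal", available=False),
]

def run_scenarios():
    lone = dvn_attest(INCIDENT_VIEWS, min_providers=1)  # legacy: signs forged
    diverse = dvn_attest(INCIDENT_VIEWS)                 # refuses to sign
    return {
        "lone_provider_signs": lone,
        "diverse_provider_signs": diverse,
        "single_dvn_accepts": destination_accepts({"LabsDVN": lone}, ["LabsDVN"]),
        "two_dvn_accepts": destination_accepts(
            {"LabsDVN": lone, "OtherDVN": "0xreal"}, ["LabsDVN", "OtherDVN"]),
    }
```

Both checks refuse the forged message: the provider-diversity rule stops the DVN from signing at all, and a second required DVN stops the destination from executing even if the first DVN did sign.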
LayerZero Rebuilds Compromised Infrastructure
LayerZero also replaced the affected cloud environment instead of patching existing systems. The company rebuilt the infrastructure using hardened configurations and removed legacy credentials.
Additionally, LayerZero introduced short-lived credentials and multi-person approval requirements for administrative access changes. The company also added device and session validation checks.
According to LayerZero, CrowdStrike, Mandiant, and zeroShadow continue supporting the investigation alongside law enforcement agencies.
