Dragonfly Managing Partner Qureshi: LayerZero Faces Complex RPC Attack from North Korea
Haseeb Qureshi, managing partner at Dragonfly, observed that LayerZero's official statement attributed the incident to Kelp DAO running a single-DVN configuration, something LayerZero's own documentation explicitly warns against; however, LayerZero itself operates that DVN node. The attack was attributed to North Korean hackers who infiltrated LayerZero's machines to obtain the RPC list, then compromised two RPC servers and installed a forged build of op-geth.
The attack path was highly complex: the hackers first DDoS'd the main RPC endpoint, forcing a failover to an RPC they controlled, which fed malicious transaction data to LayerZero's verifier while returning normal responses to the monitoring system. Afterward, the malicious binary self-destructed and cleared its logs; LayerZero has not disclosed the initial intrusion path.
LayerZero's official statement emphasized that the protocol was operating normally and that the attack was confined to a single application, with no systemic compromise. That framing has been criticized as sidestepping operational responsibility; the English-language security community and several protocols have pointed out that the RPC layer, a weak point in blockchain infrastructure, has repeatedly been a target for advanced persistent threats.
Source: Public Information
ABAB AI Insight
At its core, this attack exposes the layered risk of blockchain infrastructure: correct logic at the protocol layer does not equal a secure system. An RPC server is middleware that should act as a passive relay of chain state, but once tampered with it can directly steer the decisions made above it. Even if the core protocol has no vulnerabilities, the trust boundary of the whole stack still rests on unaudited external nodes.
The tactics of the North Korean hackers (RPC hijacking, serving different responses to different callers, and self-destruct cleanup) mark an escalation from "simple private key theft" to "persistent infiltration of infrastructure." This was not a random event but a systematic operation against a high-value DeFi target, combining a DDoS with the victim's own failover mechanism and fully exploiting the weaknesses of multi-vendor dependencies. English-language security analyses have classified similar attacks as "supply chain attacks," and their complexity requires protocol design to move from "single point of failure" to "multi-path verification."
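The failover-to-attacker path in the attack description above and the "multi-path verification" point in this paragraph, as an added example that is not LayerZero, Kelp DAO or op-geth code: a verifier reading a transaction receipt through a naive failover client, beside one that only accepts a result when several independently operated RPC endpoints agree on it. Everything in the block is constructed for the illustration: the endpoints are in-process fakes, the receipt contents are made up, and the names (`split_view_node`, `quorum_call`, the User-Agent strings) are mine. Picking the victim by User-Agent stands in for whatever fingerprint the real tampered node used, which the page does not say.

```python
"""Single-path RPC failover versus quorum reads for a cross-chain verifier.

Added illustration; not LayerZero, Kelp DAO or op-geth code. Endpoints are
in-process fakes standing in for JSON-RPC providers; receipt contents are made up.
"""
import json
from typing import Callable, Dict, List, Tuple

# A transport takes (JSON-RPC request, HTTP-style headers) and returns the
# JSON-RPC response dict. Real code would POST to a provider URL instead.
Transport = Callable[[dict, dict], dict]
Endpoint = Tuple[str, Transport]

class RpcUnavailable(Exception):
    """Endpoint down or timed out."""

class QuorumFailure(Exception):
    """Not enough endpoints agreed; the verifier must fail closed."""

# Constructed receipt for a cross-chain message (field values are illustrative).
HONEST_RECEIPT = {
    "status": "0x1",
    "blockHash": "0x" + "ab" * 32,
    "logs": [{"address": "0x" + "11" * 20, "data": "0x" + "00" * 31 + "64"}],
}
# The same tx as reported by a tampered node: identical shape, inflated amount.
FORGED_RECEIPT = dict(HONEST_RECEIPT, logs=[{"address": "0x" + "11" * 20, "data": "0x" + "ff" * 32}])

def honest_node(receipt: dict) -> Transport:
    return lambda req, headers: {"jsonrpc": "2.0", "id": req["id"], "result": receipt}

def ddosed_node() -> Transport:
    def send(req: dict, headers: dict) -> dict:
        raise RpcUnavailable("connection timed out")
    return send

def split_view_node(honest: dict, forged: dict, target_ua: str) -> Transport:
    """Compromised node: lies only to the client it targets (chosen here by User-Agent;
    a real attacker could key on source IP or request pattern) and answers everyone
    else truthfully, so monitoring through the same node sees nothing wrong."""
    def send(req: dict, headers: dict) -> dict:
        result = forged if headers.get("User-Agent") == target_ua else honest
        return {"jsonrpc": "2.0", "id": req["id"], "result": result}
    return send

def _request(method: str, params: list) -> dict:
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}

def naive_failover_call(endpoints: List[Endpoint], method, params, headers) -> Tuple[str, dict]:
    """Weak pattern: walk the list and trust the first endpoint that answers.
    Knocking the primary offline steers every read to whatever comes next."""
    req = _request(method, params)
    for name, send in endpoints:
        try:
            resp = send(req, headers)
        except RpcUnavailable:
            continue
        if "error" not in resp:
            return name, resp["result"]
    raise QuorumFailure("no endpoint answered")

def quorum_call(endpoints: List[Endpoint], method, params, headers, quorum: int):
    """Hardened pattern: query every endpoint, group identical results and accept one
    only if at least `quorum` endpoints returned it. Unavailable endpoints count as
    absent, never as agreeing; if nothing reaches quorum, fail closed."""
    req = _request(method, params)
    supporters: Dict[str, List[str]] = {}
    for name, send in endpoints:
        try:
            resp = send(req, headers)
        except RpcUnavailable:
            continue
        if "error" not in resp:
            key = json.dumps(resp["result"], sort_keys=True, separators=(",", ":"))
            supporters.setdefault(key, []).append(name)
    if not supporters:
        raise QuorumFailure("no endpoint answered")
    winner = max(supporters, key=lambda k: len(supporters[k]))
    if len(supporters[winner]) < quorum:
        raise QuorumFailure(f"no result reached quorum {quorum}: {list(supporters.values())}")
    dissent = [n for k, v in supporters.items() if k != winner for n in v]  # alert on these
    return json.loads(winner), supporters[winner], dissent

VERIFIER_UA, MONITOR_UA, TX_HASH = "dvn-verifier/1.0", "ops-monitor/1.0", "0x" + "cd" * 32
# The verifier's endpoint list once the primary is DDoS'd: the attacker's node is
# next in line, followed by two independently operated honest nodes.
ENDPOINTS: List[Endpoint] = [
    ("primary", ddosed_node()),
    ("fallback-compromised", split_view_node(HONEST_RECEIPT, FORGED_RECEIPT, VERIFIER_UA)),
    ("provider-b", honest_node(HONEST_RECEIPT)),
    ("self-hosted", honest_node(HONEST_RECEIPT)),
]

if __name__ == "__main__":
    args = ("eth_getTransactionReceipt", [TX_HASH])
    print("naive/verifier:", naive_failover_call(ENDPOINTS, *args, {"User-Agent": VERIFIER_UA}))
    print("naive/monitor: ", naive_failover_call(ENDPOINTS, *args, {"User-Agent": MONITOR_UA}))
    print("quorum=2:      ", quorum_call(ENDPOINTS, *args, {"User-Agent": VERIFIER_UA}, 2))
```

With the primary down, the naive client hands the verifier the forged receipt while the monitor, asking the same node, gets the honest one, which is the "different answers to different callers" problem. The quorum client outvotes the tampered node and, just as importantly, surfaces it in the dissent list, which is the signal the monitoring system needs since it cannot see the lie by itself. Two caveats a practitioner should keep in mind: agreement among endpoints only helps if they are run by genuinely independent operators and are not all on a list the attacker already holds, and the stronger check is to verify the receipt against a block header obtained from a separate, consensus-backed source, which this example does not do.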
The way LayerZero worded its statement reflects the project's dilemma in defining responsibility boundaries. The protocol code was not at fault, but the operations around it were compromised; that is a common gray area in today's multi-chain ecosystem, where protocol teams point to the code, operators point to configuration, and users bear the ultimate losses. This will accelerate the industry's migration toward "end-to-end verifiable" architectures, but in the short term it only amplifies the risks of centralized nodes.
From an industry-structure perspective, such events will reshape how trust is priced. The higher a protocol's TVL, the larger the premium it must pay for infrastructure security, including self-hosted RPC nodes, multi-signature verification, and formal audits. As the cost of attacks rises, the cost of defense will grow with it, further differentiating project capabilities: leading protocols can bear it, while lagging ones will exit faster.