When the Software Holds but the Money Leaves Anyway

On April 18, 2026, the KelpDAO rsETH bridge built on the LayerZero protocol lost 116,500 rsETH, about $292M, through a single forged cross-chain message. Mandiant and CrowdStrike attributed the attack to DPRK actor UNC4899, the same group behind the 2025 Bybit heist. The LayerZero Labs post-mortem, published May 18, is commendably transparent about what happened: the signing keys were not compromised, and the DVN contract correctly verified the signatures it received from its registered signers. The receive library's threshold check passed, and the audited components performed as specified. The compromise lived in the operational layer, which the audits were never asked to cover. In short, the internal RPC nodes were patched in memory after a social engineering attack on a developer, the external RPC providers were forced offline by a denial-of-service attack, and the signing service was left reading source-chain state through tampered data.
The point worth dwelling on is that the system did what it was designed to do, and that the LayerZero team took security seriously when designing and validating the protocol, including using formal methods to assure its on-chain code. The contracts behaved correctly, the cryptography held, and the protocol enforced the policy the application had chosen. The attack succeeded because the security stack on that channel had been configured as 1-of-1, with one required DVN and no second attestor, and because the off-chain infrastructure that the single DVN relied on was compromised through means unrelated to the smart contracts. The audits that covered the contracts had no way of seeing the RPC layer. The DVN's operational assumption that the RPC providers it queried would return honest data was never documented in a form that could be checked.
This is where the conversation about smart-contract assurance has been quietly shifting for a while, and the KelpDAO incident is the clearest recent illustration. The on-chain assurance landscape is mature: contract audits are routine, and formal verification of contract code is well established at scale, with several specialist firms handling it across DeFi, staking, bridges, and governance. The LayerZero engagement with Certora is one example among many. What this maturation has produced is an on-chain layer that increasingly behaves like the well-defended part of the perimeter, while the off-chain operational layer that surrounds it has not received comparable attention. Oracles, signing services, relay infrastructure, hosted governance frontends, and RPC dependencies all sit in that less-scrutinized perimeter.
The asymmetry has a structural cause. Smart contracts run in a deterministic environment with a small surface that can be modeled precisely. Off-chain services, by contrast, run on cloud infrastructure, depend on RPC providers, communicate over networks the protocol does not control, and rely on operational assumptions that often live in design documents or in the heads of the engineers who built them. A signing service that assumes its RPC layer is honest, a relay service that assumes its monitoring will detect tampering, a configuration delegate that assumes a multisig protects it from compromise: all of these are real properties on which the security of the whole system depends, and they are rarely written down in a form that any tool can check.
Closing the asymmetry requires extending the rigor that on-chain components already receive to the off-chain components that sit alongside them. Some of that work is conventional. Operational hardening, just-in-time access, multi-source RPC quorums, and runtime monitoring of source-chain reads against independent observers are all in the LayerZero remediation plan, and all of them raise the cost of the off-chain attack vector the KelpDAO incident exploited. Some of it is closer to formal-methods territory: specifying the properties a signing service must preserve under hostile RPC conditions, specifying the minimum configurations a DVN will participate in, and specifying what an application's delegate can and cannot change without explicit on-chain action. Each of these is a property that can be written down, checked against the code that enforces it, and monitored in production. The argument is that off-chain components benefit from the same discipline of explicit specification, mechanical checking, and runtime observation that on-chain components have come to expect.
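The multi-source RPC quorum mentioned above, written as a fail-closed gate in front of a signing service, is sketched below as an added illustration; it is not LayerZero's or any DVN operator's code, and the provider names, packet format and threshold values are constructed for the example. It also shows why the 1-of-1 shape from the incident is the weak setting: with a single reachable source and a threshold of one, tampered data is attested, while with two independent sources required the tampered node is outvoted, and a denial of service against the honest providers leaves the signer refusing rather than signing.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class QuorumDecision:
    attest: bool                  # may the signer attest to this packet?
    payload_hash: Optional[str]   # hash the quorum agreed on, if any
    agreeing: List[str]           # reachable sources that returned the winning bytes
    dissenting: List[str]         # reachable sources that returned different bytes
    unavailable: List[str]        # sources that were offline (never counted)
    reason: str

def quorum_read(providers: Dict[str, Callable[[str], bytes]], packet_id: str,
                min_agree: int) -> QuorumDecision:
    """Attest only if >= min_agree reachable, independent sources return identical
    bytes. Offline sources never count, so a DoS on honest providers fails closed."""
    votes: Dict[str, str] = {}
    unavailable: List[str] = []
    for name, fetch in providers.items():
        try:
            votes[name] = hashlib.sha256(fetch(packet_id)).hexdigest()
        except ConnectionError:
            unavailable.append(name)
    top_hash, count = Counter(votes.values()).most_common(1)[0] if votes else (None, 0)
    agreeing = sorted(n for n, h in votes.items() if h == top_hash)
    dissenting = sorted(n for n, h in votes.items() if h != top_hash)
    if count < min_agree:
        return QuorumDecision(False, None, agreeing, dissenting, unavailable,
                              f"only {count} of {min_agree} required sources agree")
    reason = "quorum reached" + (", dissent flagged" if dissenting else "")
    return QuorumDecision(True, top_hash, agreeing, dissenting, unavailable, reason)

# Constructed sample: the packet as the honest chain holds it, and as a patched node reports it.
HONEST = b"nonce=42;receiver=0x1111...;amount=1000"
TAMPERED = b"nonce=42;receiver=0x2222...;amount=1000"
def make_provider(payload: bytes) -> Callable[[str], bytes]:
    return lambda _pid: payload
def offline(_pid: str) -> bytes:
    raise ConnectionError("provider unreachable")
def demo_single_source() -> QuorumDecision:  # the weak setting: one node, threshold 1
    return quorum_read({"internal": make_provider(TAMPERED)}, "pkt-1", 1)
def demo_mixed() -> QuorumDecision:  # two honest externals outvote the tampered node
    return quorum_read({"internal": make_provider(TAMPERED), "ext_a": make_provider(HONEST),
                        "ext_b": make_provider(HONEST)}, "pkt-1", 2)
def demo_dos() -> QuorumDecision:  # externals forced offline: no quorum, signer refuses
    return quorum_read({"internal": make_provider(TAMPERED), "ext_a": offline,
                        "ext_b": offline}, "pkt-1", 2)
```

The dissenting list is the runtime-monitoring hook: a source that disagrees with the quorum is exactly the signal an independent observer should page on, even when the attestation itself proceeds.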
The KelpDAO incident is a reminder that the boundaries between layers are where the most expensive attack surfaces tend to live, because each layer trusts the one next to it to be honest. Cross-chain systems are one place this shows up. Aerospace systems running on top of ground infrastructure are another, as are medical devices that depend on hosted clinician portals, industrial control logic sitting on a SCADA layer, and cloud runtimes inside container orchestration. The common shape is a verified core wrapped in operational infrastructure that nobody specified formally, and whether the stack is web2 or web3, that wrapper has to be assured before the platform can be called solid. Making the trust relationships at those boundaries explicit and checkable is the work that remains.
