惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
L
LINUX DO - 最新话题
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Forbes - Security
Forbes - Security
博客园 - 司徒正美
Hugging Face - Blog
Hugging Face - Blog
W
WeLiveSecurity
Jina AI
Jina AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
N
News and Events Feed by Topic
V
V2EX
Stack Overflow Blog
Stack Overflow Blog
Engineering at Meta
Engineering at Meta
PCI Perspectives
PCI Perspectives
Martin Fowler
Martin Fowler
T
The Exploit Database - CXSecurity.com
F
Full Disclosure
WordPress大学
WordPress大学
S
Security Affairs
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
SegmentFault 最新的问题
P
Privacy International News Feed
IT之家
IT之家
M
MIT News - Artificial intelligence
G
GRAHAM CLULEY
Hacker News: Ask HN
Hacker News: Ask HN
D
DataBreaches.Net
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Google Online Security Blog
Google Online Security Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
Check Point Blog
美团技术团队
Security Latest
Security Latest
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
MyScale Blog
MyScale Blog
H
Help Net Security
宝玉的分享
宝玉的分享
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
The Cloudflare Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
爱范儿
爱范儿
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
I
Intezer
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
AI
AI
I
InfoQ
N
News | PayPal Newsroom
TaoSecurity Blog
TaoSecurity Blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The Kelp DAO Hack Wasn't a Smart Contract Exploit. It Was an RPC Infrastructure Attack.
GetBlock · 2026-04-29 · via DEV Community

The Kelp DAO Hack Wasn't a Smart Contract Exploit. It Was an RPC Infrastructure Attack.

On April 18th, $292 million was drained from Kelp DAO's bridge in 46 minutes. Every post-mortem you've read focused on the 1-of-1 DVN configuration on LayerZero. That's the right conversation — but it's not where the attack actually executed.

The smart contract worked exactly as written. No reentrancy. No key compromise. The code wasn't the vulnerability. The infrastructure feeding data to the code was.

What Actually Happened at the Infrastructure Layer

Here's the attack sequence:

  1. Lazarus Group (TraderTraitor unit) identified that Kelp DAO's bridge used a single LayerZero DVN verifier
  2. They compromised two RPC nodes that the DVN used for transaction verification
  3. They launched a DDoS against the remaining clean nodes — forcing the system to rely exclusively on the compromised ones
  4. The single verifier received corrupted state data and confirmed a fraudulent cross-chain transaction as legitimate
  5. 116,500 rsETH (~$292M) was released from escrow to the attacker's address
  6. The malicious binary self-destructed, wiping logs and traces
  7. Kelp paused contracts 46 minutes later — blocking two additional attempts worth ~$100M

The result: Aave froze rsETH markets with $230M in potential bad debt at risk. rsETH, deployed across 20+ chains, was suddenly undercollateralized everywhere simultaneously.

Why This Is a Different Threat Model

Most security audits cover:

  • Reentrancy attacks
  • Flash loan manipulation
  • Oracle price manipulation
  • Access control vulnerabilities

Very few cover what happens when the RPC layer is compromised or degraded under load.

This is the gap the Kelp exploit exposed. Your smart contract can be perfectly written and still execute malicious transactions — if the data it's acting on comes from a compromised source.

The LayerZero vs Kelp Blame War

Both parties made public statements. Both are partially correct.

LayerZero's position: Kelp used a 1-of-1 DVN configuration against explicit warnings going back to July 2024. Their protocol wasn't broken — Kelp's configuration was.

Kelp's position: 1-of-1 DVN is the default configuration in LayerZero's quickstart guide. Approximately 40% of protocols on LayerZero use the same setup. The RPC nodes that were compromised were LayerZero's own infrastructure, not Kelp's.

Both statements can be true simultaneously. And that's exactly what makes this dangerous: a default configuration, trusted by most, with a single point of failure at the infrastructure layer.

The Arbitrum Governance Precedent

Four days after the exploit, Arbitrum Security Council executed an emergency vote: 9 of 12 multisig signers froze 30,766 ETH (~$71M) at the attacker's address.

This is important for two reasons.

First, it's a win for victims — roughly 25% of stolen funds are now locked and potentially recoverable.

Second, it's a proof point that "permissionless" is not an absolute state. A group of 12 people, through a governance mechanism, can freeze funds on a "decentralized" network. When you're designing systems, this is a centralized choke point that exists whether you acknowledge it or not.

Four Infrastructure-Level Lessons

1. Never use 1-of-1 verification on a bridge

// Dangerous - single point of failure
DVN config: {
  requiredDVNs: ["single-dvn-address"],
  optionalDVNs: [],
  optionalDVNThreshold: 0
}

// Correct - multiple independent verifiers required
DVN config: {
  requiredDVNs: ["dvn-address-1", "dvn-address-2"],
  optionalDVNs: ["dvn-address-3"],
  optionalDVNThreshold: 1
}

Enter fullscreen mode Exit fullscreen mode

One verifier = one attack vector. Multi-DVN with independent providers is the minimum viable security posture for any bridge holding meaningful value.

2. Your RPC nodes are part of your threat model

The question isn't just "is my endpoint up?" — it's "is my endpoint returning accurate state?"

These are different questions with different answers. A compromised node can be fully available while returning fabricated data. Standard uptime monitoring won't catch this.

For cross-chain verification specifically:

  • Use multiple independent RPC sources from different providers
  • Implement response consistency checks across sources
  • Treat RPC endpoint selection as a security decision, not just an infrastructure decision

3. Default configurations can be dangerous

If you're copying a protocol's quickstart guide, check whether it's optimized for simplicity rather than security. These are different optimization targets.

Before deploying any bridge configuration to production:

  • Read the security documentation, not just the getting-started guide
  • Check what the recommended production configuration looks like vs the default
  • Understand what each parameter controls and what failure mode it protects against

4. Shared public nodes amplify attack surface

The Kelp exploit targeted specific RPC nodes. But the broader risk applies to any application using shared public endpoints for security-critical operations.

Shared nodes aggregate traffic from thousands of applications. A DDoS targeting one application on a shared endpoint degrades service for all of them. For most dApps, this means slower response times. For a bridge DVN, it can mean routing verification traffic to compromised fallback nodes.

What to Audit in Your Stack Today

If you're running a bridge or cross-chain application:

Checklist:
□ How many independent DVN verifiers are required for message validation?
□ Are those verifiers using independent RPC sources?
□ What happens to your verification logic if one RPC source goes down?
□ What happens if one RPC source returns stale or incorrect data?
□ Are any verification-critical RPC calls going through shared public endpoints?
□ Does your governance design have emergency intervention mechanisms?
   If yes — are you treating those as features or risks?

Enter fullscreen mode Exit fullscreen mode

The Kelp post-mortem will focus on DVN configuration. That's correct. But the RPC layer is where this attack was actually executed — and most teams still aren't modeling that threat.


GetBlock provides dedicated and shared RPC nodes across 130+ blockchains including Ethereum, Arbitrum, and TON. If the Kelp story made you think about your own RPC setup — explore our infrastructure.