Why RPC Node Compromises Are the Silent Killer of Cross-Chain Security

On April 10, 2025, as Bitcoin trades at $79,626 and Ethereum sits at $1,522, the crypto security community receives a sobering reminder: the most devastating attacks do not always exploit smart contract logic. LayerZero’s official announcement attributing the $290 million Kelp DAO rsETH exploit to North Korea’s Lazarus Group reveals that the attackers compromised two RPC nodes — the basic infrastructure layer that most developers take for granted. This attack vector demands a fundamental reassessment of how the industry approaches security.

The Threat Landscape

RPC (Remote Procedure Call) nodes serve as the gateway between applications and blockchain networks. Every transaction, every query, every state change passes through an RPC endpoint. When an attacker controls the RPC layer, they can manipulate the data that applications receive — returning false balances, fabricating transaction confirmations, or routing transactions through compromised pathways.

The Kelp DAO exploit demonstrates this with brutal efficiency. By compromising two specific RPC nodes in the bridging infrastructure, Lazarus Group operatives were able to manipulate verification data for the rsETH bridge. The cross-chain messaging protocol believed it was processing legitimate transactions when, in fact, the underlying data had been tampered with at the infrastructure level.

This attack pattern is particularly insidious because it bypasses all smart contract auditing. A perfectly audited contract executing on falsified input data produces compromised results. The code did exactly what it was supposed to — the problem was that the data it received was a lie.

Core Principles

Securing against RPC-level attacks requires a fundamentally different approach than traditional smart contract security. The first principle is redundancy: critical infrastructure must query multiple independent RPC providers and compare responses. If a single provider returns data that diverges from consensus, the system should flag it immediately.
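The redundancy principle can be sketched as a quorum check over the same `eth_getBlockByNumber` query sent to several providers. This is an added example, not code from the article or from any project it names; the provider names, function names and sample responses are constructed for illustration.

```python
from collections import Counter

class NoQuorum(Exception):
    """Too few providers agree; the caller should halt rather than pick a side."""

def block_view(resp):
    """Reduce an eth_getBlockByNumber response to (number, hash, stateRoot)."""
    if not isinstance(resp, dict) or "error" in resp:
        return None  # an error never counts toward quorum
    blk = resp.get("result")
    try:
        # Lower-case the hex so "0xAB.." and "0xab.." compare equal.
        return (int(blk["number"], 16), blk["hash"].lower(), blk["stateRoot"].lower())
    except (KeyError, TypeError, ValueError, AttributeError):
        return None  # missing or malformed fields are treated like an error

def quorum_check(responses, quorum):
    """responses maps provider name -> parsed JSON-RPC response.
    Returns (agreed_view, sorted names of providers that diverged or failed)."""
    if quorum * 2 <= len(responses):
        raise ValueError("quorum must be a strict majority of providers")
    views = {name: block_view(r) for name, r in responses.items()}
    counts = Counter(v for v in views.values() if v is not None)
    winner, votes = counts.most_common(1)[0] if counts else (None, 0)
    if votes < quorum:
        raise NoQuorum(f"only {votes} of {len(responses)} providers agree, need {quorum}")
    return winner, sorted(n for n, v in views.items() if v != winner)

# Constructed sample data (not real chain values); provider names are hypothetical.
BLOCK = {"number": "0x1312d00", "hash": "0x" + "ab" * 32, "stateRoot": "0x" + "cd" * 32}
SAMPLE = {
    "self-hosted": {"jsonrpc": "2.0", "id": 1, "result": BLOCK},
    "provider-a": {"jsonrpc": "2.0", "id": 1, "result": {**BLOCK, "hash": "0x" + "AB" * 32}},
    "provider-b": {"jsonrpc": "2.0", "id": 1, "result": {**BLOCK, "stateRoot": "0x" + "ee" * 32}},
}

if __name__ == "__main__":
    agreed, flagged = quorum_check(SAMPLE, quorum=2)
    print("agreed block:", agreed[0], "flagged providers:", flagged)
```

A quorum only protects against as many bad providers as it outvotes, and only if the providers are operated independently. With two nodes returning the same falsified view, as in the incident described above, a 2-of-3 rule would accept it, so size the quorum above the number of nodes an attacker could plausibly control at once.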

The second principle is verification at multiple layers. Cross-chain bridges — the most lucrative targets for state-sponsored attackers — must verify not just that a message was received, but that the source chain’s state actually changed as claimed. Zero-knowledge proofs and light client verification offer promising paths toward this goal.

The third principle is operational security hygiene. RPC node operators must treat their infrastructure with the same rigor as custodial wallet security — hardware security modules, access logging, regular key rotation, and isolation of critical nodes from internet-facing services.

Tooling and Setup

For projects serious about RPC security, several tools and practices are essential. Running self-hosted RPC nodes with dedicated infrastructure eliminates reliance on third-party providers. Services like Alchemy, Infura, and QuickNode offer premium tiers with enhanced security monitoring, but self-hosting remains the gold standard for high-value operations.

Cross-chain protocols should implement multi-prover architectures where multiple independent verification systems must agree before processing a transaction. Chainlink’s CCIP framework and similar solutions provide this type of layered verification. The era of trusting a single verification path for nine-figure bridges must end.

Monitoring tools like Tenderly and Forta can detect anomalous RPC behavior in real time. Setting up alerts for unexpected response patterns, latency spikes, or data inconsistencies provides an early warning system that can prevent catastrophic losses.

Ongoing Vigilance

State-sponsored threat groups like Lazarus are not opportunistic attackers — they are well-resourced, patient, and systematic. They study infrastructure for months before striking, identifying the weakest links in the chain. The crypto industry must match this level of sophistication in its defensive posture.

Regular penetration testing of RPC infrastructure, red team exercises that specifically target the infrastructure layer, and bug bounty programs that include node security are all necessary investments. The cost of these measures pales in comparison to a nine-figure exploit.

Final Takeaway

The Kelp DAO exploit is not an anomaly — it is a preview. As cross-chain infrastructure grows more complex and TVL increases, state-sponsored actors will continue targeting the weakest links. Smart contract audits are necessary but insufficient. The industry must expand its security mindset to encompass the full stack, from user interface to RPC node to consensus layer. In a market where total crypto market capitalization exceeds $2.7 trillion, the stakes are too high for anything less than comprehensive infrastructure security.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Organizations should consult with qualified security professionals for comprehensive threat assessments.
7 thoughts on “Why RPC Node Compromises Are the Silent Killer of Cross-Chain Security”

    1. Katya Ivanova: Bridges are the weakest link because they require trusting the bridge operator. That defeats the whole point.