LayerZero executor wallets exploited for $2.4M across multiple chains
An attacker drained executor wallets across several networks and converted the proceeds to ETH and USDC
Executor wallets in LayerZero’s architecture are the components responsible for actually delivering messages between chains. They pick up a package on one chain and drop it off on another.
In April 2026, KelpDAO suffered a major breach linked to LayerZero infrastructure, in which approximately 116,500 rsETH, worth around $292 million at the time, was drained after attackers forged a cross-chain message by compromising a single-signer DVN role.
That attack was attributed to North Korea’s Lazarus Group. The KelpDAO breach also revealed a systemic configuration problem: nearly half of all LayerZero applications were still operating with what security researchers called a “1-of-1” DVN setup. That means one compromised verifier is all it takes to forge a valid message.
The KelpDAO incident triggered calls across the ecosystem for applications built on LayerZero to migrate toward multi-signer DVN configurations, which require more than one independent verifier to approve a message before it can be executed.
LayerZero’s architectural approach emphasizes configurability over a single canonical security model, giving applications control over their own risk parameters. The tradeoff is that misconfigured or under-secured applications become the weakest links.