DeFi Developer Banteg: LayerZero Attack Not Due to RPC Poisoning


On April 20, LayerZero released a report on the KelpDAO incident stating that the attack on KelpDAO was carried out by hackers through RPC poisoning of a LayerZero DVN. Banteg, an anonymous Yearn Finance developer, expressed skepticism, arguing that the LayerZero attack was not a case of RPC poisoning. Network poisoning refers to an attacker altering a shared lookup (DNS, ARP, a cache) outside the trust boundary, where the recipient has no reason to suspect the source. This attack was different. The attackers penetrated LayerZero's internal trust boundary, obtained the RPC list, compromised two of the nodes the DVN relied on, and replaced the op-geth binary. That is an infrastructure breach inside the boundary, an attack on the supply chain rather than on the network layer. The malicious payload was also delivered with great precision: the malicious binary keyed its behaviour to the caller's IP address, serving forged payloads only to the DVN while returning genuine data to scanners and every other caller, and then self-destructed to erase its logs and binary. Calling this "RPC poisoning" invites the reading that the infrastructure was attacked from outside. In reality, the attackers planted a targeted malicious program inside the trust boundary, which is far more alarming than the name suggests.
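The core of Banteg's point is that a verifier which trusts the answer of a single RPC node cannot tell a genuine node from one whose binary was swapped to lie only to it. As an added example (not code from LayerZero, KelpDAO or Banteg, and not the real DVN's design), the following verifier issues the same lookup to several independently operated endpoints and accepts a value only when a majority agree, reporting any endpoint that diverges; the endpoint names and responses are constructed sample data.

```python
"""Quorum cross-check of RPC responses (assumed design, constructed data)."""
from collections import Counter
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample: what each endpoint returns for the same lookup (here a
# payload hash a verifier would check). "rpc-b" stands in for a node whose
# binary was replaced and which serves a forged answer to this caller only.
SAMPLE_RESPONSES: Dict[str, str] = {
    "rpc-a": "0xaaa...genuine",
    "rpc-b": "0xbbb...forged",
    "rpc-c": "0xaaa...genuine",
    "rpc-d": "0xaaa...genuine",
}


def verify_with_quorum(
    fetch: Callable[[str], Optional[str]], endpoints: List[str], quorum: int
) -> Tuple[Optional[str], Set[str]]:
    """Return (accepted value or None, endpoints that disagreed with it).

    A value is accepted only when at least `quorum` endpoints return it, and
    `quorum` must be a strict majority so two different answers can never
    both qualify. Endpoints that error out count as disagreeing: an attacker
    who can knock honest nodes offline must not be able to lower the bar.
    """
    if quorum <= len(endpoints) // 2:
        raise ValueError("quorum must be a strict majority of endpoints")
    answers: Dict[str, Optional[str]] = {}
    for ep in endpoints:
        try:
            answers[ep] = fetch(ep)
        except Exception:  # unreachable or malformed: treated as no answer
            answers[ep] = None
    tally = Counter(v for v in answers.values() if v is not None)
    if not tally:
        return None, set(endpoints)
    value, votes = tally.most_common(1)[0]
    divergent = {ep for ep, v in answers.items() if v != value}
    if votes < quorum:
        return None, divergent
    return value, divergent


def sample_fetch(endpoint: str) -> Optional[str]:
    """Stand-in for a real RPC call, answering from the constructed table."""
    return SAMPLE_RESPONSES[endpoint]


if __name__ == "__main__":
    value, bad = verify_with_quorum(sample_fetch, list(SAMPLE_RESPONSES), 3)
    print("accepted:", value, "divergent endpoints:", sorted(bad))
```

The divergent set is the signal worth alerting on: a node that disagrees with its peers for one caller while scanners see nothing wrong is exactly the behaviour described above.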
