
SlowMist's analysis of the KelpDAO attack process

2026-04-20 13:15:43

According to SlowMist founder Yu Xian (@evilcos), the core of the KelpDAO theft incident, which involved approximately $290 million, was a targeted poisoning attack on the downstream RPC infrastructure of LayerZero DVN (Decentralized Validator Network).

The attack proceeded in the following steps. The attacker first obtained the list of RPC nodes used by LayerZero DVN, then breached two independent clusters and replaced the op-geth binary file. The attacker used selective deception techniques to return forged malicious payloads only to the DVN while returning real data to other IPs. At the same time, DDoS attacks were launched on the unbreached RPC nodes, forcing the DVN to fail over to the poisoned nodes and complete verification of the forged message, after which the malicious binary self-destructed and cleared its logs. This ultimately led to LayerZero DVN issuing validations for "transactions that never occurred."
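The failover step is where a defender has leverage. The sketch below is an added example, not code from SlowMist, LayerZero or KelpDAO: it contrasts a first-responder failover with a read that needs agreement from a strict majority of the configured providers and otherwise declines to attest. Provider names, hash values and both function names are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

REAL, FORGED = "0xreal", "0xforged"   # constructed sample values

@dataclass(frozen=True)
class Decision:
    attest: bool
    value: Optional[str]
    reason: str

def naive_failover(responses: Dict[str, Optional[str]]) -> Optional[str]:
    """Weak pattern: trust the first provider that answers at all."""
    return next((v for v in responses.values() if v is not None), None)

def quorum_read(responses: Dict[str, Optional[str]], threshold: int) -> Decision:
    """responses maps every CONFIGURED provider to its answer (None = timeout).
    The threshold is counted against the configured set, not the reachable
    set, so knocking honest nodes offline cannot shrink the quorum."""
    configured = len(responses)
    if threshold * 2 <= configured:
        raise ValueError("threshold must be a strict majority of configured providers")
    answers = Counter(v for v in responses.values() if v is not None)
    if not answers:
        return Decision(False, None, "no provider reachable")
    value, votes = answers.most_common(1)[0]
    if votes >= threshold:
        return Decision(True, value, f"{votes}/{configured} providers agree")
    if len(answers) > 1:
        return Decision(False, None, "providers disagree: possible poisoned node")
    return Decision(False, None, f"only {votes}/{configured} answered: refusing to fail over")

# Constructed scenarios: five configured providers, threshold 3.
HEALTHY = {p: REAL for p in ("rpc-a", "rpc-b", "rpc-c", "rpc-d", "rpc-e")}
# Two poisoned clusters answer; the three honest ones are unreachable (DDoS).
ATTACK = {"rpc-a": None, "rpc-b": None, "rpc-c": None,
          "rpc-d": FORGED, "rpc-e": FORGED}
# One honest node still answers: the disagreement itself is the alert.
SPLIT = {"rpc-a": REAL, "rpc-b": None, "rpc-c": None,
         "rpc-d": FORGED, "rpc-e": FORGED}

if __name__ == "__main__":
    print("naive failover under attack:", naive_failover(ATTACK))
    for name, scenario in (("healthy", HEALTHY), ("attack", ATTACK), ("split", SPLIT)):
        print(name, quorum_read(scenario, threshold=3))
```

The refusal and disagreement outcomes are worth alerting on, since a sudden loss of most providers combined with agreement among the few remaining ones matches the pattern described above. The check only helps when the configured providers are operated independently of one another.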
