An attacker exploited executor wallets in LayerZero's cross-chain messaging infrastructure across multiple networks, stealing approximately $2.4 million. The stolen funds were converted to ETH and USDC, according to security reports.
How the Attack Worked
Executor wallets are a critical component of LayerZero's architecture, responsible for delivering messages between blockchains. They pick up a message package on one chain and execute it on another. The attacker compromised these wallets on several networks, draining funds before swapping the proceeds.
This incident follows a much larger breach in April 2026, when KelpDAO lost about $292 million in rsETH after attackers forged a cross-chain message by compromising a single-signer DVN role. That attack was attributed to North Korea's Lazarus Group.
Security Concerns and Industry Response
The KelpDAO breach exposed a systemic vulnerability: nearly half of all LayerZero applications were still using a "1-of-1" DVN setup, meaning only one verifier needed to be compromised to forge a valid message. Security researchers warned that this configuration creates a single point of failure.
In response, the ecosystem has pushed for applications to migrate to multi-signer DVN configurations, which require multiple independent verifiers to approve a message before execution. LayerZero's architecture prioritizes configurability over a fixed security model, allowing applications to set their own risk parameters. However, this flexibility means that misconfigured or under-secured applications become the weakest links, as demonstrated by the latest exploit.