The offchain dependency graph is the attack surface

Gabriel Alborta

Gabriel Alborta

5 min read
The offchain dependency graph is the attack surface

On April 18, 2026, an attacker drained $292 million in rsETH from KelpDAO's LayerZero bridge in roughly 80 minutes. The contracts behaved exactly as designed throughout. OpenZeppelin's post-mortem opens with the line that should reframe the next year of cross-chain security work: zero bugs found.

The attacker did not break a contract. They broke the offchain dependency graph the contracts trusted.

This is the structural shift the rest of the industry has not absorbed yet.

What actually happened

LayerZero Labs runs a Decentralized Verifier Network — a DVN — that reads state from source chains and tells destination contracts whether a cross-chain message is real. KelpDAO had the LayerZero Labs DVN configured as the only verifier. A 1-of-1 setup. One signer, many recommendations against it, no second opinion.

The DVN reads source-chain state through a list of RPC nodes. The attacker obtained that list. Two of those RPC nodes — independent op-geth instances running on separate clusters — had their binaries swapped for malicious versions. Then the attacker DDoS'd the remaining clean RPCs. The DVN's failover logic did exactly what failover logic does: it routed to the nodes that were still reachable. Those nodes reported a phantom rsETH burn on Unichain that had never happened. The DVN signed the attestation. The Ethereum-side contract released 116,500 rsETH to an attacker-controlled address.

The contracts saw a valid signed message and acted on it. Every line of solidity in that pipeline did the right thing.

The pattern, not the case

The temptation is to read this as a story about LayerZero, or about KelpDAO's choice of a 1-of-1 DVN, or about Lazarus Group's operational sophistication. All of that is true. None of it is the lesson.

The lesson is that the offchain dependency graph beneath any cross-chain verification protocol is presently invisible from outside, and the invisibility is the attack surface.

Every cross-chain protocol with operators has the same shape:

  • A smart contract layer, audited and public.
  • A consensus or coordination protocol — DON, Guardian set, validator set, ISM — documented and public.
  • An operator dependency layer beneath both. Which RPC providers each operator uses. Which monitoring services they run. How their failover logic behaves under selective unreachability. None of this is part of the protocol specification. None of it is auditable from outside.

LayerZero's response to KelpDAO has been to say it will no longer sign messages for 1-of-1 configurations. This addresses the proximate configuration error and leaves the structural question untouched. M-of-N verification only adds security if the M independent nodes do not share upstream dependencies. If twelve of sixteen DON nodes route Ethereum reads through the same three RPC providers, M-of-N is theatre.

Apply this to the protocols allocators actually use

Chainlink CCIP runs sixteen independent professional node operators. The public claim is infrastructure diversity, multi-region cloud, redundant RPCs. The structural question is whether the dependency graph behind those sixteen operators is actually diverse, or whether it converges on two or three upstream providers nobody outside the operator set can see.

Wormhole runs nineteen Guardians with a 13-of-19 threshold. The operator list is public — RockawayX, P2P, Figment, Everstake, others. The signers are real entities with track records. What isn't public is which RPC infrastructure each Guardian uses to observe source chains, or how many Guardians integrated Google Cloud after the 2025 announcement, or how their failover responds to selective DDoS. The 13-of-19 threshold matters only if the Guardians are reading independent state.

Axelar runs seventy-five validators in a permissionless proof-of-stake set. The validator count is the most diverse of the four. The structural question shifts: Axelar validators monitor Gateway contracts on every connected chain via RPC. Seventy-five validators × N chains × upstream providers per validator is a much larger and harder-to-concentrate graph — but it is also entirely undocumented. The chance of meaningful overlap goes down with operator count; it does not go to zero.

Hyperlane is the most architecturally honest of the four. ISMs are modular: applications choose their own validator sets and thresholds. The protocol explicitly does not opine on operator dependencies. This is consistent with the failure mode: KelpDAO chose a 1-of-1 DVN inside LayerZero. Any application running a 1-of-N Multisig ISM under Hyperlane has the same shape. The honesty of the framing does not change the structural exposure

Steel-manning the protocols

The strongest version of the protocols' position is straightforward. The operator dependency graph is private because it has to be. Publishing which RPC providers each operator uses is a roadmap for the next attacker. Operational confidentiality is not security theatre; it is one of the few defensive surfaces that doesn't have to be traded away.

They are right that per-operator disclosure is a roadmap for attackers. They are wrong that confidentiality is the only path. Aggregate disclosure across the operator set — twelve of sixteen nodes use Provider A for Ethereum reads — names no individual operator. It is the diversity claim itself, expressed as a number rather than a posture. The protocols that have not published this number are not declining to disclose; they are declining to compute it.

The second-order dynamic

The reason this matters now, three weeks after KelpDAO, is that Lazarus Group does not retire playbooks that work. The TraderTraitor TTP — RPC binary substitution + selective DDoS forcing failover into compromised nodes — has been documented end-to-end by Chainalysis, OpenZeppelin, and Hypernative. The exact attack pattern is now public infrastructure for the next sophisticated actor. The window for any cross-chain protocol to publicly map and harden its dependency graph before it is independently mapped by an attacker is measured in months, not years.

The protocols that move first will be the ones that allocators trust by default. The protocols that publish nothing will be the ones whose dependency graph someone else publishes, and not in the form the protocol would have chosen.

What this brief is, and isn't


We have not asserted that any protocol named here is presently compromised. We have asserted that for each of them, three structural questions cannot be answered from outside:

  1. How concentrated are upstream RPC providers across the operator set?
  2. How does each operator's failover behave under selective DDoS that degrades clean RPCs while leaving compromised RPCs available?
  3. What real-time observability flags divergent attestations between nodes before consensus completes?

Allocators with significant value flowing through any of these protocols should be asking these questions of the protocol teams directly. Protocol teams that don't yet have answers should treat the absence as a roadmap.

The audit boundary used to be the smart contract. KelpDAO moved it.

We're tagging the four teams named here — @chainlink, @wormhole, @axelar, @hyperlane — because the most useful thing a brief like this can do is reach the people who can actually answer the questions inside it. Several of you may already have these answers internally. If so, this is a prompt to publish them. If not, it's a map of what to start computing.

If you're at one of these protocols and want to share what you've already done, or push back on the framing, the post is open for that. If you have questions or want to connect on cross-chain dependency mapping, DM @galbortam.

Read more