
Audits Aren't Enough: Why RPC Security Needs to Level Up


TL;DR

Magma Devs is partnering with Hashlock, Hacken, Hexens and Cyfrin to help close RPC Security Gaps in the industry.

Take 5 mins to check your exposure to RPC attacks.

The exploit that didn't break a contract

The $292M KelpDAO exploit didn't break a smart contract. KelpDAO's OFTAdapter passed its audit. So did LayerZero's contracts.


A lot went wrong. The attackers, attributed by LayerZero to the Lazarus Group, appear to have gained deep access to LayerZero's internal infrastructure, possibly through social engineering or a separate compromise. From there, they were able to poison the RPC nodes feeding LayerZero's verifier, while DDoS'ing the clean ones to force failover. KelpDAO's 1-of-1 DVN setup did the rest.


There's no single root cause here. Internal access controls, operational security, DVN configuration, and RPC integrity all failed in sequence. RPC security wasn't the only layer that broke, but it is a fundamental security layer that was lacking, and its absence allowed an internal compromise to turn into a $292M loss.

The attack surface is moving

For years, smart contract audits have been treated as the bar for security. They are necessary, but they are not sufficient. Modern DeFi protocols and crypto-native financial institutions are built on top of off-chain infrastructure that gets nowhere near the same scrutiny as the code itself: key management, cybersecurity posture, operational practices, and increasingly, the RPC layer.


Every DVN or other on-chain component ultimately operates based on RPC data. If those sources are compromised, or all share the same underlying infrastructure, everything built on top of them is potentially compromised as well.


Most applications don't have sufficient guards in place to validate RPC data before acting on it.


Raising the bar

The bar needs to rise. Companies handling user funds need to operate at higher standards across the full stack — and that means treating RPC security as a first-class concern, not an afterthought. Cross-validation across independent sources. Quorum requirements that include external nodes, not just internal ones. Cryptographic proofs where they're available. Failover systems that fail over to something defensible, not just something available.
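As an added illustration of the cross-validation and quorum rules just described (example code written for this post, not Magma Devs' or any partner's software; the source names and block hashes are constructed placeholders), the check below only accepts a block hash when enough sources agree, at least one of them is an independent external provider, and unreachable nodes never shrink the quorum:

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class RpcSource:
    name: str
    external: bool  # run by an independent operator, not on our own infrastructure

@dataclass
class Verdict:
    block_hash: str
    agreeing: list        # sources that returned the accepted hash
    dissenting: dict      # source name -> conflicting hash, surfaced for alerting

class QuorumFailure(Exception):
    """Responses did not reach a defensible quorum: the caller must halt, not fail over."""

def quorum_block_hash(results: dict, min_agree: int = 3, min_external: int = 1) -> Verdict:
    """Cross-validate a block hash across several RPC sources.
    `results` maps RpcSource -> returned hash, or None if the node was unreachable.
    Unreachable nodes never count toward agreement, so losing nodes only fails closed."""
    answered = {s: h for s, h in results.items() if h is not None}
    if not answered:
        raise QuorumFailure("no RPC source answered")
    ranked = Counter(answered.values()).most_common()
    candidate, count = ranked[0]
    if len(ranked) > 1 and ranked[1][1] == count:
        raise QuorumFailure(f"split vote: {dict(ranked)}")
    if count < min_agree:
        raise QuorumFailure(f"only {count} source(s) agree on {candidate}, need {min_agree}")
    ext = [s.name for s, h in answered.items() if h == candidate and s.external]
    if len(ext) < min_external:
        raise QuorumFailure(f"{candidate} confirmed by {len(ext)} external source(s), need {min_external}")
    return Verdict(candidate,
                   [s.name for s, h in answered.items() if h == candidate],
                   {s.name: h for s, h in answered.items() if h != candidate})

def summarize(results: dict, **policy) -> str:
    """Run the check and return a one-line outcome (handy for logs and tests)."""
    try:
        return "accepted:" + quorum_block_hash(results, **policy).block_hash
    except QuorumFailure as e:
        return f"halted: {e}"

# Constructed scenario: three in-house nodes plus two independent providers.
INTERNAL = [RpcSource(f"internal-{i}", external=False) for i in "abc"]
EXTERNAL = [RpcSource(f"ext-provider-{i}", external=True) for i in "12"]
GOOD, BAD = "0xaaaa", "0xbbbb"  # placeholder hashes, not real block hashes
```

With these defaults, two poisoned internal nodes plus one knocked offline produce a split vote against the honest external providers and the check halts, and even three agreeing internal nodes are rejected when no external source confirms them.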

Closing the gap

The good news is that some of the most rigorous teams in the space are already moving on this. The security firms we're partnering with, Cyfrin, Hacken, Hashlock and Hexens, have built their reputations on auditing the largest protocols in crypto.


They're now extending that same rigor beyond the contract layer, helping their clients close operational and infrastructure gaps that audits were never designed to cover.


That's the shift the industry needs. Security as a continuous operational standard, not a checkpoint before launch.