What Did LayerZero Admit About the Kelp DAO Exploit?
LayerZero issued a public apology Friday over its handling of the April 18 exploit that drained roughly $292 million in rsETH from Kelp DAO’s cross-chain bridge, reversing the tone of its earlier statements that said the protocol had “functioned exactly as intended.”
“We’ve done a terrible job on comms over the past three weeks,” the company wrote in a blog post cross-posted to X. “We wanted to prioritize completeness in the form of a comprehensive post-mortem, but we should have led with directness.”
The protocol attributed the attack to North Korea’s Lazarus Group, saying attackers compromised internal RPC nodes used by its Decentralized Verifier Network while simultaneously launching DDoS attacks against external RPC providers. According to LayerZero, this forced the verifier system onto compromised infrastructure, allowing fraudulent cross-chain messages to be approved.
The company also conceded that it should never have allowed its own DVN to act as the sole verifier for high-value transactions.
“We believe developers should choose their own security configurations, but we made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions,” LayerZero wrote.
Why Did the 1/1 DVN Configuration Become So Controversial?
The admission represents a major reversal from LayerZero’s initial response, which placed responsibility on Kelp DAO for selecting a single-verifier setup. Kelp DAO disputed that account, arguing that LayerZero’s own documentation and onboarding materials promoted the configuration as a default setup.
A Dune analysis cited by Kelp DAO found that 47% of roughly 2,665 active LayerZero OApp contracts were using the same configuration at the time of the exploit.
The dispute exposed broader concerns around default security assumptions in cross-chain infrastructure. While protocols often market modular security options, developers frequently rely on recommended templates and quickstart configurations when deploying applications.
LayerZero said the exploit affected only one application, representing around 0.14% of total applications on the network and about 0.36% of total asset value bridged through the protocol.
What Additional Security Problems Did LayerZero Reveal?
LayerZero also disclosed a previously unreported operational security incident from roughly three and a half years ago involving one of its multisig signers. According to the company, the signer accidentally used a production hardware wallet to execute a personal trade instead of a separate personal device.
The company said the signer was removed, wallets were rotated, and anomaly detection software was later added to signing devices.
The disclosure arrives amid wider scrutiny over operational controls tied to LayerZero’s multisig infrastructure. Onchain researchers and security figures had previously flagged transactions suggesting production multisig wallets were used for unrelated decentralized exchange activity.
LayerZero CEO Bryan Pellegrino later said those transactions were tied to testing activity by former signers who have since been removed.
What Changes Is LayerZero Making After the Exploit?
LayerZero said its Labs DVN will no longer support 1/1 verifier configurations. Default settings across pathways are being migrated toward setups requiring at least five verifiers where possible, with a minimum threshold of three verifiers on smaller chains.
The protocol is also building a second DVN client in Rust to improve client diversity and reworking its RPC architecture to allow more granular quorum controls across internal and external node providers.
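The failure described earlier (external RPC providers knocked offline so that only compromised internal nodes answered) and the per-group quorum idea above can be sketched as follows. This is an added example, not LayerZero's code: the provider names, the hashes, the `POLICY` thresholds and the rule that any dissent refuses approval are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RpcAnswer:
    provider: str
    group: str                    # "internal" or "external"
    payload_hash: Optional[str]   # None: provider unreachable (e.g. under DDoS)

def naive_verify(answers):
    """Weak: accept whatever the reachable providers say, however few remain."""
    live = [a.payload_hash for a in answers if a.payload_hash is not None]
    return Counter(live).most_common(1)[0][0] if live else None

def quorum_verify(answers, min_per_group):
    """Fail closed: return a hash only if every group meets its minimum
    number of answers and no reachable provider dissents."""
    live = [a for a in answers if a.payload_hash is not None]
    hashes = {a.payload_hash for a in live}
    if not hashes:
        return None, "no provider reachable"
    if len(hashes) > 1:
        return None, "providers disagree"
    support = Counter(a.group for a in live)
    for group, needed in min_per_group.items():
        if support[group] < needed:
            return None, f"{group} quorum not met ({support[group]}/{needed})"
    return hashes.pop(), "ok"

# Constructed sample data: provider names and hashes are made up.
POLICY = {"internal": 1, "external": 2}

def scenario(internal_hash, external_hash):
    return [RpcAnswer("int-1", "internal", internal_hash),
            RpcAnswer("int-2", "internal", internal_hash),
            RpcAnswer("ext-1", "external", external_hash),
            RpcAnswer("ext-2", "external", external_hash),
            RpcAnswer("ext-3", "external", external_hash)]

HEALTHY = scenario("0xaaa", "0xaaa")
EXTERNAL_DOWN = scenario("0xbad", None)   # internal nodes lie, externals unreachable
SPLIT = scenario("0xbad", "0xaaa")        # internal and external views differ

if __name__ == "__main__":
    for name, s in [("healthy", HEALTHY), ("external down", EXTERNAL_DOWN), ("split", SPLIT)]:
        print(name, "| naive:", naive_verify(s), "| quorum:", quorum_verify(s, POLICY))
```

With the external group unreachable, the naive fallback approves the forged hash while the per-group quorum refuses to sign, trading availability for integrity.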
On the governance side, LayerZero plans to raise its multisig threshold from 3-of-5 to 7-of-10 using OneSig, an open-source multisig tool introduced last year. The system allows signers to locally hash transactions before signing, reducing the risk of unauthorized transaction insertion.
The company is additionally building a monitoring platform called Console to help asset issuers configure security settings and identify risky deployments through anomaly detection.
How Has the Exploit Impacted LayerZero’s Market Position?
The fallout has already affected LayerZero’s competitive standing in the cross-chain market. Kelp DAO announced earlier this week that it would migrate its infrastructure to Chainlink’s CCIP, becoming the first major protocol to leave LayerZero after the exploit.
Solv Protocol later followed, saying it would move more than $700 million in tokenized bitcoin infrastructure away from LayerZero due to security concerns.
At the same time, the DeFi United recovery initiative created after the exploit has raised more than $300 million in ETH and stablecoins. LayerZero contributed 10,000 ETH, split between a donation and a loan to Aave, which faces an estimated $124 million to $230 million in bad debt linked to the incident.
LayerZero said a full post-mortem will be released after external security partners complete their investigations.
