Kelp DAO Says LayerZero’s Bridge Blame is ‘Sketchy,’ Periodt.

The crypto world is buzzing, and no cap, Kelp DAO is straight up calling out LayerZero after a gnarly $292 million hack drained its rsETH bridge. LayerZero’s post-mortem pointed fingers at Kelp’s 1-of-1 verifier setup as the culprit, a move they claimed ‘directly contradicts’ their recommended multi-DVN model. But Kelp DAO is not having it, alleging LayerZero personnel approved this configuration across 2.5 years and eight discussions. This ‘LayerZero bridge blame’ narrative exposes serious fault lines in DeFi security.

Kelp’s detailed memo, ‘Setting the Record Straight Around the LayerZero Bridge Hack,’ dropped serious receipts, including Telegram chat screenshots. These show LayerZero team members giving the green light to using ‘defaults,’ which Kelp asserts referred to the 1-of-1 LayerZero Labs DVN setup. For real, this isn’t just a miscommunication; it suggests a deep issue where a setup later blamed for a massive exploit was rubber-stamped, potentially leaving users in a ‘sketchy’ situation.

What’s even wilder is Kelp’s argument that LayerZero’s own documentation—like its bug bounty scope, OFT Quickstart, and developer examples—actually showcased or even required a one-DVN setup. It’s giving mixed signals when official guides promote a configuration later deemed a security risk. The bug bounty program excludes ‘misconfiguration’ from rewards, yet if templates encouraged such a setup, it raises serious questions about ‘on point’ security practices.

Adding another layer to this drama, security researcher Sujith Somraaj, a former LayerZero auditor, has chimed in. He claims he submitted a bug bounty report describing the exact attack pattern exploited, but it was allegedly dismissed by LayerZero as ‘not a vuln’ because it ‘requires all DVNs.’ Then, Kelp’s deployment removes the ‘all’ part, and boom, hackers collect a nearly $300 million bounty. It’s like, dude, if someone flags a fire hazard and you ignore it, you can’t just blame the building owner when the whole place goes up in smoke.

In a decisive move following the exploit, Kelp announced its migration of rsETH assets off LayerZero to Chainlink’s Cross-Chain Interoperability Protocol (CCIP). This isn’t just a minor tweak; it’s a significant shift from LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard, signaling a loss of trust and a tangible move away from the embattled protocol. This kind of big-money migration can have ripple effects across the ecosystem.

The actual exploit was straight up elaborate: North Korea’s Lazarus Group allegedly compromised two RPC nodes used by the LayerZero Labs DVN, swapped out binaries, then launched a DDoS attack against uncompromised nodes to force a failover to the poisoned ones. This allowed the DVN to confirm transactions that never actually happened, fabricating the drain of 116,500 rsETH. Data suggests this 1-of-1 DVN configuration was shockingly widespread, with 47% of active LayerZero OApp contracts, over $4.5 billion in market value, exposed to the same class of risk. That’s massive exposure, highkey.
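
The failover step described above is the part a verifier operator can design against. The following Python is an added example, not code from LayerZero, Kelp or the original article: it compares a first-responder failover read with a fail-closed quorum read over an RPC pool. The pool of four nodes, the function names and the hash strings are all constructed assumptions.

```python
from collections import Counter
from typing import Callable, Sequence

# Hypothetical model: a node is a callable that returns the payload hash it
# sees for a message id, or raises ConnectionError when it is unreachable.
Node = Callable[[str], str]

class NoQuorum(Exception):
    """Too few independent nodes agree, so the verifier must not sign."""

def failover_read(nodes: Sequence[Node], msg_id: str) -> str:
    """Weak pattern: trust whichever node answers first."""
    for node in nodes:
        try:
            return node(msg_id)
        except ConnectionError:
            continue
    raise NoQuorum("no node reachable")

def quorum_read(nodes: Sequence[Node], msg_id: str, quorum: int) -> str:
    """Hardened pattern: return a value only if `quorum` nodes report it."""
    answers = []
    for node in nodes:
        try:
            answers.append(node(msg_id))
        except ConnectionError:
            continue
    if answers:
        value, count = Counter(answers).most_common(1)[0]
        if count >= quorum:
            return value
    raise NoQuorum(f"{len(answers)} answers, none reached quorum {quorum}")

# Constructed sample nodes and hashes, not real chain data.
def honest(msg_id: str) -> str: return "hash-of-real-event"
def poisoned(msg_id: str) -> str: return "hash-of-forged-event"
def down(msg_id: str) -> str: raise ConnectionError("unreachable")

def run_scenario(nodes: Sequence[Node], quorum: int = 3) -> tuple:
    """Return (failover result, quorum result or 'REFUSED') for one pool."""
    weak = failover_read(nodes, "msg-1")
    try:
        strong = quorum_read(nodes, "msg-1", quorum)
    except NoQuorum:
        strong = "REFUSED"
    return weak, strong

if __name__ == "__main__":
    print(run_scenario([honest, honest, poisoned, poisoned]))  # normal day
    print(run_scenario([down, down, poisoned, poisoned]))      # under DDoS
```

The quorum has to be larger than the number of nodes an attacker could control: with `quorum=2`, the two poisoned nodes in this constructed pool satisfy it on their own once the honest ones are unreachable.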

LayerZero’s post-mortem stated the protocol ‘functioned exactly as intended,’ which, lowkey, sounds pretty wild when $292 million just vanished. They have since changed their policy to no longer sign messages for any application running a 1-of-1 configuration, a move that only came *after* the hack. Kelp further alleges that their team, not LayerZero, had to initially flag the exploit, raising serious questions about LayerZero’s internal monitoring capabilities. The crypto community is watching closely, periodt.

Darius Zerin
Darius Zerin specializes in business strategy, entrepreneurship, and market trends. He covers everything from startups to global finance, offering practical insights and forward-thinking analysis. His writing is designed to help readers stay ahead in a constantly evolving economic landscape.
