Kelp Blames LayerZero for $292 Million Exploit Amid Security Concerns

By John Nada · May 5, 2026 · 6 min read

Kelp DAO blames LayerZero for a $292 million exploit linked to North Korean hackers, raising serious security concerns in cross-chain protocols.

Kelp DAO has accused LayerZero of approving a risky verifier setup that led to a $292 million exploit linked to North Korean hackers. This incident forced Kelp to migrate its rsETH from LayerZero's OFT standard to Chainlink's Cross-Chain Interoperability Protocol (CCIP). The hack drained 116,500 rsETH, and Kelp asserts that the setup was reviewed by LayerZero personnel for over 2.5 years without warning of potential security risks.

Kelp's memo, titled "Setting the Record Straight Around the LayerZero Bridge Hack," claims that LayerZero personnel were aware of the 1-of-1 verifier configuration, which LayerZero later deemed a significant security flaw. The memo includes screenshots of communications that Kelp believes demonstrate LayerZero's approval of this setup. According to the report, LayerZero's April 19 postmortem criticized Kelp for relying on a single verifier, contradicting its recommended multi-DVN model.

LayerZero's bug bounty scope excludes rewards for impacts due to misconfigurations made by applications like Kelp. This situation raises questions about LayerZero's oversight and monitoring capabilities, especially since Kelp had to inform LayerZero about the exploit. The consequences of this hack are significant, as it not only affected Kelp but also exposed a vulnerability that may affect nearly half of active LayerZero OApp contracts, representing over $4.5 billion in market value.

The exploit involved a sophisticated attack by the North Korea-linked Lazarus Group, which compromised two RPC nodes and launched a DDoS attack. LayerZero's postmortem stated that their protocol functioned as intended, but Kelp's claims suggest a deeper issue of accountability and security standards within the ecosystem. The transition of rsETH to Chainlink may indicate a shift in trust among developers in the cross-chain interoperability landscape, as security concerns continue to mount.

Kelp's memo highlights the problematic nature of LayerZero's approval process, asserting that during eight integration discussions over 2.5 years, officials from LayerZero did not express any concerns regarding the 1-of-1 verifier setup. This absence of caution raises alarms about the due diligence practices within LayerZero, especially in light of the fact that the approved configuration was ultimately exploited in a high-stakes attack.

The screenshots included in the memo further detail the communication between Kelp and LayerZero, with one notable exchange indicating a level of comfort with the defaults being used. Kelp claims that LayerZero personnel explicitly stated, "No problem on using defaults either," thereby implying that the 1-of-1 setup was an acceptable configuration. This statement, along with others, forms the crux of Kelp's argument that LayerZero personnel not only approved the 1-of-1 setup but also contributed to the risk that culminated in the exploit.

LayerZero's bug bounty framework, which explicitly excludes impacts arising from misconfigurations made by applications, raises additional questions about accountability. If a protocol’s own recommendations are not enforced or properly communicated, how can developers be expected to secure their applications effectively? Kelp’s decision to migrate to Chainlink’s CCIP is not just a precautionary measure but a significant statement about the perceived reliability of LayerZero's infrastructure and security protocols.

The exploit drained 116,500 rsETH, translating to approximately $292 million, illustrating the severe financial impact on Kelp. Moreover, the attackers executed additional forged transactions, exceeding $100 million, which were signed and processed by the LayerZero Labs DVN before Kelp paused its contracts. This sequence of events raises the specter of not just a single exploit but a systemic vulnerability within the LayerZero ecosystem, which Kelp argues could potentially affect a large portion of the contracts utilizing a similar setup.

The North Korean Lazarus Group, known for its sophisticated cyber-attacks, is suspected to have been behind this exploit. By compromising two RPC nodes and executing a DDoS attack against the uncompromised nodes, the attackers were able to force a failover to the poisoned nodes. LayerZero confirmed that the DVN then processed unauthorized transactions that had never occurred on the source chain, showcasing a clear failure in the verification process that should have prevented such an exploitation scenario.
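The two weaknesses the article describes, a 1-of-1 verifier configuration and a verifier that fails over to whichever RPC node is still reachable, can be modelled side by side. The following is an added illustration, not LayerZero's or Kelp's code; the DVN names, RPC nodes, message payloads and threshold rules are constructed assumptions that simplify the real protocol:

```python
"""Constructed model of DVN-based message verification: each DVN attests that a
message was emitted on the source chain, and the OApp's config decides how many
attestations are required. Names and thresholds are illustrative assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    nonce: int
    payload: str


@dataclass
class RpcNode:
    name: str
    events: frozenset       # messages this node reports as emitted on the source chain
    online: bool = True     # False models a node knocked offline by DDoS


class Dvn:
    """A verifier that forms its view of the source chain from RPC nodes."""
    def __init__(self, name, rpcs, rpc_quorum=1):
        self.name, self.rpcs, self.rpc_quorum = name, rpcs, rpc_quorum

    def attests(self, msg):
        # Offline nodes cast no vote. With rpc_quorum=1 a single online node
        # (whatever failover lands on) decides, which is the weak setting.
        votes = sum(1 for n in self.rpcs if n.online and msg in n.events)
        return votes >= self.rpc_quorum


@dataclass
class DvnConfig:
    required: list              # every one of these must attest
    optional: tuple = ()
    optional_threshold: int = 0


def verified(msg, cfg):
    """Destination-side check: all required DVNs agree and enough optional ones do."""
    if not all(d.attests(msg) for d in cfg.required):
        return False
    return sum(d.attests(msg) for d in cfg.optional) >= cfg.optional_threshold


def run_scenario(single_dvn, rpc_quorum):
    """Return (real_msg_verified, forged_msg_verified) under the chosen config."""
    real = Msg(1, "unlock 10 rsETH")
    forged = Msg(2, "unlock 116500 rsETH")   # never emitted on the source chain
    honest, poisoned = frozenset({real}), frozenset({real, forged})
    # Constructed attacker position: two poisoned RPC nodes, honest ones DDoSed offline.
    nodes = [RpcNode("rpc-a", poisoned), RpcNode("rpc-b", poisoned),
             RpcNode("rpc-c", honest, online=False), RpcNode("rpc-d", honest, online=False)]
    cfg = DvnConfig(required=[Dvn("dvn-1", nodes, rpc_quorum)])
    if not single_dvn:   # add an independently operated DVN with its own honest RPC
        cfg.required.append(Dvn("dvn-2", [RpcNode("rpc-x", honest)]))
    return verified(real, cfg), verified(forged, cfg)
```

With a 1-of-1 DVN that fails over to any reachable node the forged message verifies; a second independent DVN rejects it, and an RPC quorum larger than the number of poisoned nodes fails closed under the DDoS, losing liveness but not safety.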

Kelp's allegations of substantial overlap in ADMINROLE addresses between LayerZero Labs DVN and other networks, such as Nethermind, further complicate the narrative surrounding the exploit. By pointing out ten overlapping addresses as of April 8, 2026, and five more on February 6, 2025, Kelp is questioning the integrity of LayerZero's administrative structure and the potential consequences of such overlaps.

LayerZero’s postmortem asserted that their protocol “functioned exactly as intended,” a statement that raises eyebrows given the magnitude of the exploit. Kelp's assertions that the monitoring capabilities of LayerZero were inadequate further underline a significant gap in the security framework of cross-chain protocols. The apparent disconnect between LayerZero’s operational claims and Kelp’s lived experience serves as a critical reminder of the challenges that exist in ensuring robust security across decentralized finance protocols.

The situation is exacerbated by the fact that Kelp had to flag the exploit to LayerZero, rather than the other way around. This reactive approach to security raises concerns about the proactive measures that LayerZero has in place to identify and mitigate threats. If developers are left to self-report security breaches, it may indicate a lack of comprehensive monitoring and alert systems designed to catch vulnerabilities before they are exploited.

Kelp's transition to Chainlink’s CCIP signifies a pivotal moment in the ongoing discussions around security in cross-chain interoperability. As more developers and projects reconsider their dependencies on LayerZero, the potential for a broader shift in the ecosystem looms large. With nearly 47% of active LayerZero OApp contracts reportedly utilizing a 1-of-1 DVN configuration, according to CoinGecko and Dune Analytics data, the implications of this exploit reach far beyond Kelp alone, potentially affecting a vast swath of the decentralized finance landscape.

This incident serves as a cautionary tale for both developers and investors in the decentralized finance ecosystem. As attackers adapt and evolve their tactics, the necessity for robust security measures becomes more critical than ever. Kelp's experience illustrates the precariousness of cross-chain protocols, highlighting the need for clear communication and stringent security standards between protocols and their applications. The ongoing developments in this situation could have lasting implications for how cross-chain protocols are designed, monitored, and audited in the future, thereby shaping the landscape of decentralized finance as a whole.
