LayerZero Admits Mistake in $292 Million Kelp DAO Exploit

• LayerZero issued a public apology on Friday, conceding it should not have allowed its own verifier to secure high-value transactions tied to the $292 million Kelp DAO bridge hack on April 18.
• The protocol attributed the exploit to North Korea’s Lazarus Group, which compromised LayerZero’s internal RPC nodes and launched a DDoS attack to redirect verifier traffic to poisoned infrastructure.
• The reversal arrives as Kelp DAO migrates its rsETH bridge to Chainlink’s CCIP, with Solv Protocol moving more than $700 million in tokenized bitcoin infrastructure off LayerZero.

LayerZero said on Friday that it “made a mistake” by allowing its decentralized verifier network to secure high-value cross-chain transactions in a vulnerable single-verifier configuration, conceding partial responsibility for the $292 million Kelp DAO exploit on April 18. The admission ends three weeks of the cross-chain messaging firm publicly blaming Kelp DAO for the hack.

The reversal follows sustained pressure from Kelp, security researchers, and competing infrastructure providers. LayerZero’s first incident report on April 20 had argued the protocol “functioned exactly as intended” and pinned the breach on Kelp’s choice to run a 1-of-1 verifier setup.

Kelp DAO disputed that account on May 5, sharing screenshots it said showed LayerZero personnel signing off on the configuration during integration discussions.

“We believe developers should choose their own security configurations, but we made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions,” LayerZero said. “We didn’t police what our DVN was securing, which created a risk we simply didn’t see.”

The exploit drained 116,500 rsETH from Kelp’s LayerZero-powered bridge and was attributed to North Korea’s Lazarus Group, specifically its TraderTraitor subunit. According to LayerZero’s incident report, attackers compromised two of the internal RPC nodes that the LayerZero Labs verifier relied on to read source-chain state. They then launched a DDoS attack against external RPC providers, forcing a failover to the poisoned infrastructure. The verifier attested to a fraudulent burn that never occurred on the source chain, releasing roughly $292 million in unbacked rsETH on Ethereum.

LayerZero outlined a series of changes in response. The LayerZero Labs DVN no longer services 1/1 configurations. Default settings on all pathways are migrating to a 5/5 setup where possible, with a 3/3 floor on chains that have only three DVNs available. The company also said it plans to raise its OneSig multisig threshold from 3-of-5 to 7-of-10 across all supported chains. It is building a second DVN client written in Rust for client diversity.

They also disclosed that a previously unreported operational security incident occurred roughly three and a half years ago. One of LayerZero’s multisig signers used a production hardware wallet to execute a personal trade. The company said they later replaced the signer and rotated the wallets.

Kelp has already migrated its rsETH bridge to Chainlink’s Cross-Chain Interoperability Protocol (CCIP). Solv Protocol said this week it is moving more than $700 million in tokenized bitcoin infrastructure off LayerZero following a fresh security review. A Dune Analytics review cited by Kelp found that 47% of active LayerZero OApp contracts were running the same 1-of-1 DVN configuration at the time of the attack. More than $4.5 billion in associated market value was exposed to the same class of risk, according to that data.

LayerZero said the exploit affected a single application. It represents roughly 0.14% of total applications on the network and 0.36% of the value of assets using the protocol. More than $9 billion has moved across LayerZero since April 19, the company added. Whether the apology slows further migrations remains the open question for issuers weighing where to anchor cross-chain rails.

Editorial Note: This news article has been written with assistance from AI. Edited & fact-checked by the Editorial Team.

Interested in advertising with CIM? Talk to us!