Kelp DAO has publicly accused LayerZero of approving the 1-of-1 verifier configuration that enabled a $292 million bridge exploit, even as the DeFi lending protocol announces a complete migration to Chainlink’s cross-chain infrastructure. The claims, made in a detailed memo titled “Setting the Record Straight Around the LayerZero Bridge Hack,” directly contradict LayerZero’s own postmortem, which blamed Kelp’s single-verifier setup, calling it a misconfiguration that “directly contradicts” its recommended multi-Decentralized Verifier Network (DVN) model.
According to Kelp, LayerZero personnel reviewed its configurations for over 2.5 years across eight integration discussions without raising any warnings about the security risk. The memo includes screenshots of Telegram exchanges, including one where a LayerZero team member said: “No problem on using defaults either — just tagging [redacted] here since he mentioned you may have wanted to use a custom DVN setup for verifying messages, but will leave that to your team!” Kelp asserts that these “defaults” were exactly the 1-of-1 LayerZero Labs DVN setup that ultimately allowed the attack. The exploit, attributed to North Korea’s Lazarus Group, drained 116,500 rsETH worth roughly $292 million from Kelp’s LayerZero-powered bridge. Two additional forged transactions totaling over $100 million were signed by the LayerZero Labs DVN before the protocol paused its contracts.
Kelp further points to LayerZero’s bug bounty scope, OFT Quickstart, and developer examples as evidence that the single-DVN configuration was treated as a standard application-level choice. A prior LayerZero auditor, Sujith Somraaj, claimed he submitted a bug bounty report describing the same attack pattern, which LayerZero rejected. Data from Dune Analytics showed that 47% of about 2,665 active LayerZero OApp contracts were running a 1-of-1 DVN configuration, exposing over $4.5 billion in market value to similar risk.
In response, Kelp is moving rsETH off LayerZero to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) and adopting Chainlink’s Cross-Chain Token (CCT) standard. A Chainlink representative noted this makes Kelp the first major protocol to leave LayerZero since the exploit. Chainlink’s decentralized oracle networks require at least 16 independent node operators to validate cross-chain transactions, directly addressing the architectural vulnerability at the heart of the hack. LayerZero, which contributed 10,000 ETH to the DeFi United effort aimed at restoring rsETH’s backing, has announced it will no longer sign messages for single-verifier setups—a policy change enforced after the incident.