TLDR
- A devastating breach on April 18 resulted in Kelp DAO losing $292 million through its LayerZero-integrated bridge
- The attackers extracted 116,500 rsETH tokens, subsequently deploying them as collateral on Aave v3 for wrapped Ether loans
- According to Kelp, LayerZero gave approval for the single-verifier configuration that facilitated the attack
- LayerZero refutes these allegations, asserting Kelp independently switched from a multi-DVN structure to a 1-of-1 setup
- The protocol is transitioning rsETH to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) infrastructure
DeFi protocol Kelp DAO suffered a catastrophic security breach on April 18, resulting in approximately $292 million in losses when malicious actors siphoned 116,500 rsETH tokens through its LayerZero-integrated bridge system.
Following the initial theft, the perpetrators leveraged the stolen tokens as collateral within Aave v3’s lending platform to secure wrapped Ether loans. The attackers managed to execute two additional fraudulent transactions exceeding $100 million in total value before Kelp DAO implemented emergency contract freezes.
LayerZero attributed the assault to North Korea’s notorious Lazarus Group. According to reports, the hackers obtained access to the RPC node registry utilized by the LayerZero Labs DVN, successfully infiltrating two nodes and replacing their operational software.
The attackers subsequently initiated a distributed denial-of-service (DDoS) campaign targeting the uncompromised nodes, redirecting network traffic toward the corrupted infrastructure. The hijacked DVN then validated fraudulent transactions that never legitimately occurred on the blockchain.
This security incident has ignited an intense public confrontation between Kelp DAO and LayerZero concerning accountability for the exploitable weakness.
The DVN Configuration Dispute
In LayerZero’s April 19 incident analysis, the company stated the vulnerability existed because Kelp’s bridge infrastructure relied on a solitary decentralized verifier network (DVN) instead of implementing multiple independent verification layers. LayerZero characterized this configuration as being in “direct contradiction” to its recommended security protocols.
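To make the configuration question concrete, here is an added example (not code from Kelp, LayerZero or the original article) that audits verifier setups for a single point of failure. It goes slightly beyond the 1-of-1 case by also counting distinct operators, since two verifiers run by one party are not independent. The data model, field names, verifier ids and operator ids are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class VerifierConfig:
    """Hypothetical model of one bridge route's verifier set (not LayerZero's schema)."""
    name: str
    required: tuple              # verifiers that must ALL attest
    optional: tuple = ()         # additional verifiers
    optional_threshold: int = 0  # how many optional verifiers must attest

def accepts(cfg, attesting):
    """True if this set of attesting verifiers is enough to deliver a message."""
    attesting = set(attesting)
    if not set(cfg.required) <= attesting:
        return False
    return len(attesting & set(cfg.optional)) >= cfg.optional_threshold

def min_operators_to_forge(cfg, operator_of):
    """Fewest operators whose compromise gets a forged message accepted (None if unsatisfiable)."""
    verifiers = set(cfg.required) | set(cfg.optional)
    operators = sorted({operator_of[v] for v in verifiers})
    for k in range(len(operators) + 1):
        for subset in combinations(operators, k):
            controlled = {v for v in verifiers if operator_of[v] in subset}
            if accepts(cfg, controlled):
                return k
    return None

def audit(configs, operator_of):
    """Names of configs where compromising at most one operator is sufficient."""
    flagged = []
    for cfg in configs:
        needed = min_operators_to_forge(cfg, operator_of)
        if needed is not None and needed <= 1:
            flagged.append(cfg.name)
    return flagged

# Constructed sample data: verifier -> operator mapping and three routes.
OPERATOR_OF = {"dvn-1": "op-x", "dvn-2": "op-x", "dvn-3": "op-y", "dvn-4": "op-z"}
CONFIGS = [
    VerifierConfig("route-a", required=("dvn-1",)),            # 1-of-1
    VerifierConfig("route-b", required=("dvn-1", "dvn-2")),    # two verifiers, one operator
    VerifierConfig("route-c", ("dvn-1",), ("dvn-3", "dvn-4"), 1),  # needs two operators
]
print(audit(CONFIGS, OPERATOR_OF))
```

The audit flags both the 1-of-1 route and the two-verifier route whose verifiers share an operator; only the route that needs attestations from two different operators passes.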
Kelp DAO issued a forceful rebuttal on Tuesday. The protocol published a detailed statement asserting that LayerZero representatives examined its infrastructure configuration over 2.5 years and across eight separate integration consultations, never once identifying the single-verifier architecture as a security concern.
Kelp provided screenshots from Telegram conversations allegedly demonstrating a LayerZero team member reviewing the configuration without raising objections. CoinDesk was unable to independently authenticate these screenshots.
Kelp additionally referenced Dune Analytics information revealing that 47% of approximately 2,665 operational LayerZero contracts employed an identical 1-of-1 DVN configuration during a 90-day period concluding around April 22. This collection of contracts represented over $4.5 billion in combined market capitalization.
Security specialist Sujith Somraaj, who previously conducted audits for LayerZero, disclosed that he had filed a bug bounty submission detailing the identical attack methodology prior to the actual breach. According to Somraaj, LayerZero dismissed his report.
LayerZero Denies the Claims
LayerZero Chief Executive Bryan Pellegrino stated on X that numerous assertions made by Kelp were “just completely untrue.”
Pellegrino maintained that Kelp initially implemented the recommended multi-DVN default configuration before subsequently making manual modifications to establish a 1-of-1 arrangement. He indicated that comprehensive incident reports from independent security organizations would be released imminently.
In an official written response, a LayerZero representative clarified that protocol defaults throughout virtually all integration pathways utilize multi-DVN configurations. The representative explained that instances where 1-of-1 configurations appear in templates reference a “DeadDVN” mechanism that automatically rejects messages and instructs developers to establish proper configurations before deployment.
LayerZero further declared it would discontinue message signing services for any application operating with a 1-of-1 configuration, implementing this policy immediately following the security incident.
Kelp asserts that its internal security team independently identified and reported the vulnerability to LayerZero, contradicting any suggestion that LayerZero discovered the issue first.
Kelp is currently transitioning rsETH from LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard through its Cross-Chain Interoperability Protocol. According to current technical documentation, the LayerZero Labs DVN continues to function as the sole designated attestor on at least two integrated blockchain networks, specifically Dinari and Skale.


