After a $300 million hack on April 18, 2026, KelpDAO disputed LayerZero Labs’ explanation of what happened, claiming the bridge provider was trying to avoid responsibility for problems with its own system.
-
Key Takeaways:
- Lazarus Group stole $300 million in rsETH on April 18 after breaching Layerzero’s core infrastructure.
- Over 47% of Layerzero OApps used the 1-1 DVN setup that the provider previously verified as secure.
- KelpDAO is migrating rsETH to Chainlink CCIP and the CCT standard to enhance cross-chain security.
The Dispute Over Network Configuration
KelpDAO has issued a blistering response to Layerzero Labs following an April 18 exploit that drained more than $300 million in DeFi assets, primarily in the form of rsETH. In a public statement that contradicts Layerzero’s official post-mortem, KelpDAO alleges the bridge provider is “blaming users” for a systemic failure in its own core infrastructure.
The exploit, which has been linked with high confidence to the Lazarus Group, resulted in the fraudulent minting and release of assets. While KelpDAO managed to block an additional $100 million in forged transactions by pausing contracts, the fallout has triggered a massive shift in the DeFi landscape. KelpDAO subsequently announced an immediate migration to Chainlink CCIP.
The main disagreement revolves around what caused the security breach. LayerZero claims it was a configuration problem with KelpDAO, pointing to Kelp’s use of a specific verification system where LayerZero Labs was the only validator. KelpDAO disputes this, highlighting data analysis showing that a significant number of LayerZero applications – over 1,200 – use the same potentially vulnerable verification setup.
Kelp highlights that Layerzero’s official instructions and standard templates suggest a specific configuration where Layerzero Labs is the only necessary Data Verification Network (DVN). They also shared screenshots of Telegram chats allegedly showing Layerzero team members repeatedly telling Kelp that this default setup was acceptable during discussions spanning two years.
In a post on X setting the record straight, Kelp broke down what Layerzero admits to and what it conveniently ignores in its post-mortem. According to the post, Layerzero admitted that attackers gained access to the list of RPCs its DVN uses and confirmed that two independent nodes were compromised and binaries were swapped. Furthermore, Kelp cites Layerzero’s banning of 1-1 configurations after the $300 million loss as another form of admission.
Kelp argues the official review of the incident overlooked the fact that Layerzero’s own guides led developers to use a risky configuration that was exploited. Furthermore, the review doesn’t address why Layerzero’s security systems didn’t catch the hack, meaning Kelp had to identify the problem instead.
KelpDAO stated that LayerZero incorrectly blamed its users for a problem that actually stemmed from a failure within LayerZero’s own systems.
To support its conclusion, Kelp cited independent reviews that surfaced several critical vulnerabilities allegedly present at the time of the attack. These include findings that the default deployment exposed public gateways stripped of common security measures like WAF or IP allowlists. A review by Chainalysis determined that Layerzero set a low 1-1 RPC quorum default, meaning if one node was poisoned, the DVN signed the forged message without cross-checking others.
Kelp is moving its rsETH token from Layerzero’s technology to Chainlink’s, signaling a lack of trust in Layerzero.
“Our number-one priority remains the security of our users’ assets,” KelpDAO noted, citing Chainlink’s seven-year track record and its secure decentralized oracle network.
Read More
- ETC PREDICTION. ETC cryptocurrency
- Gold Rate Forecast
- Brent Oil Forecast
- EUR CNY PREDICTION
- ONDO PREDICTION. ONDO cryptocurrency
- XRP EUR PREDICTION. XRP cryptocurrency
- GBP CHF PREDICTION
- IP/USD
- UAE’s AI Dream: 50% Government by 2025?
- Quantum Quandary: A BTC Bounty for Breaking the Unbreakable
2026-05-06 19:27