Kelp DAO claims LayerZero approved its 1-of-1 verifier setup, which led to a $292 million hack. LayerZero disputes this, stating the setup contradicted their security recommendations.
Mentioned in this story
Kelp DAO claims that LayerZero personnel approved the 1-of-1 verifier setup, a decision LayerZero has since cited as the reason a North Korea-linked attacker drained roughly $292 million from Kelp's rsETH bridge.
The claim runs counter to LayerZero's April 19 postmortem, which said Kelp's rsETH application relied on LayerZero Labs as its sole verifier and that the setup "directly contradicts" LayerZero's recommended multi-DVN model.
Kelp's memo says LayerZero personnel reviewed its configurations for over 2.5 years and in eight integration discussions, without warning that a 1-of-1 setup posed a material security risk.
The memo, titled “Setting the Record Straight Around the LayerZero Bridge Hack,” includes screenshots of Telegram exchanges that document LayerZero’s awareness and lack of objection to Kelp’s verifier setup.
One screenshot shows a LayerZero team member saying: “No problem on using defaults either — just tagging [redacted] here since he mentioned you may have wanted to use a custom DVN setup for verifying messages, but will leave that to your team!” Kelp says the “defaults” referenced in the exchange were the 1-of-1 LayerZero Labs DVN configuration later cited by LayerZero as the application-level setup that enabled the exploit.
CoinDesk could not independently authenticate the screenshot.
Kelp also points to LayerZero's bug bounty scope, OFT Quickstart and developer examples as evidence that LayerZero treated verifier-network choices as application-level configuration while showing builders a one-DVN setup.
LayerZero's published bug bounty scope on Immunefi excludes from rewards "impacts to OApps themselves as a result of their own misconfiguration," including verifier networks and executors.
The LayerZero OFT Quickstart and the official OFT example configuration on GitHub show LayerZero Labs as the required DVN, with no optional DVN set.
Kelp's memo cites an April 19 post from Spearbit security researcher Sujith Somraaj, in which Somraaj said he had submitted a bug bounty report describing the same attack pattern and that LayerZero rejected it.
The hack was attributed to Kelp's use of a 1-of-1 verifier setup, which LayerZero claims contradicted their recommended security practices.
LayerZero personnel reviewed Kelp's configurations for over 2.5 years during eight integration discussions.
Kelp's memo includes screenshots of Telegram exchanges showing LayerZero's awareness and lack of objection to the 1-of-1 verifier setup.
LayerZero states that Kelp's application relied solely on their verifier, which they claim directly contradicts their recommended multi-DVN model.
Cloudflare's Chief Strategy Officer, Stephanie Cohen, stated that AI agents are disrupting traditional web economics by keeping users within automated workflows instead of directing them to original content. To address this, Cloudflare is developing x402, an open payments protocol to help websites manage automated traffic.
Anthropic's AI reveals software flaws; CEO warns of urgent cybersecurity risks.
Kraken is 80% ready for IPO and partners with MoneyGram to bridge crypto-to-cash gap.
State Street's head of digital assets emphasizes the need for improved blockchain security for institutions following recent DeFi attacks, including a $295 million exploit. He calls for clear interoperability and legal frameworks for tokenized assets.
A $737M inflow on Friday reverses a $619M outflow earlier in the week.
Drift Protocol outlines repayment plan for users after $295 million hack linked to North Korea.
See every story in Crypto — including breaking news and analysis.
"My bug bounty: not a vuln, requires all DVNs," Somraaj wrote on X. "Their deployment: removes the 'all' part. Hackers: collects $295M bounty instead." Somraaj is a prior LayerZero auditor, according to his Cantina profile.
Kelp also said it is moving rsETH off LayerZero to Chainlink's Cross-Chain Interoperability Protocol. The shift moves rsETH from LayerZero's OFT standard to Chainlink's Cross-Chain Token standard.
The exploit drained 116,500 rsETH, worth roughly $292 million, from Kelp's LayerZero-powered bridge. Two additional forged transactions totaling more than $100 million were signed and processed by the LayerZero Labs DVN before Kelp paused its contracts, the protocol said.
LayerZero said attackers are likely linked to North Korea's Lazarus Group, who accessed the list of RPCs used by the LayerZero Labs DVN, compromised two RPC nodes and swapped out the binaries running on them.
The attackers then launched a DDoS attack against uncompromised RPC nodes, forcing a failover to the poisoned ones. LayerZero said the DVN then confirmed transactions that had not occurred.
Kelp argues the 1-of-1 setup was widespread. CoinGecko, citing Dune Analytics data, said 47% of roughly 2,665 active LayerZero OApp contracts ran a 1-of-1 DVN configuration over a 90-day period ending around April 22, with more than $4.5 billion in associated market value exposed to the same class of risk.
LayerZero's postmortem said the protocol "functioned exactly as intended." The company said it would no longer sign messages for any application running a 1-of-1 configuration, a policy change that took effect after the hack.
Kelp alleges that its team had to flag the exploit to LayerZero rather than the other way around, raising questions about LayerZero's monitoring.
The memo also alleges substantial overlap in addresses granted ADMIN_ROLE on both the LayerZero Labs DVN and the Nethermind DVN, listing ten on April 8, 2026 and five additional on February 6, 2025. CoinDesk has not independently verified the onchain claim.
LayerZero did not respond to a request for comment by publication.
On at least two integrated chains, Dinari and Skale, the LayerZero Labs DVN is still listed as the only available attestor, according to the documentation.