LayerZero is dealing with heavy criticism for its response to the latest $290 million KelpDAO exploit after the omnichain interoperability protocol blamed Kelp’s 1-of-1 verifier configuration for the incident.
Associated Studying
LayerZero Blames KelpDAO For $290M Exploit
Over the weekend, liquid restaking protocol KelpDAO was the sufferer of an assault that drained over $290 million in rsETH from the undertaking after malicious actors exploited a weak spot within the protocol’s LayerZero-powered bridge.
Two days later, LayerZero addressed the incident, which grew to become the biggest DeFi hack of 2026, simply weeks after Drift Protocol’s $285 million exploit shocked the business.
LayerZero attributed the “highly sophisticated attack” to North Korea’s Lazarus Group, claiming that it was a crypto infrastructure assault quite than a protocol exploit, and affirming that “there is zero contagion to any other cross-chain assets or applications.”
They defined that the protocol is constructed on a “foundation of modular, application-configurable security,” utilizing Decentralized Verifier Networks (DVNs), unbiased entities accountable for verifying the integrity of cross-chain messages.
The malicious actors allegedly poisoned downstream RPC infrastructure by “compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions.”
Per the submit, the attackers swapped binaries for a customized payload to forge messages and used DDoS assaults to pressure failover to the poisoned nodes, triggering the DVN into confirming faux transactions.
Based mostly on this, LayerZero positioned duty on KelpDAO for utilizing a 1-of-1 verifier configuration as a substitute of the multi-DVN suggestions: “This incident was isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.”
Crypto Community Criticizes ‘Lack Of Accountability’
The crypto group reacted to the autopsy, sharing its issues about LayerZero’s response and criticizing the protocol for putting all duty solely on Kelp’s safety setup.
“Imagine building a bridge and vehicles pays to cross, the bridge collapsed and you said it’s their fault for crossing the bridge. A classic clownery act from Bunch of clowns with zero accountability,” X consumer Saint wrote.
Others questioned why LayerZero included a “1-of-1” configuration if the aim of a DVN is customizable/modular safety. “If the system allows this option, it’s not the fault of the customer who chose it—it’s a fundamental design flaw by the system that permitted it,” consumer Ditto wrote.
“At the end of the day, the fact remains that the DVN RPC was compromised. DVN is a LayerZero product, and they are the ones who sold it to these teams,” he continued.
Equally, Chainlink group supervisor Zach Rynes accused the protocol of deflecting duty for the compromise of their very own DVN node.
He additionally criticized them for “throwing KelpDAO under the bus” for trusting LayerZero Labs’ setup that they “willingly support and only blocked after getting hacked, all while claiming everything worked as designed.”
In the meantime, Yearn Finance core workforce developer Artem Okay famous on X that the assault was described as a compromise of an RPC node and RPC poisoning, however that their very own infrastructure is what was compromised. “Given it doesn’t say how the breach has occurred, I wouldn’t rush re-enabling the bridges,” he added.
Unsuitable Prognosis, Unsuitable Repair?
Analyst The Good Ape additionally claims that LayerZero made the unsuitable analysis and provided the unsuitable resolution. Notably, the protocol’s autopsy prompt migrating all functions with 1-of-1 DVN configurations to multi-DVN setups to stop comparable assaults.
Nonetheless, the analyst identified that multi-verifiers gained’t cease the following multi-million-dollar assault, asserting that they may fail as all DVNs learn chain states from the identical handful of RPC suppliers, that are largely clustered on AWS or GCP.
If 5 “independent” DVNs learn from the identical three RPC suppliers, an attacker who poisons these three RPCs will poison all 5 verifiers concurrently. “If all your verifiers get fooled in the same way at the same time, the math collapses back to 1-of-1. Five clones are not five witnesses,” he added.
Associated Studying
To unravel this, the analyst prompt that each verifier runs its personal full node on totally different shopper software program, hosted on totally different cloud suppliers, maintained by totally different ops groups, peered with totally different subsets of the Ethereum community.
“The fix isn’t multi-anything. The fix is that verifiers should attest to their own substrate, not just to chain state. until you can audit a DVN’s upstream topology, which RPC providers, which client software, which clouds, which regions, ‘M-of-N secured’ is marketing copy for a property that hasn’t actually been built. Lazarus didn’t break cryptography on April 18. They broke three servers,” he concluded.
Featured Picture from Unsplash.com, Chart from TradingView.com
