Kelp DAO blames LayerZero infrastructure for the $292 million loss and has launched a $71 million lawsuit.
KelpDAO has publicly accused LayerZero of being responsible for the $292 million mining exploit that occurred in April, and announced it will redeploy its cross- chain system on the Chainlink platform, a decision made amid a technical dispute that has escalated into a $71 million federal lawsuit.
According to Kelp, the attack originated from malicious actors gaining control of RPC nodes in LayerZero's validation network, thereby forcing the system to rely on manipulated data and allowing fraudulent transactions to be approved. As a result, approximately 116,500 rsETH, Staking Token on Ethereum, were withdrawn from the chain bridge.
The exploitation is believed to be linked to North Korea's Lazarus Group. Kelp cites independent reports from SEAL 911, Chainalysis, and numerous security researchers to support the argument that LayerZero's own infrastructure, not Kelp's configuration, was the point of origin.
Controversy surrounding one-on-one authentication configurations.
The crux of the dispute is the setup known as a one-to-one validator, where only a single entity has the authority to validate all cross- chain transactions. Kelp claims this configuration was directly approved by LayerZero personnel without warnings about security risks, and cites data showing that a similar configuration is widely used across the LayerZero ecosystem, rather than being unique to his own.
Kelp also noted that following the exploit, LayerZero announced it would stop signing messages for any applications still using the DVN 1-1 configuration, a move Kelp considered indirect evidence of acknowledging the system vulnerability.
LayerZero countered, claiming the exploit was limited to Kelp's rsETH application and stemmed from Kelp's choice of a single authentication model, contrary to the company's recommendation of multiple authentication. However, LayerZero has not yet issued an official response to the latest allegations.
The legal implications of the case are becoming increasingly complex. Approximately $71 million worth of related cryptocurrency assets have been frozen on the Arbitrum network, triggering a lawsuit in New York federal court, bringing Capital disputes typically confined to the open-source space into the traditional justice system. This is a rare development in the DeFi industry, where most disputes remain handled internally or through decentralized governance mechanisms.
In response, Kelp said it is migrating its entire rsETH system to Chainlink 's Cross- Chain Interoperability Protocol (CCIP), where transactions must be approved by multiple independent validators. Johann Eid, Chainlink's Chief Business Officer, confirmed the commitment to supporting the transition and stressed that a robust security infrastructure is a prerequisite for DeFi to bring trillions of dollars worth of assets onto the chain.
Kelp's decision reflects a growing trend in the industry: after every major incident, trust is no longer placed in promises of security, but in independently verifiable system architecture.
