LayerZero has issued a public apology regarding its handling of the aftermath of the April 18 hack, which resulted in approximately $292 million worth of rsETH being withdrawn from the Kelp DAO cross-chain bridge. This move indicates a significant shift in LayerZero's tone compared to its previous statement that its system "worked as designed."
In the blog post (published on their blog and Chia on X), LayerZero admitted to poor communication over the past few weeks. The company said they focused too much on writing a full report, but should have been upfront and clear from the start.
Regarding the cause, LayerZero stated that a portion of the data infrastructure used by their verification network was infiltrated by the Lazarus hacker group (North Korea). Specifically, internal "RPC nodes" had their data falsified. Simultaneously, the hackers launched DDoS attacks against external RPC providers, forcing the verification system to rely more heavily on the compromised data – and thus "signing" transactions that never actually occurred. LayerZero had previously attributed the incident to a Lazarus branch called TraderTraitor.
The most notable point in this statement is LayerZero's public acknowledgment of responsibility, something they previously avoided: they shouldn't have allowed DVN (LayerZero's decentralized verification network) to be the "sole validator" for high-value transactions. LayerZero says they believe projects should choose their own security configurations, but admits they were wrong to let their DVN operate on a "one-to-one" basis (only one party verifying) in high-risk situations. In other words, they didn't adequately monitor what their DVN was protecting, creating a "vulnerability" they didn't recognize.
This admission contradicts LayerZero's initial message, when they almost blamed Kelp DAO for choosing a "one-party verification only" configuration, arguing that it was a counterproductive choice.
Kelp DAO later countered, stating that LayerZero's own documentation and initial guides showed that one- Capital verification was the default setting when the project integrated. Kelp also cited an analysis on Dune showing that at the time of the attack, approximately 47% of the nearly 2,665 applications (OApps) running on LayerZero were using the same configuration.
LayerZero stated that the incident affected only one application, representing approximately 0.14% of all applications on the network and about 0.36% of the total value of assets passing through LayerZero. The company also said that since April 19th, more than $9 billion has continued to be transferred through the protocol.
The article LayerZero issues public apology after reaction to Kelp DAO hack first appeared on CoinMoi .
