KelpDAO is blaming LayerZero for a $292 million exploit and plans to relaunch with a redesigned cross-chain system on Chainlink, the group announced on X on Tuesday.
“From the April 18 incident, it is clear that LayerZero's own infrastructure was exploited, resulting in $300M in losses across DeFi,” Kelp DAO wrote on X. “Independent reports from SEAL 911, Chainalysis, and other major leading security researchers all point to the same origin.”
In April, an attack drained about 116,500 rsETH—an Ethereum-based staking token—from a cross-chain bridge used by Kelp, a protocol that lets users stake Ethereum and move tokens between blockchains. The exploit has been linked to North Korea’s Lazarus Group.
In a separate post on X, Kelp said LayerZero personnel approved the configuration tied to the exploit and did not warn that it posed a security risk. The setup, known as a 1-of-1 verifier, relies on a single entity to validate cross-chain transactions.
Kelp said the attack stemmed from a breach of LayerZero’s infrastructure, where attackers compromised the verifier network’s RPC nodes and forced the system to rely on tampered data, allowing fake transactions to be approved.
“After the exploit, LayerZero announced it would no longer sign or attest messages for any application using a 1-1 DVN configuration,” Kelp wrote. “That policy shift, made after hundreds of millions of dollars were exploited, confirms that this was a widely used LayerZero configuration that LayerZero Labs only changed after it failed.”
In an April statement, LayerZero disputed that account, saying the exploit was isolated to Kelp’s rsETH application and resulted from its use of a single-verifier setup that went against the company’s recommended multi-verifier model.
“That framing does not match the facts,” Kelp DAO wrote. “It is a matter of public domain that this 1-1 setup was not unique to Kelp.”
According to Kelp, it followed LayerZero’s documentation and default configurations. The company also said the setup was widely used across the ecosystem, pointing to data showing a large share of applications relied on similar configurations.
Kelp said it is moving its rsETH system to Chainlink’s cross-chain interoperability protocol, where transactions must be approved by multiple independent validators instead of a single verifier.
"We're committed to working with the KelpDAO team on improving the cross-chain security of rsETH and supporting their migration to Chainlink CCIP," Chainlink Chief Business Officer Johann Eid told Decrypt. "We have long believed that in order for DeFi to reach its full potential of bringing trillions onchain, the ecosystem needs to be underpinned by highly secure infrastructure."
The impact of the exploit of Kelp has extended beyond the technical dispute. About $71 million in crypto linked to the exploit was frozen on the Arbitrum network, triggering a legal fight in a New York federal court.
“There are questions that the ecosystem deserves answers to,” Kelp DAO wrote. “And we are ensuring rsETH is secured by infrastructure that doesn't leave these questions open.”
LayerZero did not immediately respond to a request for comment by Decrypt.
