Kelp DAO Points Finger at LayerZero After $292M Bridge Exploit, Switches to Chainlink

A devastating security breach struck DeFi platform Kelp DAO on April 18, resulting in the loss of approximately $292 million when malicious actors siphoned 116,500 rsETH tokens through its LayerZero-integrated bridge infrastructure.

Kelp (@KelpDAO), May 5, 2026: "After the recent LayerZero exploit, we are taking steps to ensure rsETH is fully secure, which is why we are migrating to @chainlink CCIP. From the April 18 incident, it is clear that LayerZero's own infrastructure was exploited, resulting in $300M in losses across DeFi.…" https://t.co/beIrfZZLlh

Following the initial theft, the perpetrators deployed these stolen tokens as collateral within Aave v3’s lending protocol to extract wrapped Ether. Before Kelp could freeze its smart contracts, the attackers successfully executed two additional fraudulent transactions exceeding $100 million in combined value.

LayerZero attributed the attack to the notorious Lazarus Group operating from North Korea. According to reports, the threat actors obtained access to the RPC node roster utilized by LayerZero Labs’ DVN, successfully infiltrated two nodes, and replaced their operational software with malicious code. The attackers subsequently initiated a distributed denial-of-service (DDoS) assault on the uncompromised nodes, redirecting network traffic toward the infected infrastructure. The hijacked DVN then validated fabricated transactions that never legitimately took place on the blockchain.

This security incident has ignited an intense public disagreement between Kelp DAO and LayerZero regarding accountability for the exploitable weakness. In LayerZero’s April 19 incident analysis, the company stated the vulnerability stemmed from Kelp’s bridge utilizing a solitary decentralized verifier network (DVN) instead of employing multiple independent verification sources. LayerZero characterized this approach as going “directly against” its security recommendations.

Kelp DAO countered these assertions on Tuesday with a detailed memorandum. The protocol claimed LayerZero staff examined its infrastructure configuration throughout 2.5 years across eight separate integration consultations, yet never identified the single-verifier architecture as presenting security concerns. Kelp provided screenshot evidence of Telegram communications allegedly demonstrating a LayerZero representative acknowledging the configuration without raising objections. CoinDesk was unable to authenticate these screenshots independently.

Kelp additionally referenced Dune Analytics intelligence indicating that 47% of approximately 2,665 operational LayerZero contracts employed an identical 1-of-1 DVN configuration during a 90-day period concluding around April 22. These contracts collectively represented over $4.5 billion in aggregate market capitalization.

Security analyst Sujith Somraaj, who previously conducted audits for LayerZero, disclosed that he had filed a bug bounty submission detailing the identical attack methodology prior to the incident. He stated LayerZero dismissed his findings.

LayerZero’s Chief Executive Bryan Pellegrino responded via X, characterizing numerous Kelp claims as “completely false.” Pellegrino maintained that Kelp initially deployed the recommended multi-DVN default configuration but subsequently modified it manually to establish a 1-of-1 setup. He promised that comprehensive incident analysis from independent security organizations would be released imminently.

A LayerZero representative stated in an official communication that protocol defaults throughout nearly all integration pathways implement multi-DVN architecture. The representative explained that instances where 1-of-1 configurations appear in template code reference a “DeadDVN” function designed to block messages and compel developers to establish proper configurations before deployment.

LayerZero further declared it would discontinue message signing for any application operating with a 1-of-1 configuration—a policy implemented immediately following the breach. Kelp maintains its internal security team discovered and reported the vulnerability to LayerZero, contradicting suggestions that LayerZero identified the issue first.

Kelp is currently transitioning rsETH away from LayerZero’s OFT standard toward Chainlink’s Cross-Chain Token standard utilizing its Cross-Chain Interoperability Protocol. Documentation indicates that on a minimum of two integrated blockchain networks—Dinari and Skale—the LayerZero Labs DVN continues to serve as the sole designated attestor.