Kelp DAO Points Finger at LayerZero After $292M Bridge Exploit, Switches to Chainlink

Table of Contents A major security incident struck Kelp DAO on April 18, resulting in the loss of approximately $292 million when malicious actors successfully siphoned 116,500 rsETH tokens through the protocol’s LayerZero-integrated bridge infrastructure. After the recent LayerZero exploit, we are taking steps to ensure rsETH is fully secure, which is why we are migrating to @chainlink CCIP. From the April 18 incident, it is clear that LayerZero's own infrastructure was exploited, resulting in $300M in losses across DeFi.… https://t.co/beIrfZZLlh — Kelp (@KelpDAO) May 5, 2026 Following the initial theft, the perpetrators deployed the stolen tokens as collateral within Aave v3, enabling them to extract wrapped Ether. Before Kelp could freeze its smart contracts, two fraudulent transactions exceeding $100 million in combined value were successfully executed. LayerZero attributed the attack to North Korea’s notorious Lazarus Group. According to reports, the threat actors obtained the registry of RPC nodes operated by the LayerZero Labs DVN, successfully infiltrated two servers, and replaced their operational software. Subsequently, they orchestrated a distributed denial-of-service (DDoS) assault on the uncompromised nodes, redirecting network traffic to the corrupted infrastructure. The manipulated DVN then validated fraudulent transactions that never legitimately took place on the blockchain. The security incident has ignited a contentious public confrontation between Kelp DAO and LayerZero regarding accountability for the exploited vulnerability. In LayerZero’s April 19 incident analysis, the platform stated the breach occurred due to Kelp’s bridge operating with a solitary decentralized verifier network (DVN) instead of deploying multiple independent verification layers. LayerZero characterized this as a configuration that “directly contradicts” its security recommendations. Kelp DAO issued a rebuttal on Tuesday, releasing documentation asserting that LayerZero staff evaluated its technical configuration throughout 2.5 years spanning eight separate integration consultations, never raising concerns about the single-verifier architecture. Kelp provided screenshots of Telegram communications purportedly demonstrating a LayerZero representative accepting the configuration without raising objections. CoinDesk was unable to authenticate these screenshots independently. Kelp further referenced Dune Analytics intelligence indicating that 47% of approximately 2,665 operational LayerZero contracts employed an identical 1-of-1 DVN architecture during a 90-day period concluding around April 22. These contracts collectively represented over $4.5 billion in associated market capitalization. Sujith Somraaj, a security analyst and former LayerZero auditor, disclosed that he had previously submitted a vulnerability report detailing the identical attack methodology prior to the exploit. According to Somraaj, LayerZero dismissed his submission. LayerZero CEO Bryan Pellegrino responded on X, characterizing numerous claims from Kelp as “just completely untrue.” Pellegrino stated that Kelp initially deployed the recommended multi-DVN default configuration and subsequently manually reconfigured it to the 1-of-1 setup. He indicated that comprehensive postmortem documentation from independent security organizations would be released imminently. In an official statement, a LayerZero representative confirmed that protocol defaults throughout nearly all operational pathways utilize multi-DVN architecture. The representative explained that where 1-of-1 configurations appear in development templates, they reference a “DeadDVN” that blocks messages and requires developers to implement proper configuration before production deployment. LayerZero further declared it would discontinue message signing for any application operating with a 1-of-1 configuration—a policy implemented immediately following the security breach. Kelp asserts that its internal team independently identified and reported the vulnerability to LayerZero, contrary to LayerZero’s version of events. Kelp is presently transitioning rsETH from LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard through its Cross-Chain Interoperability Protocol. According to current technical documentation, on at least two integrated blockchain networks—Dinari and Skale—the LayerZero Labs DVN continues to function as the sole designated attestor.