LayerZero says it ‘made a mistake’ in $292 Million Kelp exploit

LayerZero said late Friday U.S. time that it “made a mistake” allowing its own verification infrastructure to secure high-value crypto assets in a vulnerable configuration, marking a notable shift in tone after weeks of blaming developer Kelp DAO for a $292 million hack tied to North Korean attackers.

The admission marks a notable shift after weeks of public finger-pointing between LayerZero and Kelp over responsibility for the April hack, which LayerZero had initially framed as an application-level configuration failure by Kelp.

“First things first: an overdue apology,” LayerZero wrote in a blog published Friday.

LayerZero initially blamed Kelp, arguing the protocol had chosen a risky “1-of-1” configuration in which only a single decentralized verifier network, or DVN, needed to approve cross-chain transfers, creating a single point of failure. A DVN is part of the infrastructure that verifies whether a transaction moving assets between blockchains is legitimate.

“We made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions,” the company said. “We didn't police what our DVN was securing, which created a risk we simply didn't see. We own that.”

To counter this, LayerZero Labs said its DVN will no longer service 1/1 DVN configurations. Additionally, "all defaults on all pathways are being migrated to 5/5 where possible and no less than 3/3 on any chain where only 3 DVNs are available," the blog said.

Cross-chain bridges act like digital transfer rails between otherwise separate blockchain networks, but have long been among crypto’s most vulnerable pieces of infrastructure.

LayerZero maintained that its underlying protocol was not compromised and reiterated that developers are ultimately responsible for configuring their own security assumptions.

“The LayerZero protocol remained unaffected,” the company said, attributing the exploit to an attack on internal RPC infrastructure used by the LayerZero Labs DVN, while external RPC providers were simultaneously hit with distributed denial-of-service attacks.

Additionally, Layer Zero said that three and a half years ago, one of its signers on our multisig used their multisig hardware wallet to perform a personal trade, intending to use their own personal hardware wallet. It is taking action against such moves and said, "This is obviously not ok."

"This signer was removed from the multisig, wallets rotated, and we’ve since updated our security practices around signing devices, added localized anomaly detection software on each device, and created a custom-built multisig called OneSig."

Competitors, including Chainlink, are using the fallout to win business from protocols rethinking their security providers.

Kelp has already moved its rsETH bridge to Chainlink’s competing Cross-Chain Interoperability Protocol, while Solv Protocol said this week it is migrating more than $700 million in tokenized bitcoin infrastructure away from LayerZero following a fresh security review.