In a significant turn of events in the crypto world, Kelp DAO is bracing for a confrontation with LayerZero over the aftermath of a recent $290 million exploit that struck its platform. Sources suggest that Kelp is preparing to contest the narrative put forth by LayerZero, the cross-chain messaging infrastructure involved in the incident, which seems to place blame squarely on Kelp for allegedly ignoring warnings about its single-verifier configuration.
Kelp operates as a liquid restaking protocol that processes user-deposited ether through EigenLayer, a yield-generating mechanism, and issues a receipt token, known as rsETH. LayerZero facilitates the cross-chain transfer of rsETH, employing decentralized verifier networks (DVNs) to validate transactions. However, on Saturday, attackers exploited vulnerabilities in LayerZero’s system, siphoning off 116,500 rsETH—equivalent to approximately $290 million—by compromising the very servers that LayerZero’s DVNs relied upon to authenticate cross-chain transfers.
A source close to Kelp contends that the attack was methodically orchestrated, labeling it a “sophisticated state-sponsored attack.” They argue that the compromised DVNs were part of LayerZero’s infrastructure and not external third-party verifiers. This claim pivots on the assertion that LayerZero’s servers were inundated with junk traffic, thereby forcing the verifier onto compromised servers that were vulnerable.
LayerZero had characterized Kelp’s choice of a “1/1 configuration”—where a single validator’s approval is sufficient to process a transaction—as a reckless deviation from their guidance, asserting that multiple validator configurations would have provided a safety net against such threats. However, Kelp’s representatives challenge this framing, asserting that LayerZero did not provide explicit recommendations for adjusting rsETH’s DVN configuration during their direct communications, which have been ongoing since July 2024.
The source further asserts that LayerZero’s own materials, including its quickstart guide and default codes, favor a 1/1 DVN setup, suggesting that the adoption of this configuration is not unusual, with 40% of protocols utilizing it. Kelp’s setup aligns with the example configurations found in LayerZero’s own V2 OApp Quickstart documentation.
Notably, Kelp’s core restaking contracts remained intact during the exploit; the breach was confined to the bridge layer of its infrastructure. The protocol’s emergency pause was activated 46 minutes post-attack, successfully blocking subsequent attempts that could have led to an additional $200 million loss in rsETH.
The community’s response has been critical, with leading security researchers and industry figures voicing skepticism regarding LayerZero’s portrayal of the incident. Artem K, a core developer from Yearn Finance, highlighted in his analysis that LayerZero’s default deployment settings universally adopt single-source verification across leading blockchain platforms, raising questions about the accountability and security ramifications of such a configuration.
Zach Rynes, a Chainlink community manager, bluntly accused LayerZero of shirking responsibility for the exploit, suggesting that the company was effectively “throwing Kelp under the bus” for trusting in a setup that LayerZero had itself supported. Amid the fallout, LayerZero has announced that it will cease signing messages for applications using a single-verifier setup, prompting a shift towards a multi-validator approach across the platform ecosystem.
As Kelp prepares to challenge LayerZero’s narrative, it underscores an urgent need for clarity and accountability in the rapidly evolving landscape of decentralized finance, where the stakes continue to rise in a space fraught with both opportunity and risk.
