In a significant development within the decentralized finance (DeFi) landscape, KelpDAO has publicly criticized LayerZero Labs following a high-profile security breach on April 18 that resulted in the theft of over $300 million in DeFi assets, primarily rsETH. KelpDAO's response disputes LayerZero's post-mortem findings, arguing that the bridge provider is shifting blame for the incident onto users rather than acknowledging failures in its own infrastructure.
The attack, attributed to the notorious Lazarus Group, involved the fraudulent minting and release of digital assets. KelpDAO, meanwhile, was able to block an additional $100 million in fraudulent transactions by pausing its contracts swiftly after the exploit was detected.
Central to the dispute between KelpDAO and LayerZero is the cause of the breach. LayerZero's analysis characterized the incident as a "KelpDAO configuration issue," specifically pointing to Kelp's use of a 1-of-1 decentralized verifier network (DVN): a setup in which a single verifier is sufficient to attest to a cross-chain message, so that compromising that one verifier (or the data it relies on) is enough to have a fabricated message accepted on the destination chain. KelpDAO, however, emphasized that this setup is not unique to them; they cited Dune analytics indicating that 47% of LayerZero's OApp contracts, more than 1,200 applications, use the same 1-of-1 DVN configuration that LayerZero had previously described as secure.
The controversy deepened as KelpDAO pointed out that LayerZero's own OFT quickstart guide and default templates encouraged the 1-of-1 setup, leading them to question the provider's accountability. They published screenshots of conversations in which LayerZero team members assured Kelp, during multiple integration discussions over two years, that these default configurations were safe.
In a detailed response on X, KelpDAO outlined the discrepancies between what LayerZero conceded and what it omitted in its damage assessment. They reported that LayerZero acknowledged unauthorized access to the RPC list used by its DVN and confirmed that two independent nodes were compromised, allowing attackers to swap critical binaries. KelpDAO further argued that LayerZero's post-breach ban on 1-of-1 configurations is an implicit admission of a systemic flaw, given that the same configurations had been recommended in LayerZero's documentation.
KelpDAO decried the monitoring failures that allowed a breach of this size to go undetected, stating, "The simple truth: LayerZero blamed their users for an issue that was caused by their own infrastructure failure." They reinforced their argument with findings from independent security reviews that identified weaknesses in the deployment, including public gateways exposed without basic protections such as a Web Application Firewall (WAF) or IP allowlists. A Chainalysis review further found that a low default RPC quorum of 1-of-1 allowed the DVN to sign off on forged messages after consulting a single RPC source, without cross-verifying against other nodes.
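The two weaknesses described above, a single required DVN and a DVN that trusts a single RPC source, compound in the same way: each removes an independent party that would have to agree before a message is delivered. The following is an added, constructed simulation (not LayerZero's, KelpDAO's or Chainalysis's code, and not a model of LayerZero's actual message library) that shows why. A toy DVN attests to the hash of a cross-chain payload only if a quorum of its RPC endpoints report the same hash, and the destination accepts a payload only if every required DVN attested to it. The RPC endpoints, payloads, message ID and DVN names are all invented for the example. One compromised RPC endpoint is enough to get a forged mint through when the DVN has one RPC and the app requires one DVN; raising either quorum stops it.

```python
"""Toy model of DVN quorum vs. a compromised RPC source (constructed example)."""
import hashlib
from collections import Counter
from typing import List, Optional


def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


# Constructed data: what the source chain actually emitted for message 42,
# and what the attacker wants the destination chain to believe was emitted.
MSG_ID = 42
REAL_PAYLOAD = b"rsETH:mint:to=alice:amount=100"
FORGED_PAYLOAD = b"rsETH:mint:to=attacker:amount=300000000"


class RpcEndpoint:
    """A source-chain RPC node a DVN queries for the message it must verify.

    A compromised endpoint (attacker-controlled, or swapped into the DVN's
    RPC list) serves the forged event in place of the real one."""

    def __init__(self, name: str, compromised: bool = False):
        self.name = name
        self.compromised = compromised

    def payload_hash_for(self, msg_id: int) -> str:
        if msg_id != MSG_ID:
            raise KeyError(f"unknown message {msg_id}")
        return payload_hash(FORGED_PAYLOAD if self.compromised else REAL_PAYLOAD)


class Dvn:
    """A verifier node. It attests to a payload hash only when at least
    `rpc_quorum` of its RPC endpoints agree on that hash; otherwise it
    returns None and refuses to attest."""

    def __init__(self, name: str, rpcs: List[RpcEndpoint], rpc_quorum: int):
        if not 1 <= rpc_quorum <= len(rpcs):
            raise ValueError("rpc_quorum must be between 1 and the number of RPCs")
        self.name, self.rpcs, self.rpc_quorum = name, rpcs, rpc_quorum

    def attest(self, msg_id: int) -> Optional[str]:
        votes = Counter(rpc.payload_hash_for(msg_id) for rpc in self.rpcs)
        top_hash, top_count = votes.most_common(1)[0]
        return top_hash if top_count >= self.rpc_quorum else None


def destination_accepts(claimed_payload: bytes, msg_id: int,
                        required_dvns: List[Dvn]) -> bool:
    """Destination-side check: every required DVN must have attested to the
    hash of exactly the payload being delivered."""
    claimed = payload_hash(claimed_payload)
    return all(dvn.attest(msg_id) == claimed for dvn in required_dvns)


def forged_passes_1_of_1_single_rpc() -> bool:
    """The disputed default: one required DVN, reading one (compromised) RPC."""
    dvn = Dvn("dvn-a", [RpcEndpoint("rpc-1", compromised=True)], rpc_quorum=1)
    return destination_accepts(FORGED_PAYLOAD, MSG_ID, [dvn])


def forged_passes_1_dvn_rpc_quorum_2_of_3() -> bool:
    """Still one required DVN, but it cross-checks three independent RPCs."""
    dvn = Dvn("dvn-a", [RpcEndpoint("rpc-1", compromised=True),
                        RpcEndpoint("rpc-2"), RpcEndpoint("rpc-3")], rpc_quorum=2)
    return destination_accepts(FORGED_PAYLOAD, MSG_ID, [dvn])


def forged_passes_2_of_2_dvns() -> bool:
    """Two required DVNs; the attacker fully controls one of them."""
    rogue = Dvn("dvn-a", [RpcEndpoint("rpc-1", compromised=True)], rpc_quorum=1)
    honest = Dvn("dvn-b", [RpcEndpoint("rpc-2")], rpc_quorum=1)
    return destination_accepts(FORGED_PAYLOAD, MSG_ID, [rogue, honest])


def real_passes_2_of_2_dvns() -> bool:
    """Sanity check: the genuine message is still delivered under 2-of-2."""
    dvns = [Dvn("dvn-a", [RpcEndpoint("rpc-1")], 1),
            Dvn("dvn-b", [RpcEndpoint("rpc-2")], 1)]
    return destination_accepts(REAL_PAYLOAD, MSG_ID, dvns)


if __name__ == "__main__":
    print("1-of-1 DVN, single RPC, forged mint accepted:",
          forged_passes_1_of_1_single_rpc())
    print("1 DVN with 2-of-3 RPC quorum, forged accepted:",
          forged_passes_1_dvn_rpc_quorum_2_of_3())
    print("2-of-2 DVNs, one rogue, forged accepted:", forged_passes_2_of_2_dvns())
    print("2-of-2 DVNs, real message accepted:", real_passes_2_of_2_dvns())
```

The model deliberately leaves out everything specific to LayerZero's message library; the point it isolates is that "how many independent parties must agree" is the security parameter, and that it applies twice: once inside the DVN (how many RPC sources it consults) and once in the OApp (how many DVNs it requires). A deployment that sets both to one has no party left to disagree with a compromised node.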
In light of these findings and the loss of confidence in LayerZero's security measures, KelpDAO announced that it is migrating rsETH from LayerZero's OFT standard to Chainlink's Cross-Chain Token (CCT) standard. The organization emphasized the importance of user asset security and expressed trust in Chainlink's established track record as a decentralized oracle network, marking a significant shift in its operational strategy toward stronger cross-chain security.


