TLDR
- A $292 million security breach hit Kelp DAO on April 18 through its LayerZero-integrated bridge infrastructure
- Attackers extracted 116,500 rsETH tokens and leveraged them as collateral on Aave v3 to obtain wrapped Ether
- Kelp DAO maintains that LayerZero authorized the single-verifier configuration that facilitated the attack
- LayerZero rejects these allegations, asserting Kelp independently switched from a multi-DVN to a 1-of-1 setup
- The protocol is now transitioning rsETH to Chainlink’s Cross-Chain Interoperability Protocol (CCIP)
A devastating security breach struck DeFi protocol Kelp DAO on April 18, resulting in the loss of approximately $292 million when malicious actors siphoned 116,500 rsETH tokens through its LayerZero-integrated bridge.
Following the initial theft, the perpetrators deployed the stolen tokens as collateral on Aave v3 to secure loans in wrapped Ether. Before Kelp could freeze its smart contracts, the hackers successfully executed two additional fraudulent transactions worth over $100 million combined.
LayerZero attributed the attack to North Korea’s notorious Lazarus Group. According to reports, the threat actors obtained access to the RPC node list utilized by the LayerZero Labs DVN, successfully infiltrated two nodes, and replaced their operational software.
The attackers subsequently initiated a distributed denial-of-service (DDoS) assault on the remaining legitimate nodes, redirecting network traffic to the compromised infrastructure. The hijacked DVN then validated fraudulent transactions that never actually took place on the blockchain.
The incident has ignited a heated public exchange between Kelp DAO and LayerZero regarding accountability for the security weakness.
The DVN Configuration Dispute
In LayerZero’s April 19 incident analysis, the company stated the breach occurred because Kelp’s bridge operated with a single decentralized verifier network (DVN) instead of multiple independent verifiers. LayerZero characterized this as a configuration that “directly contradicts” its security recommendations.
Kelp DAO responded forcefully on Tuesday, publishing a detailed memorandum asserting that LayerZero staff examined its configuration over 2.5 years and across eight separate integration reviews, never once identifying the single-verifier arrangement as a potential security vulnerability.
Kelp provided screenshots that it says show Telegram conversations in which a LayerZero team member reviewed the configuration without raising concerns. CoinDesk was unable to independently authenticate these screenshots.
Kelp DAO further referenced Dune Analytics data indicating that 47% of approximately 2,665 active LayerZero smart contracts employed the identical 1-of-1 DVN configuration during a 90-day period concluding around April 22. These contracts collectively represented over $4.5 billion in associated market capitalization.
Security analyst Sujith Somraaj, who previously conducted audits for LayerZero, revealed he had filed a bug bounty submission detailing this exact attack vector prior to the exploit. According to Somraaj, LayerZero dismissed his report.
LayerZero Denies the Claims
LayerZero CEO Bryan Pellegrino responded on X, characterizing many of Kelp’s assertions as “just completely untrue.”
Pellegrino stated that Kelp DAO initially implemented the recommended multi-DVN default configuration and subsequently modified it manually to a 1-of-1 setup. He indicated that a comprehensive incident report from independent security firms would be released imminently.
In an official statement, a LayerZero representative clarified that protocol defaults across nearly all pathways utilize multi-DVN configurations. The representative explained that where 1-of-1 appears in development templates, it references a “DeadDVN” that blocks messages and requires developers to establish proper configuration before deployment.
LayerZero also declared it would discontinue message signing for any application operating with a 1-of-1 configuration, a policy implemented immediately following the security incident.
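The configuration question at the center of the dispute can be checked mechanically. The following is an added example, not code from LayerZero, Kelp DAO or the article: it audits constructed pathway configurations and reports how many independent operators would have to be compromised before a forged message gathers every attestation it needs. The field names, the `dead-dvn` placeholder and the operator mapping are assumptions made for illustration, and grouping verifiers by operator goes one step beyond the 1-of-1 case in the text.

```python
from dataclasses import dataclass, field
from itertools import combinations

DEAD_DVN = "dead-dvn"  # constructed stand-in for a template placeholder verifier

@dataclass
class Pathway:
    name: str
    required: list                      # every one of these must attest
    optional: list = field(default_factory=list)
    threshold: int = 0                  # how many optional verifiers must attest

def min_operators_to_forge(p, operator_of):
    """Fewest distinct operators whose compromise yields a full attestation set."""
    base = {operator_of[d] for d in p.required}
    # Try every way of satisfying the optional threshold and keep the cheapest.
    picks = combinations(p.optional, p.threshold)
    return min(len(base | {operator_of[d] for d in s}) for s in picks)

def audit(p, operator_of, minimum=2):
    """Return (verdict, reason) for one pathway configuration."""
    if DEAD_DVN in p.required:
        return "BLOCKED", "placeholder verifier still configured"
    if p.threshold > len(p.optional):
        return "INVALID", "optional threshold exceeds optional verifier count"
    n = min_operators_to_forge(p, operator_of)
    if n < minimum:
        return "FAIL", f"compromising {n} operator(s) forges a message"
    return "PASS", f"{n} independent operators must be compromised"

# Constructed sample data: verifier -> operator, and four pathway configs.
OPERATORS = {"dvn-a": "op-1", "dvn-b": "op-2", "dvn-c": "op-2", "dvn-d": "op-3"}
PATHWAYS = [
    Pathway("single-verifier", ["dvn-a"]),                  # the 1-of-1 case
    Pathway("same-operator", ["dvn-b", "dvn-c"]),           # two verifiers, one operator
    Pathway("one-plus-quorum", ["dvn-a"], ["dvn-b", "dvn-c", "dvn-d"], 1),
    Pathway("template", [DEAD_DVN]),                        # undeployed template
]

def run_audit():
    return {p.name: audit(p, OPERATORS)[0] for p in PATHWAYS}

if __name__ == "__main__":
    for p in PATHWAYS:
        print(p.name, *audit(p, OPERATORS))
```

The `same-operator` row shows that counting verifiers alone is not enough: two verifiers run by one operator still fail the check.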
Kelp DAO contends that its internal team discovered and reported the vulnerability to LayerZero, contradicting any suggestion that LayerZero identified the issue first.
Kelp DAO is currently transitioning rsETH from LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard through its Cross-Chain Interoperability Protocol. Documentation indicates that on at least two integrated blockchains, Dinari and Skale, the LayerZero Labs DVN continues to serve as the sole listed attestor.



