LayerZero admits mistake in $292 million Kelp hack, reversing weeks of blame

LayerZero reversed its position on Friday, May 9, 2026, publicly acknowledging that it made a mistake that allowed the theft of $292 million in rsETH from Kelp DAO. After weeks of pointing fingers at Kelp DAO, the cross-chain infrastructure firm admitted full responsibility, marking a turning point in one of the year’s largest DeFi security breaches and raising fundamental questions about the distribution of accountability in the cross-chain bridge ecosystem.

Background

On April 18, 2026, the Kelp DAO liquid restaking protocol fell victim to an attack of unprecedented scale in the decentralized finance sector. Within a few hours, 116,500 rsETH — worth approximately $292 million at the going rate — were drained from the cross-chain bridge powered by LayerZero infrastructure. The attack, formally attributed to the Lazarus Group backed by Pyongyang, exploited a flaw in the technical configuration of the decentralized verifier network, more commonly known as the “1-of-1 DVN” configuration.

For several weeks, LayerZero maintained a defensive stance, asserting that Kelp DAO itself had chosen this risky configuration in direct contradiction of the protocol’s official recommendations. The company published a detailed postmortem presenting what it described as a configuration error on Kelp DAO’s side, attributing responsibility to the application rather than its own infrastructure.

Kelp DAO did not accept this version of events. The restaking protocol immediately challenged the analysis, producing screenshots and documentary evidence showing that the problematic setup had been validated by LayerZero’s own teams during eight integration meetings covering approximately two and a half years of collaboration. One exchange shown as evidence indicates that a LayerZero team member had even written: “No problem either on using the defaults — just tagging [redacted] here since he mentioned you might want to use a custom DVN setup for verifying messages, but we will leave that to your team!”

The Facts

LayerZero’s new position, officially published on May 9, represents a complete reversal. The company now explicitly acknowledges making a strategic error by allowing its own DVN to operate as the sole verifier for high-value transactions. “First things first: an overdue apology. We made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions. We did not police what our DVN was securing, which created a risk we simply did not see. We own that,” the company’s official statement reads.

The Lazarus Group, a state-sponsored cybercrime actor, deployed a multi-stage attack strategy. First, the attackers compromised the internal RPC nodes of the DVN operated by LayerZero Labs. Simultaneously, they launched distributed denial-of-service attacks against external RPC providers, creating the perfect exploitation window. This dual technical offensive made it possible to falsify a cross-chain message attestation — the now-famous “PacketSent” event — that had never been emitted by the legitimate contract on the Unichain blockchain.

Once the fraudulent message was validated by LayerZero’s compromised DVN, Kelp’s OFT Adapter contract on Ethereum released the 116,500 rsETH to the attacker-controlled wallet. The attacker then immediately supplied these unsecured rsETH tokens as collateral on Aave V3, borrowing approximately $266 million in ETH against these fictitious assets.

The cascading consequences proved devastating for the entire DeFi ecosystem. Aave, the world’s most widely used decentralized lending protocol, saw its total value locked drop by approximately $6.6 billion within 24 hours. The WETH utilization rate on Aave reached 100 percent, meaning no user could borrow against this asset. To date, the protocol remains burdened with approximately $196 million in unsecured WETH liabilities, the result of collateral provided to an attacker who never owned the corresponding funds.

In a related but separate development, a Manhattan federal judge authorized Aave on May 9 to transfer $71 million in frozen ETH on Arbitrum to a wallet controlled by Aave LLC, while preserving the legal claim of North Korean terrorism victims on these funds. This ruling opens the path to partial recovery but suggests years of legal proceedings ahead involving the DeFi protocol, state-sponsored North Korean intelligence actors, and the American judicial system.

Solv Protocol, another major ecosystem player, decided to react swiftly by migrating more than $700 million in tokenized bitcoin infrastructure away from LayerZero to alternative solutions. Kelp DAO, for its part, executed its own strategic migration to Chainlink’s CCIP protocol, permanently abandoning the infrastructure that had betrayed it.

Analysis

This case raises questions that far exceed the simple commercial dispute between two blockchain actors. The distribution of responsibility for security in the DeFi ecosystem remains a largely unmapped legal and conceptual territory. When a protocol like LayerZero provides infrastructure that allows a DVN to approve large-value transfers in a single point of failure configuration, where exactly does responsibility lie?

The security research group SigIntZero published a detailed technical analysis of the incident, describing the compromised configuration as a “cyberpunk vault door breached with a single compromised lock — the LayerZero 1-of-1 DVN that let $292 million leave Kelp DAO.” This metaphor illuminates the core problem: a system’s security can never rest on a single point of failure, even when that point is operated by a reputable firm.

Hypernative, another blockchain security firm, formulated an even more precise analysis of the attack mechanism. In their report, researchers described the incident as an “observation-layer exploitation”: LayerZero Labs’ DVN signed a payload hash for a PacketSent event claimed to have been emitted by the legitimate rsETH OFT contract on Unichain, when this event had never been produced by any valid transaction on that blockchain.
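The observation-layer failure described in the two paragraphs above comes down to how a verifier decides that an event really exists on the source chain. The following is an added illustration, not code from the article or from LayerZero: constructed RPC providers and a placeholder claimed event stand in for real chain data, and the two attestation functions contrast a verifier that trusts whichever source still answers with one that demands a fixed quorum of independent confirmations and treats an unreachable source as a non-confirmation.

```python
class RpcUnavailable(Exception):
    """The provider could not be reached (for instance while under DDoS)."""

def make_provider(logs_by_tx, available=True):
    """Constructed stand-in for an RPC provider: returns the (emitter, payload_hash)
    pairs it observed for a transaction, or raises when the endpoint is down."""
    def get_logs(tx_hash):
        if not available:
            raise RpcUnavailable(tx_hash)
        return logs_by_tx.get(tx_hash, [])
    return get_logs

def naive_attest(event, providers):
    """Fragile pattern: attest as soon as any source that answers reports the event.
    With the external sources down, one compromised node decides alone."""
    key = (event["emitter"], event["payload_hash"])
    for get_logs in providers:
        try:
            if key in get_logs(event["tx_hash"]):
                return "attest"
        except RpcUnavailable:
            continue
    return "refuse"

def quorum_attest(event, providers, quorum):
    """Attest only when at least `quorum` sources independently report the event.
    A source that is down counts as not confirming; the quorum is never lowered
    to fit however many sources happened to answer."""
    confirmations = unreachable = 0
    key = (event["emitter"], event["payload_hash"])
    for get_logs in providers:
        try:
            if key in get_logs(event["tx_hash"]):
                confirmations += 1
        except RpcUnavailable:
            unreachable += 1
    return ("attest" if confirmations >= quorum else "refuse", confirmations, unreachable)

# Constructed placeholder claim: a PacketSent said to come from the OFT contract.
CLAIM = {"tx_hash": "0xtx-placeholder", "emitter": "0xoft-placeholder", "payload_hash": "0xhash-placeholder"}
EVENT_PRESENT = {CLAIM["tx_hash"]: [(CLAIM["emitter"], CLAIM["payload_hash"])]}
EVENT_ABSENT = {}  # the transaction never emitted the event on the real chain

def attack_scenario():
    """One compromised internal node reports the event; three external providers are down."""
    providers = [make_provider(EVENT_PRESENT)] + [make_provider(EVENT_ABSENT, available=False)] * 3
    return naive_attest(CLAIM, providers), quorum_attest(CLAIM, providers, 3)

def legitimate_scenario():
    providers = [make_provider(EVENT_PRESENT)] * 4  # every source reachable, genuine event
    return naive_attest(CLAIM, providers), quorum_attest(CLAIM, providers, 3)
```

In the attack scenario the naive verifier attests on the word of the single compromised node, while the quorum verifier refuses with one confirmation and three unreachable sources; on a genuine event seen by all four sources both attest.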

Industry experts are also drawing attention to the limitations of prevailing security audit methodologies. As noted in the analysis published by WEEX, “from the perspective of the current audit paradigm, there is no tool capable of detecting whether the DVN threshold is therapeutically reasonable.” Static analysis tools and traditional code audits simply do not cover this type of configuration risk. To detect this kind of vulnerability, what is needed is not code analyzers but specialized checklists verifying parameters such as the minimum number of DVNs for a given cross-chain protocol.

This incident also represents a wake-up call regarding the philosophical debate on the nature of digital trust. In an environment where billions of dollars can be moved based on a single software configuration, transparency about architectural choices becomes an ethical as much as a technical imperative. DeFi protocol users deserve to know precisely the security assumptions on which the protection of their funds depends.

Market Reactions

The market response to this crisis was both rapid and profound. LayerZero’s native token, ZRO, experienced significant volatility in the days following the hack revelation, as investors reassessed the company’s risk profile after this admission of responsibility. Major cryptocurrency exchanges closely monitored the situation’s evolution, some even temporarily suspending deposits of tokens linked to the LayerZero ecosystem.

Chainlink emerged as the primary beneficiary of this trust crisis. The decentralized oracle protocol captured several major bridges deserted by LayerZero, including Kelp DAO’s rsETH bridge. This migration represents a strategic turning point for Chainlink, which is increasingly positioning its CCIP protocol as the reference solution for institutional cross-chain transfers.

Established DeFi developers were forced to urgently review their security configurations. Industry consensus is shifting toward robust multi-signature configurations rather than single points of failure. Projects using cross-chain bridges are now thinking twice before implementing anything other than multi-DVN setups.

American regulators have also been following the case closely. The $292 million hack, combined with other major exploits in 2026, is fueling the ongoing legislative debate on the digital asset regulatory framework. The Senate Banking Committee, set to meet on May 14 to review the Digital Asset Market Clarity Act, could be influenced by these repeated security incidents.

Outlook

LayerZero Labs announced a major corrective package to restore ecosystem confidence. Henceforth, the DVN operated by LayerZero Labs will no longer service 1/1 configurations for any application whatsoever. All default protocol parameters will migrate to a 5/5 configuration wherever possible, with an absolute minimum threshold of 3/3 on all chains where only three DVNs are available.
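The Analysis section above argues that this class of risk is caught by a configuration checklist rather than a code analyzer, and the paragraph just above gives the thresholds LayerZero now intends to enforce. The following is an added example of such a checklist, not code from the article or from LayerZero: it uses a simplified config model whose field names are an assumption (required and optional DVN lists plus an optional-signer threshold), constructed placeholder DVN addresses, and an operator map so that several DVNs run by one operator are not counted as independent.

```python
from collections import Counter
from dataclasses import dataclass, field
@dataclass
class UlnConfig:
    """Simplified model (an assumption, not LayerZero's actual struct): every required
    DVN plus `optional_threshold` optional DVNs must sign before a message verifies."""
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0
    is_default: bool = False  # True when the app never set its own config

def signers_needed(cfg):
    """Signatures that verify a message, i.e. verifiers an attacker must control."""
    return len(cfg.required_dvns) + cfg.optional_threshold

def independent_operators(cfg, operators):
    """Fewest distinct operators whose cooperation verifies a message: required DVNs
    always sign; among optional DVNs pick the threshold-sized subset that adds the
    fewest new operators (largest same-operator groups first)."""
    counted = {operators.get(d, d) for d in cfg.required_dvns}
    opt_ops = [operators.get(d, d) for d in cfg.optional_dvns]
    need = cfg.optional_threshold - sum(o in counted for o in opt_ops)
    new_ops = 0
    for _, size in Counter(o for o in opt_ops if o not in counted).most_common():
        if need <= 0:
            break
        new_ops, need = new_ops + 1, need - size
    return len(counted) + new_ops

def audit(cfg, operators, high_value=True, policy_min=3, recommended=5):
    """Checklist findings; thresholds follow the post-incident policy in the article
    (no 1/1 for any app, at least 3 verifiers, 5 where available)."""
    findings = []
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("INVALID: optional threshold exceeds number of optional DVNs")
    n, ops = signers_needed(cfg), independent_operators(cfg, operators)
    if n <= 1:
        findings.append("CRITICAL: 1/1 DVN, one compromised verifier can release funds")
    elif ops < policy_min:
        findings.append(f"HIGH: only {ops} independent operator(s) needed, policy minimum is {policy_min}")
    elif ops < recommended:
        findings.append(f"MEDIUM: {ops} independent operators, below the recommended {recommended}")
    if cfg.is_default and high_value:
        findings.append("HIGH: default config on a high-value route; set an explicit multi-DVN config")
    return findings

# Constructed placeholder addresses and operator labels, not real DVN identities.
OPERATORS = {"0xdvn-a": "op-a", "0xdvn-a2": "op-a", "0xdvn-b": "op-b", "0xdvn-c": "op-c", "0xdvn-d": "op-d", "0xdvn-e": "op-e"}
SINGLE = UlnConfig(required_dvns=["0xdvn-a"], is_default=True)   # the 1/1 default pattern
FIVE = UlnConfig(required_dvns=["0xdvn-%s" % c for c in "abcde"])  # 5/5 across five operators
```

Running `audit(SINGLE, OPERATORS)` yields the CRITICAL 1/1 finding plus the default-config finding, while `audit(FIVE, OPERATORS)` is clean; a config padded with two DVNs from the same operator is scored by operators, not by address count.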

This massive transition could take several months and will require significant coordination across the DeFi ecosystem. Every developer using LayerZero will need to review and update their security configurations before any production deployment. Technical teams will also need to train their staff on new parameter settings and the implications of these architectural changes.

The creation of OneSig, LayerZero’s new custom multi-signature solution developed in response to the incident, illustrates a late but real awakening regarding key management deficiencies. The industry as a whole must collectively learn the lessons of this episode. Infrastructure protocols must assume greater responsibility in validating the configurations they recommend or make available by default.

For investors and protocols using cross-chain bridges, this affair serves as a powerful reminder that fund security depends not only on the robustness of smart contract code but also and especially on the configuration of verification infrastructure. Security audits must from now on incorporate specialized checklists for DVN configuration parameters, and development teams must demonstrate a thorough understanding of the implications of each architectural decision.

In the medium term, this crisis could accelerate the emergence of industry-wide standards for cross-chain security. The question of infrastructure providers’ liability in the DeFi ecosystem remains largely open, and the legal proceedings arising from this case could establish significant precedents for the entire sector.
