Kelp DAO claims that LayerZero personnel permitted the 1-of-1 verifier setup, a choice LayerZero has since cited as the reason a North Korea-linked attacker drained roughly $292 million from Kelp’s rsETH bridge.
The claim runs counter to LayerZero’s April 19 postmortem, which stated Kelp’s rsETH application relied on LayerZero Labs as its sole verifier and that the setup “instantly contradicts” LayerZero’s recommended multi-DVN model.
Kelp’s memo says LayerZero personnel reviewed its configurations for over 2.5 years and in eight integration discussions, without warning that a 1-of-1 setup posed a material security risk.
The memo, titled “Setting the Document Straight Across the LayerZero Bridge Hack,” includes screenshots of Telegram exchanges that document LayerZero’s awareness of, and lack of objection to, Kelp’s verifier setup.
One screenshot shows a LayerZero team member saying: “No downside on utilizing defaults both — simply tagging (redacted) right here since he talked about you’ll have wished to make use of a customized DVN setup for verifying messages, however will depart that to your group!” Kelp says the “defaults” referenced in the exchange were the 1-of-1 LayerZero Labs DVN configuration later cited by LayerZero as the application-level setup that enabled the exploit.
CoinDesk couldn’t independently authenticate the screenshot.
LayerZero’s templates
Kelp also points to LayerZero’s bug bounty scope, OFT Quickstart and developer examples as evidence that LayerZero treated verifier-network choices as application-level configuration while showing developers a one-DVN setup.
LayerZero’s published bug bounty scope on Immunefi excludes from rewards “impacts to OApps themselves because of their very own misconfiguration,” including verifier networks and executors.
The LayerZero OFT Quickstart and the official OFT example configuration on GitHub show LayerZero Labs as the required DVN, with no optional DVN set.
Kelp’s memo cites an April 19 post from Spearbit security researcher Sujith Somraaj, in which Somraaj said he had submitted a bug bounty report describing the same attack pattern and that LayerZero rejected it.
“My bug bounty: not a vuln, requires all DVNs,” Somraaj wrote on X. “Their deployment: removes the ‘all’ half. Hackers: collects $295M bounty as a substitute.” Somraaj is a past LayerZero auditor, according to his Cantina profile.
Kelp moves to Chainlink
Kelp also said it is moving rsETH off LayerZero to Chainlink’s Cross-Chain Interoperability Protocol. The shift moves rsETH from LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard.
The exploit drained 116,500 rsETH, worth roughly $292 million, from Kelp’s LayerZero-powered bridge. Two more forged transactions totaling more than $100 million were signed and processed by the LayerZero Labs DVN before Kelp paused its contracts, the protocol said.
LayerZero said the attackers are likely linked to North Korea’s Lazarus Group, who accessed the list of RPCs used by the LayerZero Labs DVN, compromised two RPC nodes and swapped out the binaries running on them.
The attackers then launched a DDoS attack against uncompromised RPC nodes, forcing a failover to the poisoned ones. LayerZero said the DVN then confirmed transactions that had not occurred.
Kelp argues the 1-of-1 setup was widespread. CoinGecko, citing Dune Analytics data, said 47% of roughly 2,665 active LayerZero OApp contracts ran a 1-of-1 DVN configuration over a 90-day period ending around April 22, with more than $4.5 billion in associated market value exposed to the same class of risk.
LayerZero’s postmortem said the protocol “functioned precisely as meant.” The company said it will not sign messages for any application running a 1-of-1 configuration, a policy change that took effect after the hack.
Kelp alleges that its team had to flag the exploit to LayerZero rather than the other way around, raising questions about LayerZero’s monitoring.
The memo also alleges substantial overlap in addresses granted ADMIN_ROLE on both the LayerZero Labs DVN and the Nethermind DVN, listing ten on April 8, 2026 and five more on February 6, 2025. CoinDesk has not independently verified the onchain claim.
LayerZero did not respond to a request for comment by publication.
On at least two integrated chains, Dinari and Skale, the LayerZero Labs DVN is still listed as the only available attestor, according to the documentation.
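
As an added illustration (not code from Kelp, LayerZero or CoinDesk), the sketch below audits a verifier configuration for the risk discussed above: it counts how many independent control groups must fail before a required/optional DVN set is satisfied, treating DVNs that share an admin address as one group, which is the kind of overlap the memo alleges for ADMIN_ROLE. The config field names, DVN names and addresses are assumptions and constructed sample data.

```javascript
// Added example; DVN names/addresses are constructed, config field names are assumed.
// Returns a function mapping a DVN to its control group: DVNs that share
// any admin address are merged into one group (union-find).
function controlGroups(dvnAdmins) {
  const parent = new Map();
  const find = (d) => {
    if (!parent.has(d)) parent.set(d, d);
    while (parent.get(d) !== d) d = parent.get(d);
    return d;
  };
  const firstSeen = new Map(); // admin address -> first DVN listing it
  for (const [dvn, admins] of Object.entries(dvnAdmins)) {
    for (const addr of admins.map((a) => a.toLowerCase())) {
      if (firstSeen.has(addr)) parent.set(find(dvn), find(firstSeen.get(addr)));
      else firstSeen.set(addr, dvn);
    }
  }
  return find;
}

// Yields every k-element subset of items.
function* combinations(items, k, start = 0, picked = []) {
  if (picked.length === k) { yield picked; return; }
  for (let i = start; i < items.length; i++) {
    yield* combinations(items, k, i + 1, [...picked, items[i]]);
  }
}

// Smallest number of independent control groups whose compromise satisfies
// the config: every required DVN plus `threshold` of the optional ones.
function auditVerifierConfig(cfg, dvnAdmins = {}) {
  const groupOf = controlGroups(dvnAdmins);
  const required = cfg.requiredDVNs ?? [];
  const optional = cfg.optionalDVNs ?? [];
  const threshold = Math.min(cfg.optionalDVNThreshold ?? 0, optional.length);
  let independentGroups = Infinity;
  for (const pick of combinations(optional, threshold)) {
    const groups = new Set([...required, ...pick].map(groupOf));
    independentGroups = Math.min(independentGroups, groups.size);
  }
  const signaturesNeeded = required.length + threshold;
  return { signaturesNeeded, independentGroups, singlePointOfFailure: independentGroups <= 1 };
}

const SAMPLE_ADMINS = {
  "dvn-a": ["0xAAA1", "0xAAA2"],
  "dvn-b": ["0xaaa2", "0xBBB1"], // shares an admin with dvn-a
  "dvn-c": ["0xCCC1"],
};
```

With the sample data, a two-DVN setup whose verifiers share an admin still reports a single point of failure, so the signature count alone is not a measure of independence.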
