TLDR
- Kelp DAO suffered a $292 million security breach on April 18 through its LayerZero-integrated bridge system
- Attackers extracted 116,500 rsETH tokens, subsequently leveraging them on Aave v3 to secure wrapped Ether loans
- According to Kelp, LayerZero gave approval to the single-verifier configuration that allowed the breach
- LayerZero contests these allegations, asserting Kelp independently switched from multi-DVN to 1-of-1 setup
- The protocol has begun transitioning rsETH to Chainlink’s Cross-Chain Interoperability Protocol (CCIP)
DeFi protocol Kelp DAO experienced a devastating security breach on April 18, resulting in approximately $292 million in losses when malicious actors extracted 116,500 rsETH tokens through its LayerZero-integrated bridge infrastructure.
The stolen tokens served as collateral within Aave v3, enabling the attackers to obtain wrapped Ether loans. Before Kelp could freeze its smart contracts, two additional fraudulent transactions worth over $100 million went through the system.
LayerZero attributed the attack to the Lazarus Group, a notorious North Korean hacking collective. The perpetrators allegedly obtained the roster of RPC nodes utilized by the LayerZero Labs DVN, successfully breached two nodes, and replaced their operational software.
Following this infiltration, the hackers executed a DDoS assault on the uncompromised nodes, redirecting network traffic to the corrupted infrastructure. The hijacked DVN proceeded to validate transactions that had never legitimately taken place.
This security incident has triggered an intense public confrontation between Kelp DAO and LayerZero regarding accountability for the underlying weakness.
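The RPC failover described above can be modelled from the defender's side. The following is an added example, not code from LayerZero, Kelp or the original article: it contrasts a verifier that acts on whichever RPC node still answers with one that fails closed unless a majority of all configured nodes agree. The five-node count, node names, function names and hash values are assumptions constructed for illustration.

```python
from collections import Counter

UNREACHABLE = None        # node timed out, e.g. while under DDoS
NOT_FOUND = "not-found"   # node answered: no such message on the source chain
FORGED = "0xFORGED_PLACEHOLDER"    # constructed value, not a real hash
REAL = "0xREAL_PLACEHOLDER"        # constructed value, not a real hash

# Constructed scenarios: five RPC nodes (count is an assumption), two of them
# running replaced software that reports a message that never happened.
UNDER_DDOS = {"rpc-1": FORGED, "rpc-2": FORGED,
              "rpc-3": UNREACHABLE, "rpc-4": UNREACHABLE, "rpc-5": UNREACHABLE}
HONEST_UP = {"rpc-1": FORGED, "rpc-2": FORGED,
             "rpc-3": NOT_FOUND, "rpc-4": NOT_FOUND, "rpc-5": NOT_FOUND}
ALL_AGREE = {name: REAL for name in UNDER_DDOS}


def attest_with_failover(responses):
    """Weak policy: act on the first node that answers at all."""
    for answer in responses.values():
        if answer is not UNREACHABLE:
            return None if answer == NOT_FOUND else answer
    return None


def attest_with_quorum(responses):
    """Fail closed: sign only if a majority of ALL configured nodes agree.

    Unreachable nodes count against the quorum, so knocking honest nodes
    offline stops attestation instead of handing the decision to whoever
    is still answering. Returns the payload hash to sign, or None to refuse.
    """
    needed = len(responses) // 2 + 1
    votes = Counter(a for a in responses.values() if a is not UNREACHABLE)
    if not votes:
        return None
    answer, count = votes.most_common(1)[0]
    if count < needed or answer == NOT_FOUND:
        return None
    return answer


if __name__ == "__main__":
    for label, scenario in [("under DDoS", UNDER_DDOS),
                            ("honest nodes up", HONEST_UP), ("all agree", ALL_AGREE)]:
        print(label, "| failover:", attest_with_failover(scenario),
              "| quorum:", attest_with_quorum(scenario))
```

A read quorum only limits what one verifier can be tricked into signing; it does not substitute for requiring several independent verifiers, since a majority of compromised nodes would still pass this check.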
The DVN Configuration Dispute
In LayerZero’s April 19 incident analysis, the company stated the breach occurred due to Kelp’s bridge operating with a single decentralized verifier network (DVN) instead of employing multiple independent verifiers. LayerZero characterized this arrangement as running counter to its advised security standards.
Kelp responded forcefully on Tuesday. The protocol published a detailed statement claiming LayerZero staff examined its setup over 2.5 years and across eight separate integration meetings, and issued no warnings that the single-verifier architecture was a potential security concern.
Kelp provided Telegram message screenshots purportedly demonstrating a LayerZero team member reviewing the configuration without raising objections. CoinDesk has been unable to authenticate these screenshots independently.
Kelp referenced Dune Analytics information indicating 47% of approximately 2,665 active LayerZero contracts employed an identical 1-of-1 DVN arrangement during a 90-day period concluding around April 22. These contracts represented more than $4.5 billion in combined market capitalization.
Sujith Somraaj, a security expert with previous LayerZero auditing experience, revealed he had filed a bug bounty submission detailing the identical attack methodology prior to the breach. According to Somraaj, LayerZero dismissed his report.
LayerZero Denies the Claims
LayerZero CEO Bryan Pellegrino responded on X, characterizing numerous claims from Kelp as factually incorrect.
Pellegrino stated Kelp initially deployed the recommended multi-DVN default settings and subsequently modified the configuration manually to establish the 1-of-1 arrangement. He promised a comprehensive incident report from third-party security companies would arrive shortly.
Through an official statement, a LayerZero representative explained the protocol’s default settings across nearly all operational pathways implement multi-DVN architecture. The representative clarified that template instances showing 1-of-1 configurations reference a “DeadDVN” feature designed to block messages, compelling developers to establish proper configurations before production deployment.
LayerZero announced a new policy prohibiting message signing for any application utilizing a 1-of-1 setup, implementing this restriction immediately following the hack.
Kelp maintains its internal team discovered the vulnerability and alerted LayerZero, reversing the company’s narrative.
Kelp has commenced migrating rsETH away from LayerZero’s OFT standard toward Chainlink’s Cross-Chain Token standard through its Cross-Chain Interoperability Protocol. Documentation shows the LayerZero Labs DVN continues as the sole listed attestor on at least two integrated chains, Dinari and Skale.

