LayerZero said late Friday U.S. time that it "made a mistake" allowing its own verifier infrastructure to secure high-value crypto assets in a vulnerable configuration, walking back weeks of public finger-pointing at Kelp DAO over a $292 million exploit attributed to North Korean attackers. The company said it "owns" the decision to let a single decentralized verifier network — a 1-of-1 DVN configuration — approve cross-chain transfers, creating a single point of failure that the attackers exploited. "We didn't police what our DVN was securing, which created a risk we simply didn't see," the team wrote in a Friday blog post.
Why it matters
Cross-chain bridges have long been among crypto's most attacked pieces of infrastructure, and the admission is unusual for a sector where blame routinely bounces between protocol teams and application developers until legal teams get involved. LayerZero is now moving the entire default configuration floor upward: its DVN will no longer service any 1-of-1 setup, and all pathway defaults are being migrated to 5/5 where possible — and no looser than 3/3 on any chain where only three DVNs are available. The protocol layer itself, LayerZero insists, was not compromised; the entry point was internal RPC infrastructure used by the LayerZero Labs DVN, while external RPC providers were simultaneously hit with distributed denial-of-service attacks.
Market impact
The commercial damage is already showing up in client migration. Kelp has shifted its rsETH bridge to Chainlink's Cross-Chain Interoperability Protocol, and Solv Protocol said this week it is moving more than $700 million in tokenized bitcoin infrastructure away from LayerZero following a fresh security review. On top of the exploit fallout, LayerZero disclosed that three and a half years ago a multisig signer used the team's hardware wallet for a personal trade; the signer has been removed, wallets rotated, and a custom multisig called OneSig has been built to prevent recurrence. With LayerZero's own verifier caught on the wrong side of a $292M loss tied to a state-sponsored group, the bridge-custody market is now openly up for grabs.
Frequently asked questions
- What did LayerZero actually admit in the $292M Kelp exploit?
  LayerZero said it "made a mistake" by allowing its own decentralized verifier network to secure high-value transfers in a 1-of-1 configuration, creating a single point of failure exploited by attackers tied to North Korea.
- Was the LayerZero protocol itself compromised?
  LayerZero said the protocol was not compromised. It attributed the exploit to an attack on internal RPC infrastructure used by the LayerZero Labs DVN, while external RPC providers were hit with simultaneous DDoS attacks.
- How is LayerZero changing its default configuration after the exploit?
  LayerZero's DVN will no longer service any 1-of-1 DVN configuration, and all pathway defaults are being migrated to 5/5 where possible — and no looser than 3/3 on chains where only three DVNs are available.
- Which clients have moved away from LayerZero since the exploit?
  Kelp DAO shifted its rsETH bridge to Chainlink's Cross-Chain Interoperability Protocol, and Solv Protocol is migrating more than $700 million in tokenized bitcoin infrastructure away from LayerZero following a fresh security review.
- What other security issue did LayerZero disclose alongside the exploit?
  LayerZero disclosed that three and a half years ago a multisig signer used the team's hardware wallet for a personal trade. The signer has been removed, wallets rotated, and a custom OneSig multisig has been built to prevent recurrence.
CoinDesk