Loading prices…
🩸BEARISH

Kelp DAO disputes LayerZero rsETH exploit postmortem

If Kelp's Telegram screenshots hold, the $292M loss wasn't Kelp's misconfiguration — it was a verifier design LayerZero reviewed for 2.5 years, then blamed on the victim after Lazarus drained the…

Kelp DAO has publicly contradicted LayerZero's postmortem of the $292 million rsETH bridge exploit, publishing a memo titled "Setting the Record Straight Around the LayerZero Bridge Hack" that includes Telegram screenshots purporting to show LayerZero personnel approving the 1-of-1 verifier configuration LayerZero later cited as the application-level cause of the hack. The exploit, which LayerZero has attributed to North Korea's Lazarus Group, drained 116,500 rsETH — roughly $292 million — on April 18, and two additional forged transactions worth more than $100 million were signed and processed by the LayerZero Labs DVN before Kelp paused its contracts.

Why it matters

The dispute turns on who owned the 1-of-1 setup. LayerZero's April 19 postmortem said Kelp's rsETH application relied on LayerZero Labs as its sole verifier and that the arrangement "directly contradicts" LayerZero's recommended multi-DVN model. Kelp's memo pushes back hard: the protocol says LayerZero personnel reviewed its configurations for over 2.5 years across eight integration discussions without flagging the setup as a material risk, and one screenshot shows a LayerZero team member writing that using the default DVN setup was "no problem," with Kelp arguing the "defaults" referenced were precisely the 1-of-1 configuration later blamed.

The memo also cites Spearbit security researcher Sujith Somraaj, a prior LayerZero auditor, who said on X that he had filed a bug bounty report describing the same attack pattern and been told it was "not a vuln." LayerZero's Immunefi bug bounty scope excludes "impacts to OApps themselves as a result of their own misconfiguration," and its OFT Quickstart templates show LayerZero Labs as the required DVN with no optional DVN set — evidence, Kelp argues, that the protocol treated the single-DVN path as the supported default rather than a user error.

Market impact

Dune Analytics data cited by CoinGecko put roughly 47% of LayerZero's ~2,665 active OApp contracts on a 1-of-1 DVN configuration over the 90 days ending around April 22, with more than $4.5 billion in associated market value exposed to the same class of risk.

Related tokens
$ETH

Frequently asked questions

  1. What is the $292M Kelp DAO exploit and who is blamed for it?

    On April 18, attackers drained 116,500 rsETH — worth roughly $292 million — from Kelp's LayerZero-powered bridge. LayerZero attributed the attack to North Korea's Lazarus Group, saying they compromised two RPC nodes used by the LayerZero Labs DVN and swapped out the binaries running on them before exploiting failover.

  2. Why is Kelp disputing LayerZero's postmortem?

    LayerZero's April 19 postmortem said Kelp's rsETH application relied on LayerZero Labs as its sole verifier and that the setup "directly contradicts" LayerZero's recommended multi-DVN model. Kelp's memo counters that LayerZero personnel reviewed its configurations for over 2.5 years across eight integration…

  3. What evidence did Kelp publish to support its claim?

    Kelp's memo includes Telegram screenshots showing a LayerZero team member saying using the default DVN setup was "no problem." CoinDesk said it could not independently authenticate the screenshots. Kelp also cites LayerZero's Immunefi bug bounty scope, OFT Quickstart templates, and an X post from Spearbit researcher…

  4. How many LayerZero applications were exposed to the same risk?

    Dune Analytics data cited by CoinGecko showed roughly 47% of about 2,665 active LayerZero OApp contracts ran a 1-of-1 DVN configuration over the 90 days ending around April 22, with more than $4.5 billion in associated market value exposed to the same class of risk.

  5. What is Kelp doing in response to the hack?

    Kelp is migrating rsETH off LayerZero's OFT standard to Chainlink's Cross-Chain Interoperability Protocol. LayerZero, for its part, has banned the 1-of-1 DVN setup and said it will no longer sign messages for any application running one — a policy change that took effect only after the exploit.

Source attribution
Aggregated from CoinDesk · Verified · Last refreshed 65d ago
Open original →