Kelp DAO Accuses LayerZero of Approving Vulnerable Setup Leading to $292 Million Hack

In a contentious assertion, Kelp DAO has accused LayerZero personnel of approving a verifier setup that led to a significant security breach, resulting in a North Korea-linked attacker siphoning roughly $292 million from the rsETH bridge. This claim contradicts LayerZero’s April 19 postmortem, which criticized Kelp’s reliance on LayerZero Labs as its sole verifier, stating it went against their suggested multi-DVN model.

Kelp’s report, titled ‘Setting the Record Straight Around the LayerZero Bridge Hack,’ asserts that over the span of more than two years and through eight integration meetings, LayerZero reviewed Kelp’s configurations without indicating any material risks associated with a 1-of-1 setup. The memo includes Telegram screenshots showing LayerZero’s awareness and tacit approval of Kelp’s verifier configuration.

One screenshot reveals a LayerZero team member stating: ‘No problem on using defaults either — just tagging [redacted] here since he mentioned you may have wanted to use a custom DVN setup for verifying messages, but will leave that to your team!’ The memo claims these “defaults” referred to the 1-of-1 LayerZero Labs DVN configuration later blamed by LayerZero for facilitating the exploit. CoinDesk could not confirm the authenticity of this screenshot.

Kelp further highlights LayerZero’s bug bounty scope on Immunefi, which excludes misconfigurations from rewards. The OFT Quickstart and GitHub examples show LayerZero Labs as a compulsory DVN, suggesting verifier-network decisions were treated as application-level configurations. Kelp also references a report by Sujith Somraaj of Spearbit, who had previously flagged the same vulnerability but was rejected under LayerZero’s bug bounty policy.

The DAO now plans to transition rsETH from LayerZero to Chainlink’s Cross-Chain Interoperability Protocol, shifting from OFT to Cross-Chain Token standards. The attack involved draining 116,500 rsETH and processing over $100 million in fraudulent transactions before Kelp paused its contracts.

LayerZero attributes the breach to North Korea’s Lazarus Group, which compromised two of the RPC nodes the DVN relied on and launched a DDoS attack against the others, leaving the DVN reading manipulated chain data. As a result, the compromised DVN confirmed transactions that never occurred on the source chain.

Kelp highlights that 47% of about 2,665 LayerZero OApp contracts used a similar 1-of-1 setup, exposing significant market value to the same risk, according to CoinGecko and Dune Analytics data. While maintaining that its protocol operated correctly, LayerZero has since stopped signing messages for any application still using such a configuration.

Kelp also notes that it had to alert LayerZero to the exploit rather than the other way around, and questions the effectiveness of LayerZero’s monitoring. The memo further points out that, on specific dates, the same addresses held ADMIN_ROLE in both the LayerZero Labs and Nethermind DVNs, which would undercut the independence of a two-DVN setup built from those verifiers. CoinDesk has not independently verified these claims.
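The dispute in this article turns on what a verifier configuration actually guarantees: a 1-of-1 DVN setup means a single verifier's attestation is enough to release funds, and a 2-DVN setup where both verifiers share an admin key is not materially stronger. The following Python is an added example (not code from Kelp, LayerZero or CoinDesk) showing how a defender could audit a set of OApp verifier configs for exactly these two weaknesses. The config shape is modelled on LayerZero V2's UlnConfig (required DVNs that must all verify, plus a threshold of optional DVNs); the field names, the DVN ids and the admin-key mapping are assumptions constructed for the example rather than decoded on-chain data.

```python
from __future__ import annotations

import itertools
from dataclasses import dataclass, field


@dataclass
class UlnConfig:
    """Verifier config shape modelled on LayerZero V2's UlnConfig: every required
    DVN must verify a message, plus optional_dvn_threshold of the optional DVNs.
    Field names are an assumption for this example, not decoded on-chain data."""
    confirmations: int
    required_dvns: list[str]
    optional_dvns: list[str] = field(default_factory=list)
    optional_dvn_threshold: int = 0


def dvn_threshold(cfg: UlnConfig) -> int:
    """Number of DVN attestations that must be forged for a message to pass
    verification. A 1-of-1 setup scores 1."""
    return len(cfg.required_dvns) + cfg.optional_dvn_threshold


def operator_groups(dvns: list[str], admins: dict[str, set[str]]) -> dict[str, str]:
    """Group DVNs that share any admin address into one operator (union-find).
    Two DVNs with an overlapping ADMIN_ROLE key are one trust domain, not two."""
    parent = {d: d for d in dvns}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owner_of_admin: dict[str, str] = {}
    for d in dvns:
        for a in admins.get(d, set()):
            if a in owner_of_admin:
                parent[find(d)] = find(owner_of_admin[a])
            else:
                owner_of_admin[a] = d
    return {d: find(d) for d in dvns}


def operator_threshold(cfg: UlnConfig, admins: dict[str, set[str]]) -> int:
    """Minimum number of independent operators whose DVNs would all have to fail
    for a bad message to verify. All required DVNs count; for the optional set we
    take the cheapest subset, brute-forced because configs hold only a few DVNs."""
    if cfg.optional_dvn_threshold > len(cfg.optional_dvns):
        raise ValueError("optional threshold exceeds number of optional DVNs")
    group = operator_groups(cfg.required_dvns + cfg.optional_dvns, admins)
    base = {group[d] for d in cfg.required_dvns}
    if cfg.optional_dvn_threshold == 0:
        return len(base)
    return min(
        len(base | {group[d] for d in combo})
        for combo in itertools.combinations(cfg.optional_dvns, cfg.optional_dvn_threshold)
    )


def audit(cfg: UlnConfig, admins: dict[str, set[str]]) -> dict[str, object]:
    """Summarise a config the way a reviewer would read it."""
    ops = operator_threshold(cfg, admins)
    return {
        "dvn_threshold": dvn_threshold(cfg),
        "operator_threshold": ops,
        "finding": "single point of verification" if ops <= 1 else "multi-operator verification",
    }


# Constructed DVN ids and admin keys (placeholders, not real addresses).
ADMINS = {
    "dvn-A": {"admin-1", "admin-2"},
    "dvn-B": {"admin-2", "admin-3"},  # shares admin-2 with dvn-A
    "dvn-C": {"admin-4"},
    "dvn-D": {"admin-5"},
}

# The 1-of-1 default: one required DVN and nothing else.
ONE_OF_ONE = UlnConfig(confirmations=15, required_dvns=["dvn-A"])
# Looks like 2-of-2, but the two DVNs share an admin key.
SHARED_ADMIN = UlnConfig(confirmations=15, required_dvns=["dvn-A", "dvn-B"])
# One required DVN plus 1-of-2 optional DVNs run by separate operators.
INDEPENDENT = UlnConfig(
    confirmations=15,
    required_dvns=["dvn-A"],
    optional_dvns=["dvn-C", "dvn-D"],
    optional_dvn_threshold=1,
)

if __name__ == "__main__":
    for name, cfg in [("one_of_one", ONE_OF_ONE), ("shared_admin", SHARED_ADMIN), ("independent", INDEPENDENT)]:
        print(name, audit(cfg, ADMINS))
```

The `dvn_threshold` number is what a dashboard would show; `operator_threshold` is the number that matters, because the shared-admin case reports two DVNs but only one operator that would need to be compromised. Feeding this audit the decoded configs of every OApp on an endpoint is how the 47% figure cited above could be reproduced and extended to catch the admin-overlap variant.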

LayerZero declined to comment on the matter before publication. Documentation for chains like Dinari and Skale still lists LayerZero Labs as the only available attestor.
