KelpDAO Accuses LayerZero in $292 Million Hack, Shifts to Chainlink

KelpDAO has pointed fingers at LayerZero following a $292 million hack and is planning to relaunch its cross-chain system using Chainlink’s protocol, as announced on X this Tuesday.

“The incident on April 18 clearly indicates that the exploit originated from vulnerabilities within LayerZero’s infrastructure, causing $300M in losses throughout DeFi,” stated Kelp DAO on X. “Independent analyses by SEAL 911, Chainalysis, and other top security experts corroborate this finding.”

In April, attackers siphoned approximately 116,500 rsETH, an Ethereum-based staking token, from a cross-chain bridge used by Kelp, which lets users stake Ethereum and transfer tokens across blockchains. The exploit is associated with North Korea’s Lazarus Group.

Kelp further elaborated on X that LayerZero personnel had approved the risky configuration leading to the breach without flagging its security flaws. The configuration, known as a 1-of-1 verifier setup, depends on a single entity for validating cross-chain transactions.

According to Kelp, the attack was due to a compromise of LayerZero’s infrastructure where attackers accessed the verifier network’s RPC nodes, coercing the system into relying on manipulated data and allowing fraudulent transactions to pass through.

“Following the exploit, LayerZero declared it would cease signing or verifying messages for any app using a 1-1 DVN configuration,” Kelp noted. “This policy change, enacted after substantial losses, confirms that this was a prevalent setup in LayerZero’s ecosystem only altered post-failure.”

LayerZero, however, contested these claims in an April statement, asserting the exploit was specific to Kelp’s rsETH application due to its deviation from their advocated multi-verifier model.

“That narrative doesn’t align with reality,” countered Kelp DAO. “It is publicly known that this 1-1 configuration wasn’t exclusive to Kelp.”

Kelp said it had adhered to LayerZero’s documentation and default configurations, and cited data indicating that numerous applications in the ecosystem employed analogous configurations.

To enhance security, Kelp plans to transition its rsETH system to Chainlink’s Cross-Chain Interoperability Protocol (CCIP), which requires multiple independent validators to approve transactions instead of a single verifier.

“We are dedicated to collaborating with the KelpDAO team to bolster the cross-chain security of rsETH and facilitate their shift to Chainlink CCIP,” stated Johann Eid, Chainlink Chief Business Officer, in an interview with Decrypt. “Our belief is that DeFi must be supported by robust infrastructure to fully harness its potential for onchain transactions amounting to trillions.”

The repercussions of Kelp’s exploit have reached beyond the technical dispute. Approximately $71 million in crypto associated with the hack was frozen on the Arbitrum network, sparking a legal battle in a New York federal court.

“There are critical questions within the ecosystem that require answers,” remarked Kelp DAO. “We are committed to ensuring rsETH is supported by infrastructure that addresses these inquiries adequately.”

LayerZero has not yet responded to Decrypt’s request for comment.
