Kelp DAO is publicly blaming LayerZero for a $292 million exploit and announced plans to relaunch with a redesigned cross-chain system on Chainlink.
According to Kelp, the attack on April 18 drained approximately 116,500 rsETH from a cross-chain bridge. The incident has been linked to North Korea's Lazarus Group.
Kelp claims LayerZero personnel approved the 1-of-1 verifier configuration used in the exploit and failed to warn about the security risk. The setup relied on a single entity to validate cross-chain transactions, which attackers compromised by breaching LayerZero's infrastructure.
After the hack, LayerZero stated it would no longer sign messages for applications using a single-verifier setup. Kelp argues this policy shift confirms the configuration was widely used and only changed after the failure.
LayerZero disputes the account, calling the exploit isolated to Kelp's use of a single verifier against its recommended multi-verifier model.
Kelp is migrating rsETH to Chainlink's Cross-Chain Interoperability Protocol (CCIP), which requires approval from multiple independent validators. Chainlink's Chief Business Officer, Johann Eid, confirmed support for the migration, stressing the need for highly secure infrastructure in DeFi.
The legal fallout continues: roughly $71 million in frozen crypto linked to the exploit is now the subject of a court battle in New York federal court.