LayerZero has admitted it made a mistake by allowing its own verification infrastructure to secure high-value crypto assets in a vulnerable setup, a significant reversal after weeks of blaming Kelp DAO for a $292 million hack tied to North Korean attackers.
In a blog post on Friday, LayerZero issued an overdue apology, acknowledging that it permitted a single decentralized verifier network (DVN) to approve cross-chain transfers for high-value transactions, creating a single point of failure. The company said it will no longer service such 1/1 DVN configurations, migrating defaults to 5/5 where possible and no less than 3/3.
The company maintained that its underlying protocol was not compromised, attributing the exploit to an attack on internal RPC infrastructure while external RPC providers faced denial-of-service attacks. LayerZero also disclosed that one of its multisig signers had used their hardware wallet for a personal trade, leading to the removal of that signer and the rollout of new security measures including a custom-built multisig called OneSig.
Competitors like Chainlink are capitalizing on the fallout. Kelp has already moved its rsETH bridge to Chainlink's CCIP, and Solv Protocol is migrating over $700 million in tokenized bitcoin infrastructure away from LayerZero.