KelpDAO blames cross-chain protocol LayerZero for a $292 million exploit in April and plans to redesign its system using Chainlink. The protocol claims LayerZero approved the insecure setup that was breached, an allegation LayerZero disputes. The incident has also sparked a U.S. court battle over $71 million in frozen funds linked to the attack, which security firms have connected to North Korea’s Lazarus Group.
KelpDAO is publicly attributing a $292 million exploit to infrastructure from cross-chain protocol LayerZero and announced a migration to Chainlink. The protocol stated that independent reports from SEAL 911 and Chainalysis point to the same origin for the April attack, which drained about 116,500 rsETH tokens.
In a post, Kelp said LayerZero personnel approved the specific configuration tied to the hack. The setup, known as a 1-of-1 verifier, relies on a single entity to validate cross-chain transactions.
Kelp asserts the attack stemmed from a breach of LayerZero’s infrastructure where attackers compromised verifier network nodes. This allowed tampered data to force the approval of fraudulent transactions across the bridge.
LayerZero disputed this account in an April statement, calling the exploit isolated to Kelp’s rsETH application. The company said the incident resulted from Kelp’s use of a single-verifier setup against its recommended multi-verifier model.
Kelp countered that the 1-of-1 setup was not unique and followed LayerZero’s own documentation. The protocol cited data showing a large share of applications relied on similar configurations before the policy changed post-exploit.
The protocol is now moving its rsETH system to Chainlink’s cross-chain interoperability protocol. “We’re committed to working with the KelpDAO team on improving the cross-chain security of rsETH and supporting their migration to Chainlink CCIP,” Chainlink Chief Business Officer Johann Eid stated.
Approximately $71 million in crypto linked to the exploit was frozen on the Arbitrum network. This freeze has triggered a legal fight in a New York federal court that could influence DeFi recovery rules.
“There are questions that the ecosystem deserves answers to,” KelpDAO wrote. The protocol added it is ensuring rsETH is secured by infrastructure that does not leave these questions open.
