BIP Messenger

LayerZero says it ‘made a mistake’ in $292 Million Kelp exploit

May 16, 2026  Twila Rosenbaum

In a dramatic reversal, cross-chain messaging protocol LayerZero has acknowledged that it 'made a mistake' in the $292 million exploit that drained funds from Kelp DAO, a liquid restaking protocol. The company, which initially framed the incident as a developer configuration failure on Kelp's part, now says it owns the decision to let its own decentralized verifier network (DVN) secure high-value transfers in a vulnerable setup.

The admission comes after weeks of tension within the crypto community, as LayerZero's initial response drew criticism for deflecting responsibility. The exploit, which took place on May 9, 2023, was the largest the decentralized finance (DeFi) sector had seen that year. North Korean-linked attackers, believed to be affiliated with the Lazarus Group, identified a critical weakness in the bridge's security architecture. By targeting the internal RPC infrastructure used by LayerZero's DVN, they were able to manipulate transaction verification and siphon $292 million worth of assets.

Background: LayerZero's Cross-Chain Architecture

LayerZero is a blockchain interoperability protocol that enables cross-chain communication through a combination of oracles and relayers. It was created to allow decentralized applications (dApps) to send messages and transfer assets across different blockchains without relying on a single trusted intermediary. The protocol uses a system of decentralized verifiers that validate transactions before they are finalized. However, the security of the system depends on how these verifiers are configured and which assets they are allowed to secure.

The Kelp DAO exploit targeted the rsETH bridge, a key component of Kelp's liquid restaking token ecosystem. rsETH is a liquid staking derivative tied to EigenLayer's restaking mechanism. At the time of the attack, LayerZero's verifier network was configured to approve transfers of high-value assets without additional safeguards—a decision LayerZero now admits was a mistake. 'We allowed our own verifier to secure these assets in a setup that was not resilient to the specific attack vector used,' LayerZero CEO Bryan Pellegrino stated in a public post.

Initial Blame and Reversal

In the days following the exploit, LayerZero issued statements indicating that Kelp DAO had failed to properly configure its own security settings. The protocol emphasized that its core infrastructure had not been breached—a point it continues to maintain. Pellegrino initially said, 'LayerZero's protocol was not compromised. The exploit targeted the internal RPC infrastructure used by the DVN, and that infrastructure is the responsibility of the developer.'

However, further investigation revealed that LayerZero had specifically approved the configuration that allowed its verifier to operate without additional cross-checks for high-value transfers. Smart contract audits and post-mortem reports showed that the vulnerability was known internally but had not been mitigated. The company's board and key stakeholders pushed for a more transparent disclosure, leading to the public admission.

'We made a mistake in the governance of our verifier network,' Pellegrino said. 'We should have required a higher threshold of verification for such large transfers. We own that decision.'

Fallout: Exodus to Chainlink

The immediate consequence of the exploit and LayerZero's shifting narrative has been a mass exodus of major clients to competing infrastructure providers, particularly Chainlink. Kelp DAO announced it would migrate its rsETH bridge to Chainlink's Cross-Chain Interoperability Protocol (CCIP) within weeks of the incident. Solv Protocol, a tokenized bitcoin infrastructure provider, moved more than $700 million in assets away from LayerZero to Chainlink's secure bridge.

According to on-chain data, over $4 billion in total value locked (TVL) has been shifted from LayerZero to Chainlink-based bridges since the exploit was disclosed. 'Trust is the most fragile asset in crypto,' said a spokesperson for Solv Protocol. 'When a protocol that secures hundreds of millions of dollars cannot provide a clear account of its own security lapses, the only rational response is to move to a provider with a proven track record.'

Lombard, another high-profile client that had been using LayerZero to bridge its liquid staking tokens, also announced departure, calling the incident a 'wake-up call' for the entire cross-chain ecosystem. The migration trend highlights the intense competition among interoperability protocols, where security failures can rapidly erode market share.

Industry Reactions and Broader Implications

The crypto community has been divided in its reaction. Some analysts argue that LayerZero's admission is a sign of maturity—a protocol willing to accept responsibility and learn from its mistakes. Others see it as a desperate attempt to stem the bleeding after weeks of stonewalling. The incident has also drawn attention to the broader issue of verifying decentralized infrastructure.

Security experts note that cross-chain bridges remain the most targeted attack surface in DeFi. According to a report by Chainalysis, over $3.5 billion was lost to bridge exploits in 2022 alone. The Kelp attack adds to a long list of high-profile hacks, including the $625 million Ronin bridge exploit and the $320 million Wormhole hack. While LayerZero's technology is considered innovative, the incident proves that even decentralized verification networks are susceptible to social engineering and infrastructure attacks.

Regulatory scrutiny is also likely to increase. The involvement of North Korean hackers—who have been linked to multiple crypto heists used to fund weapons programs—may prompt lawmakers to call for stricter know-your-customer (KYC) and anti-money laundering (AML) procedures for cross-chain protocols.

Technical Details of the Exploit

The attack unfolded through a multi-step process. First, the hackers compromised the RPC endpoints used by LayerZero's decentralized verifier nodes. RPC (Remote Procedure Call) endpoints are the communication channels through which nodes interact with blockchains. By gaining access to these endpoints, the attackers were able to inject false verification confirmations.

Normally, a DVN requires multiple independent verifiers to confirm a transaction. But because LayerZero had configured its own verifier node as the sole authority for high-value Kelp transactions, a single compromised node was enough to approve the fake transfer. The attackers then initiated a cross-chain message that moved $292 million in rsETH from the Ethereum blockchain to a wallet they controlled on another chain. The transaction was irreversible.

LayerZero's post-mortem revealed that the configuration was set months before the exploit, during a period when the team was prioritizing speed over security for certain bridges. 'We were caught in a trap of our own making,' one developer said. 'We built redundancy mechanisms, but we didn't enforce them because we trusted our own node implicitly.'

The Human Factor: Internal Decision-Making

In the weeks that followed, internal sources told reporters that the decision to allow LayerZero's own verifier to secure high-value assets was not made by the engineering team alone. Business development executives had pushed for a streamlined integration process to attract large DeFi clients like Kelp DAO. The speed-to-market tradeoff led to shortcuts in security configurations.

'Everyone signed off on it,' a former employee stated. 'The business side wanted to close deals quickly, and the tech side assumed the verifier would never be compromised. It was a classic failure of internal governance.'

LayerZero has since implemented a new policy requiring at least two independent verifier signatures for transactions exceeding $10 million. It has also open-sourced its verifier infrastructure to allow third-party audits. But for many, the damage to its reputation may be irreversible.
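The single-verifier failure described under Technical Details and the two-signature policy above can be modelled as a release check. This is an added example, not LayerZero's code: only the $10 million threshold and the two-verifier minimum come from the article, while the class, function and field names are hypothetical and "independent" is assumed to mean "run by different operators".

```python
from collections import defaultdict
from dataclasses import dataclass

HIGH_VALUE_USD = 10_000_000  # threshold stated in the article
HIGH_VALUE_QUORUM = 2        # "at least two independent verifier signatures"


@dataclass(frozen=True)
class Attestation:           # hypothetical record, one per verifier node
    verifier_id: str         # node identifier
    operator: str            # entity running the node and its RPC endpoints
    payload_hash: str        # hash of the message the node claims it observed


def required_quorum(value_usd: int) -> int:
    """Independent operators that must agree before a transfer is released."""
    return HIGH_VALUE_QUORUM if value_usd > HIGH_VALUE_USD else 1


def decide(value_usd: int, attestations: list[Attestation]) -> tuple[bool, str]:
    """Return (approved, reason) for one pending cross-chain message."""
    # Count each operator once per payload hash: two nodes run by the same
    # operator share RPC infrastructure and are compromised together.
    operators_by_hash: dict[str, set[str]] = defaultdict(set)
    for att in attestations:
        operators_by_hash[att.payload_hash].add(att.operator)
    if not operators_by_hash:
        return False, "no attestations"
    if len(operators_by_hash) > 1:
        # Verifiers disagree about what was sent: hold instead of majority vote.
        return False, "conflicting payload hashes"
    (operators,) = operators_by_hash.values()
    need = required_quorum(value_usd)
    if len(operators) < need:
        return False, f"{len(operators)} of {need} independent operators"
    return True, f"quorum met ({len(operators)} of {need})"


# Constructed sample data (not taken from the incident).
SOLE = [Attestation("dvn-a1", "operator-a", "0xabc")]
SAME_OPERATOR = SOLE + [Attestation("dvn-a2", "operator-a", "0xabc")]
TWO_OPERATORS = SOLE + [Attestation("dvn-b1", "operator-b", "0xabc")]
CONFLICT = SOLE + [Attestation("dvn-b1", "operator-b", "0xdef")]

if __name__ == "__main__":
    for name, atts in [("sole", SOLE), ("same operator", SAME_OPERATOR),
                       ("two operators", TWO_OPERATORS), ("conflict", CONFLICT)]:
        print(name, decide(292_000_000, atts))
```

Under this check a sole verifier, or two nodes behind one operator, cannot release a $292 million transfer, and a disagreement between operators holds the message for review.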

Looking Ahead

The Kelp exploit has reshaped the competitive landscape for cross-chain protocols. Chainlink has gained the most from the exodus, but other players like Axelar, Wormhole, and Celer are also seeing increased interest. LayerZero, which was once valued at over $3 billion, is now fighting to retain its user base.

Analysts predict that the incident will accelerate the adoption of fraud-proof mechanisms and zk-proof verifiers in cross-chain messaging. Some protocols are exploring hybrid models that combine oracles, staking, and optimistic verification to reduce reliance on single points of failure.

For LayerZero, the road to recovery is uncertain. The company has pledged to refund affected users through its insurance fund, but the process is complex and may take months. Meanwhile, the crypto community is watching closely to see whether other protocols will follow LayerZero's lead in admitting fault—or whether they will continue to deflect blame.


Source: Coindesk News

