KelpDAO is blaming LayerZero for a $292 million exploit and plans to relaunch with a redesigned cross-chain system on Chainlink, the group announced on X on Tuesday.

“From the April 18 incident, it is clear that LayerZero's own infrastructure was exploited, resulting in $300M in losses across DeFi,” Kelp DAO wrote on X. “Independent reports from SEAL 911, Chainalysis, and other major leading security researchers all point to the same origin.”

In April, an attack drained about 116,500 rsETH—an Ethereum-based staking token—from a cross-chain bridge used by Kelp, a protocol that lets users stake Ethereum and move tokens between blockchains. The exploit has been linked to North Korea’s Lazarus Group.

In a separate post on X, Kelp said LayerZero personnel approved the configuration tied to the exploit and did not warn that it posed a security risk. The setup, known as a 1-of-1 verifier, relies on a single entity to validate cross-chain transactions.

Kelp said the attack stemmed from a breach of LayerZero’s infrastructure, where attackers compromised the verifier network’s RPC nodes and forced the system to rely on tampered data, allowing fake transactions to be approved.



“After the exploit, LayerZero announced it would no longer sign or attest messages for any application using a 1-1 DVN configuration,” Kelp wrote. “That policy shift, made after hundreds of millions of dollars were exploited, confirms that this was a widely used LayerZero configuration that LayerZero Labs only changed after it failed.”

In an April statement, LayerZero disputed that account, saying the exploit was isolated to Kelp’s rsETH application and resulted from its use of a single-verifier setup that went against the company’s recommended multi-verifier model.

“That framing does not match the facts,” Kelp DAO wrote. “It is a matter of public domain that this 1-1 setup was not unique to Kelp.”

According to Kelp, it followed LayerZero’s documentation and default configurations. The company also said the setup was widely used across the ecosystem, pointing to data showing a large share of applications relied on similar configurations.

Kelp said it is moving its rsETH system to Chainlink’s cross-chain interoperability protocol, where transactions must be approved by multiple independent validators instead of a single verifier.

"We're committed to working with the KelpDAO team on improving the cross-chain security of rsETH and supporting their migration to Chainlink CCIP," Chainlink Chief Business Officer Johann Eid told Decrypt. "We have long believed that in order for DeFi to reach its full potential of bringing trillions onchain, the ecosystem needs to be underpinned by highly secure infrastructure."

The impact of the exploit of Kelp has extended beyond the technical dispute. About $71 million in crypto linked to the exploit was frozen on the Arbitrum network, triggering a legal fight in a New York federal court.

“There are questions that the ecosystem deserves answers to,” Kelp DAO wrote. “And we are ensuring rsETH is secured by infrastructure that doesn't leave these questions open.”

LayerZero did not immediately respond to a request for comment by Decrypt.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。