
Written by: Yangz, Techub News
In the never-sleeping Web3 world, April 18 was originally just an ordinary day. For the liquid restaking sector and the entire DeFi ecosystem, however, a "quake" worthy of being recorded in history quietly unfolded on-chain. In less than an hour, hackers (allegedly the Lazarus Group) used Kelp DAO's cross-chain bridge to mint 116,500 rsETH out of thin air, worth approximately 292 million dollars. Because rsETH is widely accepted as collateral, the hackers did not rush to dump it; instead they deposited these worthless "air certificates" into mainstream lending protocols such as Aave and borrowed approximately 236 million dollars in ETH against them, pushing top protocols like Aave straight into bad debt.
This is not the first time a cross-chain bridge has been attacked, but this time it tore open a long-standing wound in the Web3 industry: when there is a vacuum in the handover between the underlying infrastructure (protocol layer) and the superstructure (application layer), who should pay for the hundreds of millions of dollars in vanished assets?
Over the more than two weeks that followed, the crisis turned into a public contest over technology, responsibility, and power. From the initial mutual blame to the recent "proactive acceptance of responsibility" by LayerZero's CEO, the debate over where responsibility begins and ends has reached a provisional conclusion.

The Deadly "1/1 DVN"
To understand this debate, one must first dissect the attack method. Interestingly, the attack did not stem from a complicated smart-contract vulnerability; the root of the problem lies in a single configuration parameter: a 1-of-1 DVN.
A DVN, or Decentralized Verifier Network, is the component that verifies cross-chain messages in the LayerZero V2 architecture. A 1-of-1 configuration means that a cross-chain message is treated as valid and executed as soon as a single verifier signs it. Worse, control over this one "key" was not fully in Kelp's hands: the verifier depends on underlying RPC nodes for its view of the source chain. The attacker poisoned that RPC feed, using a DDoS attack as cover, thereby hijacking the lone verifier and feeding it false source-chain burn records. The verifier believed them and signed, and a large quantity of assets was created out of thin air on the destination chain.
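To make the configuration concrete, here is a simplified model of the required/optional DVN quorum that a LayerZero V2 receive-side configuration expresses, written as an added example for this article; it is not LayerZero's or Kelp DAO's code. The DVN names, the HMAC keys standing in for real signing keys, the endpoint id, the nonce and the burn records are all constructed, and a poisoned RPC feed is modelled by overwriting one DVN's view of the source chain. It shows why the same forged burn record is accepted under a 1-of-1 setting but rejected as soon as a second independent verifier must agree.

```python
# Simplified model of a DVN verification quorum in the style of LayerZero V2.
# Added example for illustration, not LayerZero or Kelp DAO code. DVN names,
# keys, endpoint id, nonce and source-chain records are all constructed here.
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def record_hash(src_eid: int, nonce: int, payload: bytes) -> bytes:
    """Digest of a cross-chain message as recorded on the source chain."""
    return hashlib.sha256(
        src_eid.to_bytes(4, "big") + nonce.to_bytes(8, "big") + payload
    ).digest()


@dataclass
class Dvn:
    """A verifier. `view` is what its RPC feed says happened on the source
    chain, keyed by (src_eid, nonce). An HMAC key stands in for a signing key."""
    name: str
    key: bytes
    view: dict = field(default_factory=dict)

    def attest(self, src_eid: int, nonce: int, claimed: bytes) -> Optional[bytes]:
        # A DVN only signs a record that its own source-chain view agrees with;
        # if that view has been poisoned, it signs the forgery in good faith.
        if self.view.get((src_eid, nonce)) != claimed:
            return None
        return hmac.new(self.key, claimed, "sha256").digest()


@dataclass
class UlnConfig:
    """Receive-side verification rule: every required DVN must attest, plus at
    least `optional_threshold` of the optional DVNs."""
    required: list
    optional: list = field(default_factory=list)
    optional_threshold: int = 0


def verify(cfg: UlnConfig, dvns: dict, claimed: bytes, attestations: dict) -> bool:
    """Destination-side check: does the set of attestations satisfy the quorum?"""
    def ok(name: str) -> bool:
        sig = attestations.get(name)
        expected = hmac.new(dvns[name].key, claimed, "sha256").digest()
        return sig is not None and hmac.compare_digest(sig, expected)

    if not all(ok(n) for n in cfg.required):
        return False
    return sum(ok(n) for n in cfg.optional) >= cfg.optional_threshold


SRC_EID, NONCE = 30101, 7                                   # constructed endpoint id and nonce
REAL = record_hash(SRC_EID, NONCE, b"burn 10 rsETH")        # what really happened on the source chain
FORGED = record_hash(SRC_EID, NONCE, b"burn 116500 rsETH")  # what the attacker wants the destination to mint


def make_dvns() -> dict:
    """Three independent verifiers, all initially seeing the real burn record."""
    return {n: Dvn(n, n.encode() * 8, {(SRC_EID, NONCE): REAL}) for n in ("A", "B", "C")}


def forged_message_accepted(cfg: UlnConfig, poisoned: set) -> bool:
    """Poison the RPC view of the named DVNs, collect attestations for the
    forged record, and report whether the destination quorum accepts it."""
    dvns = make_dvns()
    for n in poisoned:
        dvns[n].view[(SRC_EID, NONCE)] = FORGED
    atts = {n: d.attest(SRC_EID, NONCE, FORGED) for n, d in dvns.items()}
    return verify(cfg, dvns, FORGED, atts)


def real_message_accepted(cfg: UlnConfig) -> bool:
    """Sanity check: the genuine record passes with honest, unpoisoned DVNs."""
    dvns = make_dvns()
    atts = {n: d.attest(SRC_EID, NONCE, REAL) for n, d in dvns.items()}
    return verify(cfg, dvns, REAL, atts)


ONE_OF_ONE = UlnConfig(required=["A"])                                        # the 1-of-1 setting
TWO_REQUIRED = UlnConfig(required=["A", "B"])                                 # two verifiers must agree
ONE_PLUS_THRESHOLD = UlnConfig(required=["A"], optional=["B", "C"], optional_threshold=1)

if __name__ == "__main__":
    print("1-of-1, A poisoned:", forged_message_accepted(ONE_OF_ONE, {"A"}))                 # True
    print("A+B required, A poisoned:", forged_message_accepted(TWO_REQUIRED, {"A"}))         # False
    print("A + 1 of {B,C}, A poisoned:", forged_message_accepted(ONE_PLUS_THRESHOLD, {"A"}))  # False
    print("A + 1 of {B,C}, A and B poisoned:", forged_message_accepted(ONE_PLUS_THRESHOLD, {"A", "B"}))  # True
```

The point of the model is that a quorum only helps when the verifiers it counts have independent views of the source chain: poisoning one RPC feed is enough against a 1-of-1 rule, while a rule that needs a second, separately operated verifier forces the attacker to compromise both.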
So, the key question is: who should bear the blame for this "1/1 DVN" issue?
Blame-shifting: The Collision of Two Logics
In the initial period after the attack, public opinion favoured LayerZero. Social media was filled with scornful jibes at Kelp DAO: for a top protocol managing hundreds of millions of dollars, using a "paper lock" like a single 1-of-1 verifier was almost unforgivable.
However, when Kelp presented its "official guide" defence on April 21, public opinion reversed dramatically. Kelp's core argument came down to one statement: if the official documentation and default configuration are themselves dangerous, then responsibility lies with the party that wrote the documentation and set the defaults. This is not a user configuration error but a "guidance defect" in the product itself. Although LayerZero CEO Bryan Pellegrino repeatedly stressed in response that this was an application-layer choice, not a protocol-layer vulnerability, the focus of blame began to shift from Kelp's "incompetent execution" to LayerZero's "systemic arrogance": knowing that the default configuration carried risk, yet still presenting it as the standard example for quick onboarding.
The voices of third-party developers amplified the controversy further. Yearn core developer banteg found in a technical review that LayerZero V2's quick start guide used this dangerous single-source verification as the default setting on Ethereum, BNB Chain, Polygon, Arbitrum, and Optimism. The criticism from Chainlink community leader Zach Rynes was even more biting: he accused LayerZero of using users who followed its official guidance as "scapegoats" to cover up the fragility of its own infrastructure in the face of a top-tier attacker.
So who is right and who is wrong? In truth, neither side is entirely right or entirely wrong. At its core, this debate is a collision of two logics. One is the "geek ethic": tools are neutral, and users are responsible for their own choices. The other is the "secure-by-default principle": a product's factory settings should be at the highest level of safety. Users may choose to lower the bar for convenience, but the product should not lead them into danger.
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page involves infringement, please send proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will verify it.