Kelp DAO vs LayerZero: The $292 Million Blame War Driving DeFi to Chainlink

The $292 million Kelp DAO bridge exploit that rocked decentralized finance in April is now the subject of a public blame war — and the fallout is reshaping how DeFi protocols think about cross-chain infrastructure.

At the center of the dispute is a deceptively simple question: who approved the 1-of-1 DVN (Decentralized Verifier Network) setup that made Kelp’s rsETH bridge vulnerable? Kelp DAO says LayerZero personnel signed off on it. LayerZero says Kelp made that call on its own, against LayerZero’s recommended security model.

Both sides have documents to support their position. Neither side has budged.

The Setup That Failed

The rsETH bridge ran on LayerZero’s OFT (Omnichain Fungible Token) standard. In a secure deployment, OFT bridges use multiple verifiers — a multi-DVN model — so that no single point of failure can approve fraudulent cross-chain messages. Kelp’s implementation used only a single verifier: LayerZero Labs itself.

When North Korea’s Lazarus Group exploited the bridge on April 18, they targeted that single-point architecture. By compromising the lone verifier, attackers were able to approve the movement of unbacked rsETH tokens across 20 different chains, draining approximately $292 million in the process.

Kelp’s Case: LayerZero Knew and Said Nothing

Kelp DAO released a detailed memo titled “Setting the Record Straight Around the LayerZero Bridge Hack” that includes screenshots of Telegram conversations with LayerZero personnel stretching back 2.5 years.

The screenshots — which CoinDesk could not independently authenticate — show LayerZero team members engaging with Kelp’s configuration choices without flagging the 1-of-1 setup as dangerous.

One message shows a LayerZero team member writing: “No problem on using defaults either — just tagging [redacted] here since he mentioned you may have wanted to use a custom DVN setup for verifying messages, but will leave that to your team!”

Kelp argues that LayerZero’s “defaults” referenced in those conversations were precisely the 1-of-1 configuration later cited by LayerZero as the root cause of the exploit.

Kelp also points to LayerZero’s own developer documentation — including OFT Quickstart guides and bug bounty scope language — as evidence that LayerZero treated verifier choices as an application-level decision while modeling single-DVN setups in its examples.

LayerZero’s Defense

LayerZero’s April 19 postmortem was blunt: Kelp’s rsETH relied on LayerZero Labs as its sole verifier, and that setup “directly contradicts” LayerZero’s recommended multi-DVN model.

LayerZero’s published bug bounty scope explicitly excludes from rewards “impacts to OApps themselves as a result of their own misconfiguration,” naming verifier networks and executors as examples of developer-controlled settings.

The company has not publicly responded to Kelp’s specific claims about the Telegram conversations.

The Industry Response: Migrate to Chainlink

Whatever the ultimate legal and reputational verdict, DeFi protocols are not waiting around for the dispute to resolve. Kelp DAO has already migrated its rsETH bridge off LayerZero’s OFT standard to Chainlink’s CCIP (Cross-Chain Interoperability Protocol).

Solv Protocol and other DeFi projects followed, citing the exploit as evidence that third-party bridge and oracle setups with single points of failure represent unacceptable risk.

The migration signals a broader shift: DeFi’s cross-chain infrastructure moment is happening in real time, with Chainlink emerging as the default alternative for protocols prioritizing security over speed-to-market.

Lessons for Cross-Chain Security

The $292 million loss generated serious analysis from security researchers. The core lesson is not subtle: multi-DVN setups are not optional for bridges handling significant value. The convenience of defaulting to a single verifier — especially if that verifier is also the infrastructure provider — creates a catastrophic conflict of interest.

The exploit also reinforced the need for independent security audits that specifically test verifier configurations, not just smart contract logic. Traditional audits often focus on code correctness; the Kelp hack was an architectural failure, not a bug.

For the DeFi sector, the message is clear: every bridge has a trust model, and that trust model needs to be interrogated with the same rigor as the code itself.
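An added example of the kind of verifier-configuration check the passage calls for; this is not code from Kelp DAO, LayerZero or any auditor. The config shape is an assumption loosely modelled on a required-DVN / optional-DVN-with-threshold layout, and every operator name other than "LayerZero Labs" is constructed.

```python
"""Audit an OFT-style verifier (DVN) configuration for single points of failure.

Added example, not code from Kelp DAO or LayerZero. The config shape is an
assumption (required DVNs that must all sign, plus optional DVNs of which a
threshold must sign); operators other than "LayerZero Labs" are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class DvnConfig:
    messaging_provider: str                 # who operates the messaging layer
    required_dvns: dict                     # dvn name -> operator; all must sign
    optional_dvns: dict = field(default_factory=dict)  # dvn name -> operator
    optional_threshold: int = 0             # optional DVNs that must also sign


def min_signers(cfg: DvnConfig) -> int:
    """Fewest verifiers whose compromise suffices to approve a message."""
    return len(cfg.required_dvns) + cfg.optional_threshold


def audit_dvn_config(cfg: DvnConfig) -> list:
    """Return findings; an empty list means no structural weakness was found."""
    findings = []
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("INVALID: optional threshold exceeds configured optional DVNs")
    if min_signers(cfg) < 2:
        findings.append("CRITICAL: 1-of-1 verification; one compromised DVN can approve unbacked mints")
    operators = set(cfg.required_dvns.values()) | set(cfg.optional_dvns.values())
    if len(operators) < 2:
        findings.append("HIGH: all verifiers share one operator; no independent check exists")
    if set(cfg.required_dvns.values()) == {cfg.messaging_provider}:
        findings.append("HIGH: sole required verifier is the messaging provider (conflict of interest)")
    return findings


# Constructed configs: the single-verifier layout described in the article,
# and a multi-DVN layout with independent operators (operator names B-D are made up).
SINGLE = DvnConfig("LayerZero Labs", {"lz-dvn": "LayerZero Labs"})
HARDENED = DvnConfig(
    "LayerZero Labs",
    {"lz-dvn": "LayerZero Labs", "dvn-b": "Operator B (constructed)"},
    {"dvn-c": "Operator C (constructed)", "dvn-d": "Operator D (constructed)"},
    optional_threshold=1,
)

if __name__ == "__main__":
    for name, cfg in (("single", SINGLE), ("hardened", HARDENED)):
        print(name, min_signers(cfg), audit_dvn_config(cfg) or ["OK"])
```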

FAQ

Q: What caused the Kelp DAO $292 million exploit?

A: The bridge used a 1-of-1 DVN setup on LayerZero — a single verifier controlled by LayerZero Labs. North Korea’s Lazarus Group exploited this single point of failure to approve fraudulent cross-chain transactions.

Q: Who is responsible — Kelp DAO or LayerZero?

A: Both parties are disputing responsibility. Kelp claims LayerZero personnel approved the insecure setup over 2.5 years of discussions. LayerZero says Kelp chose the setup against their recommendations. No legal resolution has been reached.

Q: What is Chainlink CCIP, and why are protocols migrating to it?

A: Chainlink’s Cross-Chain Interoperability Protocol (CCIP) provides a multi-verifier cross-chain messaging infrastructure that eliminates single points of failure. Post-exploit, multiple DeFi protocols have migrated to CCIP as a more secure alternative to LayerZero’s OFT standard.

cg_editor, Crypto Reporter

cg_editor covers cryptocurrency markets, blockchain technology, and decentralized finance for CryptoGazette.
