Three weeks after North Korean hackers drained $292 million from Kelp DAO’s rsETH bridge, Kelp DAO and LayerZero are fighting publicly over who bears responsibility — and the paper trail is getting messy.
Published Monday, Kelp DAO’s document titled “Setting the Record Straight Around the LayerZero Bridge Hack” includes screenshots of internal Telegram exchanges that it says prove LayerZero personnel knew about and implicitly approved the vulnerable 1-of-1 verifier configuration that made the exploit possible.
On April 19, LayerZero issued its own postmortem, maintaining that Kelp made a security mistake by deviating from its recommended multi-DVN (Decentralized Verifier Network) model. Kelp says that framing is revisionist history.
## The Technical Setup That Got Exploited
Understanding this dispute requires knowing what a verifier configuration actually does.
DVNs — essentially independent validators — confirm a message sent on one blockchain has been legitimately signed before it’s processed on the destination chain. Multiple independent DVNs checking each message is what makes the security model work: a compromised actor can’t unilaterally forge cross-chain instructions if three or four validators have to agree.
Running a **1-of-1 verifier setup** means a single entity, in this case LayerZero Labs itself, was the sole validator. Compromise that single verifier and the entire bridge is open.
On April 18, 2026, that’s exactly what happened. North Korean state-linked attackers, reportedly tied to the Lazarus Group, gained control of the verifier key and minted 116,500 unbacked rsETH tokens — draining the bridge before Kelp’s team could respond.
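The verifier model described in this section can be checked mechanically. The following is an added example, not code from Kelp DAO or LayerZero: a simplified k-of-n quorum check plus an audit that counts how few distinct operators would have to lose their keys before a message passes. All class, field and verifier names are hypothetical, and the sample configurations are constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    """Simplified k-of-n verifier model (hypothetical names, not LayerZero's API)."""
    name: str
    verifiers: dict   # verifier id -> operator holding that verifier's signing key
    threshold: int    # attestations required before the destination chain acts

def accepts(cfg, attesting):
    """True when enough *configured* verifiers attested to a message."""
    valid = set(attesting) & set(cfg.verifiers)  # unknown signers do not count
    return cfg.threshold >= 1 and len(valid) >= cfg.threshold

def operators_to_compromise(cfg):
    """Fewest distinct operators whose keys together satisfy the threshold."""
    covered = 0
    ranked = Counter(cfg.verifiers.values()).most_common()  # largest key holders first
    for n_operators, (_, key_count) in enumerate(ranked, start=1):
        covered += key_count
        if covered >= cfg.threshold:
            return n_operators
    return None  # threshold exceeds verifier count: no message can ever pass

def audit(configs):
    """Return (name, finding) for every configuration that needs attention."""
    findings = []
    for cfg in configs:
        cost = operators_to_compromise(cfg)
        if cfg.threshold < 1:
            findings.append((cfg.name, "no verification required"))
        elif cost is None:
            findings.append((cfg.name, "threshold can never be met"))
        elif cost == 1:
            findings.append((cfg.name, "one operator's keys are enough"))
    return findings

# Constructed sample configurations, not taken from any real deployment.
SAMPLES = [
    VerifierConfig("one-of-one", {"dvn-a": "op-a"}, 1),
    VerifierConfig("two-of-three", {"dvn-a": "op-a", "dvn-b": "op-b", "dvn-c": "op-c"}, 2),
    VerifierConfig("two-of-three-shared", {"dvn-a": "op-a", "dvn-a2": "op-a", "dvn-b": "op-b"}, 2),
    VerifierConfig("three-of-two", {"dvn-a": "op-a", "dvn-b": "op-b"}, 3),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLES):
        print(f"{name}: {finding}")
```

The third sample shows why independence matters as much as the count: a 2-of-3 quorum in which one operator holds two of the keys is flagged the same way as 1-of-1.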
## What the Screenshots Show
At the center of Kelp’s case is a screenshot of a LayerZero team member writing: “No problem on using defaults either — just tagging [redacted] here since he mentioned you may have wanted to use a custom DVN setup for verifying messages, but will leave that to your team!”
“Defaults,” Kelp argues, referred to the 1-of-1 LayerZero Labs DVN configuration — the exact setup LayerZero later blamed for enabling the hack.
Further damaging for LayerZero: its own Immunefi bug bounty scope explicitly **excludes** rewards for “impacts to OApps themselves as a result of their own misconfiguration” — including verifier network choices. Kelp cites eight integration discussions over 2.5 years, plus LayerZero’s OFT Quickstart guide and developer examples, as proof that LayerZero routinely guided builders toward this configuration while treating it as an application-level choice rather than a critical security decision.
CoinDesk, which first reported the story, said it couldn’t independently authenticate the screenshots. LayerZero hasn’t yet issued a formal response to Kelp’s memo.
## Recovery Efforts and What Kelp Did Next
Standard Chartered analysts observed that an AAVE-led rescue operation helped stabilize rsETH pricing after the exploit briefly rattled DeFi lending markets. JPMorgan took a harder line, flagging the hack in a research note as a drag on DeFi’s institutional appeal.
Funds from the hack have not been recovered. North Korea’s Lazarus Group has now stolen an estimated $3 billion-plus from crypto projects over several years, making it by far the most prolific single threat actor in the sector.
Kelp has since migrated its rsETH cross-chain infrastructure away from LayerZero entirely, switching to **Chainlink CCIP** (Cross-Chain Interoperability Protocol), citing more conservative multi-party verification defaults. Nearly half of LayerZero contracts surveyed after the incident were found to have used just one validator — a finding that suggests the configuration problem may have been far more widespread than Kelp’s case alone.
## Why This Matters Beyond One Exploit
Bridge hacks aren’t new. Collectively, they’ve drained billions from cross-chain infrastructure over the past three years — Ronin, Wormhole, Nomad, and now Kelp. Security is complex when coordinating across multiple chain environments, and misconfiguration risks are catastrophic rather than merely inconvenient.
What makes the Kelp-LayerZero dispute different is the explicit accountability question it forces onto infrastructure providers. When default configurations ship insecurely and developers follow standard guidance, who bears the legal and financial duty to warn? Protocols building on LayerZero, Axelar, Wormhole, or any other bridge infrastructure are watching this case to understand what it means for their own exposure.
## FAQ
**How much was stolen in the Kelp DAO hack?**
About $292 million in rsETH (re-staked ETH) was drained from Kelp’s cross-chain bridge on April 18, 2026.
**Who was behind the Kelp DAO exploit?**
Investigators have linked the attack to North Korea’s Lazarus Group, which has stolen billions from crypto protocols in recent years.
**What did Kelp DAO do after the hack?**
Kelp migrated its rsETH cross-chain operations from LayerZero to Chainlink CCIP and published a memo alleging LayerZero personnel knew about and approved the vulnerable single-verifier setup that was exploited.
*Sources: CoinDesk, Travers Smith, Standard Chartered DeFi report, Kelp DAO memo “Setting the Record Straight” (May 5, 2026), LayerZero April 19 postmortem*