LayerZero Says It ‘Made a Mistake’ in $292 Million Kelp Exploit

LayerZero has publicly admitted it “made a mistake” in the security setup tied to the $292 million Kelp DAO exploit, marking a sharp reversal after weeks of blaming the incident on Kelp’s bridge configuration.

The statement, published late Friday U.S. time, comes after mounting criticism from developers and security researchers following the April 18 attack that drained roughly 116,500 rsETH from KelpDAO’s LayerZero-powered bridge. The exploit quickly became one of the largest cross-chain security incidents of 2026 and triggered broader concerns across the DeFi lending market.

Key Takeaways

  • LayerZero Admits Security Mistake After $292M KelpDAO Exploit
  • Attackers Exploited Weak 1-of-1 Verification Setup
  • North Korea-Linked Lazarus Group Suspected in Bridge Attack
  • LayerZero Tightens Validator Rules Following Security Fallout
  • Chainlink Gains Momentum as Protocols Move Away From LayerZero

Cross-Chain Bridge Security Faces Renewed Scrutiny After KelpDAO Hack 

In its latest blog post, LayerZero acknowledged that it allowed its decentralized verifier network (DVN) to operate in a risky “1-of-1” setup for high-value transactions.

“We made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions,” LayerZero said. “We didn’t police what our DVN was securing, which created a risk we simply didn’t see. We own that.”

The admission represents a significant change in tone. Immediately after the exploit, LayerZero argued the attack stemmed from KelpDAO’s decision to rely on a single DVN verifier instead of using multiple independent verification pathways.

KelpDAO strongly disputed that claim, saying LayerZero personnel had reviewed and approved the setup during multiple integration discussions spanning more than two years.

How the Attack Happened

According to investigations from Chainalysis and multiple security researchers, the exploit was not caused by a flaw in smart contracts themselves. Instead, attackers reportedly targeted off-chain infrastructure connected to LayerZero’s verification system.

The attackers allegedly compromised internal RPC nodes tied to the LayerZero Labs DVN while simultaneously launching distributed denial-of-service attacks against external providers. That allowed malicious transaction data to be validated and approved despite no legitimate token burn occurring on the source chain.

LayerZero said preliminary evidence points to North Korea-linked Lazarus Group actors, a hacking organization previously connected to several major crypto thefts. The attackers used the stolen rsETH as collateral on Aave v3, borrowing large amounts of wrapped Ether and creating severe liquidity stress across the lending ecosystem. Galaxy Research estimated the exploiter borrowed roughly $236 million in WETH and wstETH against the stolen assets. The fallout forced Aave to freeze rsETH, wrsETH, and WETH markets across several deployments to limit additional damage.

KelpDAO later confirmed it paused contracts quickly enough to prevent another attempted theft worth approximately $95 million.

The Arbitrum Security Council also intervened by freezing more than 30,000 ETH linked to downstream movement of the stolen funds.

LayerZero Tightens Security Rules

LayerZero now says its infrastructure will no longer support 1-of-1 DVN configurations under any circumstance.

The company added that all default pathways are being upgraded to stricter verification models, including “5-of-5” configurations where possible and no lower than “3-of-3” on networks with fewer available validators.

The protocol maintained that its core messaging infrastructure was not directly compromised, arguing the exploit stemmed from weaknesses tied to the surrounding validation environment rather than the LayerZero protocol itself. Still, the company admitted its oversight created a dangerous single point of failure.
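To make the single-point-of-failure argument concrete, here is an added illustration (not LayerZero's or KelpDAO's code) that audits a pathway against the 3-of-3 floor and models an N-of-N acceptance check that fails closed when a verifier cannot read the source chain. The `Dvn` and `Pathway` types, the field names, the operator-independence check and all sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass

MIN_REQUIRED_DVNS = 3  # floor quoted in the article: "no lower than 3-of-3"

@dataclass(frozen=True)
class Dvn:
    name: str       # hypothetical verifier label
    operator: str   # hypothetical: organisation that runs it

@dataclass(frozen=True)
class Pathway:
    name: str
    required: tuple  # every DVN listed must attest (N-of-N)

def audit_pathway(p):
    """Return policy findings for one pathway; an empty list means compliant."""
    findings = []
    n = len(p.required)
    if n == 1:
        findings.append("1-of-1 DVN: single point of failure")
    if n < MIN_REQUIRED_DVNS:
        findings.append(f"{n} required DVN(s), policy floor is {MIN_REQUIRED_DVNS}")
    if len({d.operator for d in p.required}) < n:
        findings.append("required DVNs are not operated independently")
    return findings

def accepts(p, payload_hash, attestations):
    """N-of-N check. attestations maps DVN name -> hash it signed, or None
    when the DVN could not read the source chain (treated as no attestation)."""
    if not p.required:
        return False
    return all(attestations.get(d.name) == payload_hash for d in p.required)

# Constructed sample data, not taken from the incident.
FORGED = "0xforged"  # stands for a message with no matching burn on the source chain
single = Pathway("example-1of1", (Dvn("dvn-a", "op-a"),))
triple = Pathway("example-3of3", (Dvn("dvn-a", "op-a"), Dvn("dvn-b", "op-b"),
                                  Dvn("dvn-c", "op-c")))
shared = Pathway("example-shared", (Dvn("dvn-a", "op-a"), Dvn("dvn-a2", "op-a"),
                                    Dvn("dvn-c", "op-c")))

# dvn-a reads from a compromised source and attests to the forged message;
# dvn-b saw no such message and never attested; dvn-c's source was unreachable.
observed = {"dvn-a": FORGED, "dvn-c": None}

if __name__ == "__main__":
    for p in (single, triple, shared):
        print(p.name, audit_pathway(p) or "ok",
              "| accepts forged:", accepts(p, FORGED, observed))
```

With the same observations, the 1-of-1 pathway accepts the forged message while the 3-of-3 pathway rejects it, because one misled verifier is no longer sufficient.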

LayerZero also disclosed an unrelated internal security lapse involving one of its multisig signers. According to the company, a signer accidentally used a multisig hardware wallet for a personal trade several years ago instead of a private device. The signer was removed, wallets were rotated, and LayerZero said it has since implemented stricter operational safeguards, including localized anomaly detection systems and a custom-built multisig framework called “OneSig.”

Chainlink Gains From Fallout

The exploit has already reshaped parts of the cross-chain infrastructure market. KelpDAO confirmed it is migrating rsETH transfers away from LayerZero’s OFT standard to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) as part of a broader security overhaul.

The shift highlights growing competition among interoperability providers as protocols reassess bridge security following a series of major exploits across the sector.

Solv Protocol also announced plans this week to migrate more than $700 million in tokenized Bitcoin infrastructure away from LayerZero after conducting an internal security review.

The incident has reignited debate over accountability in DeFi infrastructure. While protocols often control their own security configurations, critics argue infrastructure providers still bear responsibility when risky defaults or operational weaknesses remain unchecked.
