KelpDAO has released a rebuttal called “Setting the Record Straight Around the LayerZero Bridge Hack.” The team claims that LayerZero is “blaming users for an issue that was caused by their own infrastructure failure.” The protocol posted screenshots of a Telegram conversation between a Kelp employee and an alleged LayerZero employee, who confirmed Kelp’s 1-of-1 configuration and assured the team that its Decentralized Verifier Network (DVN) was run with “full monitoring and alerting.”

The exploit came from the Lazarus Group in North Korea (though this is not fully confirmed), which compromised Remote Procedure Call (RPC) nodes operated by LayerZero Labs, then forged cross-chain messages that Kelp’s single-verifier DVN accepted as legitimate. Two additional forged transactions totaling over USD 100 million were signed and processed before Kelp paused its contracts.
Why blame LayerZero?
The Kelp team argues that 1-of-1 was not Kelp’s unique mistake but the industry standard that LayerZero itself shipped. As evidence, Kelp cites published Dune statistics showing that, at the time of the exploit, 47 percent of roughly 2,665 active LayerZero Omnichain Applications (OApps) were running a 1-of-1 DVN configuration, with more than USD 4.5 billion in associated market value exposed to the same class of risk. The LayerZero Omnichain Fungible Token (OFT) Quickstart and the official OFT example configuration on GitHub both show LayerZero Labs as the required DVN, with no optional DVN configured.
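As an added illustration (not code from Kelp or LayerZero), the check below computes how many distinct verifiers must agree under a given DVN configuration and flags the 1-of-1 case described above. It assumes a model in which every required DVN plus a threshold of optional DVNs must attest; the field names and addresses are constructed for the example.

```typescript
// Added example. Field names model a required/optional DVN config and are
// assumptions; every address below is a constructed placeholder.
interface UlnConfig {
  requiredDVNs: string[];
  optionalDVNs: string[];
  optionalDVNThreshold: number;
}

interface Audit {
  quorum: number;      // distinct verifiers that must agree on a message
  findings: string[];
}

// Case-insensitive de-duplication: the same DVN listed twice adds no security.
function distinct(addrs: string[]): string[] {
  const lower = addrs.map((a: string) => a.toLowerCase());
  return lower.filter((a: string, i: number) => lower.indexOf(a) === i);
}

function auditUln(cfg: UlnConfig): Audit {
  const findings: string[] = [];
  const required = distinct(cfg.requiredDVNs);
  const optional = distinct(cfg.optionalDVNs).filter(
    (a: string) => required.indexOf(a) === -1);
  if (required.length < cfg.requiredDVNs.length) findings.push("duplicate required DVN");
  if (optional.length < cfg.optionalDVNs.length) findings.push("optional DVN duplicated or already required");
  if (cfg.optionalDVNThreshold > optional.length) findings.push("optional threshold cannot be met");
  if (cfg.optionalDVNThreshold === 0 && optional.length > 0) findings.push("optional DVNs listed but threshold is 0");
  const quorum = required.length + Math.min(cfg.optionalDVNThreshold, optional.length);
  if (quorum <= 1) findings.push("single verifier: one compromised DVN decides");
  return { quorum, findings };
}

// Share of audited pathways where a single verifier decides.
function singleVerifierShare(cfgs: UlnConfig[]): number {
  const n = cfgs.filter((c: UlnConfig) => auditUln(c).quorum <= 1).length;
  return cfgs.length === 0 ? 0 : n / cfgs.length;
}

// Constructed samples: a 1-of-1 setup, a setup that only looks larger, a multi-DVN setup.
const oneOfOne: UlnConfig = { requiredDVNs: ["0xAAA1"], optionalDVNs: [], optionalDVNThreshold: 0 };
const padded: UlnConfig = { requiredDVNs: ["0xAAA1", "0xaaa1"], optionalDVNs: ["0xBBB2"], optionalDVNThreshold: 0 };
const hardened: UlnConfig = { requiredDVNs: ["0xAAA1", "0xCCC3"], optionalDVNs: ["0xBBB2", "0xDDD4", "0xEEE5"], optionalDVNThreshold: 2 };
```

The `padded` sample shows why counting list entries is not enough: two required entries and one optional entry still reduce to a single deciding verifier.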
What is Chainlink CCIP?
Chainlink’s Cross-Chain Interoperability Protocol (CCIP) takes a fundamentally different security approach. For example, instead of allowing application-level configuration of verifiers, CCIP uses a multi-layer security model where each bridge connection is secured by a minimum of 16 independent node operators. A separate Risk Management Network will help prevent cross-chain attacks by acting as an additional layer of protection or “circuit breaker.” Chainlink’s infrastructure has supported over USD 30 trillion in onchain transaction value to date.
Key differences between LayerZero and Chainlink infrastructures
| Feature | LayerZero (Kelp’s setup) | Chainlink CCIP |
|---|---|---|
| Verification model | Single DVN (1-of-1 configuration) | 16+ independent node operators |
| Security layers | Two (oracle + relayer) | Three (DON + Risk Management + smart contracts) |
| Default configuration | 1-of-1 via Quickstart templates | Multi-operator required |
| Attack mitigation | None for misconfiguration | Risk Management Network can pause suspicious activity |
What about the assets’ recovery plan after the KelpDAO exploit?
As part of the ongoing DeFi United initiative by the ecosystem (formed after the attack to restore rsETH’s backing), over USD 300 million in crypto has been committed already. LayerZero alone contributed about 10,000 ETH, including a 5,000 ETH donation and a 5,000 ETH loan to Aave Protocol.
However, a U.S. federal court froze 30,766 ETH (approximately USD 73 million) that the Arbitrum Security Council had recovered, after plaintiffs with terrorism judgments against North Korea that are up to 26 years old claimed the assets belong to the DPRK. To this point, Aave has filed an emergency motion to vacate the freeze, arguing that “a thief does not own what he steals.”
The debate is on fire, from the funds frozen by the court to who is to blame for the exploit. As the space matures, so does the protocols’ security, and so do the hackers, of course.

