LayerZero is facing heavy criticism for its response to the recent $290 million KelpDAO exploit after the omnichain interoperability protocol blamed Kelp\u2019s 1-of-1 verifier configuration for the incident.<\/p>\n
Over the weekend, liquid restaking protocol KelpDAO was the victim of an attack that drained over $290 million in rsETH from the project after malicious actors exploited a weakness in the protocol\u2019s LayerZero-powered bridge.<\/p>\n
Two days later, LayerZero addressed the incident, which became the largest DeFi hack of 2026, just weeks after Drift Protocol\u2019s $285 million exploit<\/a> shocked the industry.<\/p>\n LayerZero attributed the \u201chighly sophisticated attack\u201d to North Korea\u2019s Lazarus Group, claiming that it was a crypto infrastructure attack rather than a protocol exploit, and affirming that \u201cthere is zero contagion to any other cross-chain assets or applications.\u201d<\/p>\n They explained that the protocol is built on a \u201cfoundation of modular, application-configurable security,\u201d using Decentralized Verifier Networks (DVNs), independent entities responsible for verifying the integrity of cross-chain messages.<\/p>\n The malicious actors allegedly poisoned downstream RPC infrastructure by \u201ccompromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions.\u201d<\/p>\n Per the post, the attackers swapped binaries for a custom payload to forge messages and used DDoS attacks to force failover to the poisoned nodes, triggering the DVN into confirming fake transactions.<\/p>\n Based on this, LayerZero placed<\/a> responsibility on KelpDAO for using a 1-of-1 verifier configuration instead of the multi-DVN recommendations: \u201cThis incident was isolated entirely to KelpDAO\u2019s rsETH configuration as a direct consequence of their single-DVN setup.\u201d<\/p>\n The crypto community reacted to the post-mortem, sharing its concerns<\/a> about LayerZero\u2019s response and criticizing the protocol for placing all responsibility only on Kelp\u2019s security setup.<\/p>\n \u201cImagine building a bridge and vehicles pays to cross, the bridge collapsed and you said it\u2019s their fault for crossing the bridge. A classic clownery act from Bunch of clowns with zero accountability,\u201d X user Saint wrote<\/a>.<\/p>\n Others questioned<\/a> why LayerZero included a \u201c1-of-1\u201d configuration if the purpose of a DVN is customizable\/modular security. \u201cIf the system allows this option, it\u2019s not the fault of the customer who chose it\u2014it\u2019s a fundamental design flaw by the system that permitted it,\u201d user Ditto wrote.<\/p>\n \u201cAt the end of the day, the fact remains that the DVN RPC was compromised. DVN is a LayerZero product, and they are the ones who sold it to these teams,\u201d he continued.<\/p>\n Similarly, Chainlink community manager Zach Rynes accused<\/a> the protocol of deflecting responsibility for the compromise of their own DVN node.<\/p>\n He also criticized them for \u201cthrowing KelpDAO under the bus\u201d for trusting LayerZero Labs\u2019 setup that they \u201cwillingly support and only blocked after getting hacked, all while claiming everything worked as designed.\u201d<\/p>\n Meanwhile, Yearn Finance core team developer Artem K noted<\/a> on X that the attack was described as a compromise of an RPC node and RPC poisoning, but that their own infrastructure is what was compromised. \u201cGiven it doesn\u2019t say how the breach has occurred, I wouldn\u2019t rush re-enabling the bridges,\u201d he added.<\/p>\n Wrong Diagnosis, Wrong Fix?<\/p>\nCrypto Community Criticizes \u2018Lack Of Accountability\u2019<\/h2>\n