LayerZero has publicly changed course, admitting it “made a mistake” after weeks of blaming Kelp DAO for a $292 million exploit tied to North Korean attackers. In a blog post published late Friday (U.S. time), the cross-chain protocol apologized and acknowledged that its own verification infrastructure was improperly allowed to secure high-value assets in a vulnerable configuration.
What happened
- In April, attackers drained $292 million from Kelp’s bridge. LayerZero initially framed the incident as an application-level misconfiguration by Kelp, pointing to a risky “1-of-1” (1/1) setup where a single decentralized verifier network (DVN) could approve cross-chain transfers — creating a single point of failure.
- LayerZero now concedes it erred by permitting its DVN to act as a 1/1 signer for high-value transactions. “We didn't police what our DVN was securing, which created a risk we simply didn't see. We own that,” the company wrote, prefacing the post with “an overdue apology.”
Technical clarifications and root cause
- LayerZero maintains the core protocol itself was not compromised. The company attributes the exploit to an attack on internal RPC infrastructure used by the LayerZero Labs DVN, occurring alongside distributed denial-of-service attacks on external RPC providers.
- A DVN is part of the verification layer that checks whether a transaction moving assets between blockchains is legitimate; cross-chain bridges like those relying on DVNs remain one of crypto’s most exposed infrastructure components.
Immediate fixes and policy changes
LayerZero outlined several concrete changes to harden its systems:
- Its DVN will no longer support 1/1 configurations for high-value flows.
- Defaults on all pathways are being migrated to 5-of-5 where possible, and no fewer than 3-of-3 on chains with only three DVNs available.
- Security improvements after an internal policy lapse were detailed: a signer who had used their multisig hardware wallet for a personal trade (three and a half years ago) was removed from the multisig, wallets were rotated, and signing-device policies were tightened. LayerZero also added localized anomaly detection to signing devices and developed a custom multisig solution called OneSig.
Market reactions and competitors
The fallout is reshaping relationships across the cross-chain space. Competitors such as Chainlink are actively courting projects reassessing their bridge security:
- Kelp has already migrated its rsETH bridge to Chainlink’s Cross‑Chain Interoperability Protocol (CCIP).
- Solv Protocol said it is moving more than $700 million in tokenized bitcoin infrastructure away from LayerZero following a fresh security review.
Why this matters
The episode highlights persistent fragility in cross-chain infrastructure and the operational risks that arise when protocol teams — not just app developers — set defaults or allow configurations that concentrate trust. LayerZero’s apology and remediation steps aim to restore confidence, but the migrations by prominent projects show that trust, once shaken, can drive rapid changes in provider selection.
LayerZero’s admission closes a fraught public exchange with Kelp and signals a sharper focus on operational responsibility from middleware providers — even as the industry continues to wrestle with the technical and governance challenges of secure cross-chain transfers.
Read more AI-generated news on: undefined/news
