LayerZero is facing heavy criticism for its response to the recent $290 million KelpDAO exploit after the omnichain interoperability protocol blamed Kelp’s 1-of-1 verifier configuration for the incident.
LayerZero Blames KelpDAO For $290M Exploit
Over the weekend, liquid restaking protocol KelpDAO was the victim of an attack that drained over $290 million in rsETH from the project after malicious actors exploited a weak point in the protocol’s LayerZero-powered bridge.
Two days later, LayerZero addressed the incident, which became the largest DeFi hack of 2026, just weeks after Drift Protocol’s $285 million exploit shocked the industry.
LayerZero attributed the “extremely sophisticated attack” to North Korea’s Lazarus Group, claiming that it was a crypto infrastructure attack rather than a protocol exploit, and affirming that “there is zero contagion to any other cross-chain assets or applications.”

They explained that the protocol is built on a “foundation of modular, application-configurable security,” using Decentralized Verifier Networks (DVNs), independent entities responsible for verifying the integrity of cross-chain messages.
The malicious actors allegedly poisoned downstream RPC infrastructure by “compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions.”
Per the post, the attackers swapped binaries for a custom payload to forge messages and used DDoS attacks to force failover to the poisoned nodes, triggering the DVN into confirming fake transactions.
Based on this, LayerZero placed responsibility on KelpDAO for using a 1-of-1 verifier configuration instead of the multi-DVN recommendations: “This incident was isolated solely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.”
Crypto Community Criticizes ‘Lack Of Accountability’
The crypto community reacted to the post-mortem, sharing its concerns about LayerZero’s response and criticizing the protocol for placing all responsibility solely on Kelp’s security setup.
“Imagine building a bridge and cars pays to cross, the bridge collapsed and you said it’s their fault for crossing the bridge. A classic clownery act from Bunch of clowns with zero accountability,” X user Saint wrote.
Others questioned why LayerZero included a “1-of-1” configuration if the purpose of a DVN is customizable/modular security. “If the system allows this option, it’s not the fault of the client who chose it—it’s a fundamental design flaw by the system that permitted it,” user Ditto wrote.
“At the end of the day, the fact remains that the DVN RPC was compromised. DVN is a LayerZero product, and they are the ones who offered it to these teams,” he continued.
Similarly, Chainlink community manager Zach Rynes accused the protocol of deflecting responsibility for the compromise of their own DVN node.
He also criticized them for “throwing KelpDAO under the bus” for trusting LayerZero Labs’ setup that they “willingly support and only blocked after getting hacked, all while claiming everything worked as designed.”
Meanwhile, Yearn Finance core team developer Artem Okay noted on X that the attack was described as a compromise of an RPC node and RPC poisoning, but that their own infrastructure is what was compromised. “Given it doesn’t say how the breach has occurred, I wouldn’t rush re-enabling the bridges,” he added.
Wrong Diagnosis, Wrong Fix?
Analyst The Good Ape also claims that LayerZero made the wrong diagnosis and offered the wrong solution. Notably, the protocol’s post-mortem suggested migrating all applications with 1-of-1 DVN configurations to multi-DVN setups to prevent similar attacks.
However, the analyst pointed out that multi-verifiers won’t stop the next multi-million-dollar attack, asserting that they may fail as all DVNs read chain states from the same handful of RPC providers, which are mostly clustered on AWS or GCP.
If 5 “independent” DVNs read from the same three RPC providers, an attacker who poisons these three RPCs will poison all 5 verifiers simultaneously. “If all your verifiers get fooled in the same way at the same time, the maths collapses back to 1-of-1. 5 clones are not 5 witnesses,” he added.
To solve this, the analyst suggested that every verifier runs its own full node on different client software, hosted on different cloud providers, maintained by different ops teams, peered with different subsets of the Ethereum network.
“The fix isn’t multi-anything. The fix is that verifiers should attest to their own substrate, not just to chain state. Until you can audit a DVN’s upstream topology, which RPC providers, which client software, which clouds, which regions, ‘M-of-N secured’ is marketing copy for a property that hasn’t actually been built. Lazarus didn’t break cryptography on April 18. They broke three servers,” he concluded.
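The analyst's independence argument can be checked mechanically. The following is an added example, not code from the article or from LayerZero: it audits a declared DVN topology and reports the smallest set of upstream RPC providers whose compromise would satisfy an M-of-N verifier threshold. The topology records, provider names and the per-DVN RPC quorum of 2 are constructed assumptions.

```python
from itertools import combinations

def fooled(dvn, poisoned):
    """Assumed model: a DVN accepts forged state once a quorum of its RPCs is poisoned."""
    return len(dvn["rpcs"] & poisoned) >= dvn["quorum"]

def min_providers_to_forge(dvns, threshold):
    """Smallest set of upstream providers whose compromise fools >= threshold DVNs."""
    providers = sorted(set().union(*(d["rpcs"] for d in dvns)))
    for k in range(1, len(providers) + 1):
        for combo in combinations(providers, k):
            if sum(fooled(d, set(combo)) for d in dvns) >= threshold:
                return list(combo)
    return None  # threshold unreachable even with every provider poisoned

# Constructed topologies (hypothetical names); every DVN trusts 2 agreeing RPCs.
SHARED = {"rpc-a", "rpc-b", "rpc-c"}
SINGLE = [{"name": "dvn-0", "rpcs": SHARED, "quorum": 2}]
CLONES = [{"name": f"dvn-{i}", "rpcs": SHARED, "quorum": 2} for i in range(5)]
DIVERSE = [
    {"name": f"dvn-{i}", "rpcs": {f"dvn{i}-node{j}" for j in range(3)}, "quorum": 2}
    for i in range(5)
]

def audit():
    """Attack cost, in providers, for each constructed configuration."""
    return {
        "1-of-1": min_providers_to_forge(SINGLE, 1),
        "3-of-5, shared upstream": min_providers_to_forge(CLONES, 3),
        "3-of-5, own nodes": min_providers_to_forge(DIVERSE, 3),
    }

if __name__ == "__main__":
    for label, hit in audit().items():
        print(f"{label}: {len(hit)} providers must be poisoned -> {hit}")
```

Under this model the five-clone setup costs an attacker exactly as many providers as the 1-of-1 setup, while verifiers with disjoint upstreams triple that cost.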

