The trust crisis within the cross-chain protocol industry has moved into a stage of accountability. The LayerZero team has issued a formal apology for its initial response to the Kelp exploit, admitting to systemic security flaws that contributed to one of the year’s largest financial losses.
Timeline and Scale of the Disaster
On April 17, the liquid restaking protocol Kelp fell victim to an attack that saw approximately $292 million in rsETH drained via the LayerZero bridge.
Investigations revealed that the root cause was not a flaw in the smart contract code itself, but rather a compromise of infrastructure. The critical factor was the 1/1 DVN (Decentralized Verifier Network) configuration—a setup where only a single verifier’s signature was required to authorize a transaction.
From Denial to Admission
LayerZero’s initial reaction was defensive, placing the blame squarely on the Kelp team and labeling the incident a “local issue.” However, the expert community was quick to uncover an uncomfortable truth:
- The “Default” Standard: The single-verifier configuration was, in fact, the standard recommendation provided by LayerZero during integration.
- Widespread Risk: According to Dune analytics, nearly 47% of all applications in the LayerZero ecosystem were using the same insecure scheme at the time of the attack.
“We handled communication terribly over the last three weeks. We prioritized completeness in the form of a comprehensive analysis when we should have started with candor. We made a mistake by allowing our DVN to act as a 1/1 for high-value transactions. We simply didn’t see the risk,” LayerZero stated.
A New Security Strategy
To regain the trust of users and developers, LayerZero has announced a radical overhaul of its security protocols:
Key Changes:
- Abandoning Single Verifiers: The minimum threshold is now set to 3/3, with 5/5 becoming the new default standard.
- Client Diversification: The development of a second independent DVN client to eliminate single points of failure.
- Launch of “Console”: A centralized platform for asset issuers to monitor security anomalies and suspicious activity.
- Strengthening Multisig: The signing threshold for the management multisig across all networks has been raised from 3/5 to 7/10.
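An added example, not LayerZero's code or configuration format: a small audit that checks verifier quorums against the 3/3 minimum listed above and reports whether a single client implementation could satisfy the quorum on its own, which is the risk the second DVN client is meant to remove. The `Verifier`/`Pathway` model, the finding names and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

MIN_REQUIRED = 3  # minimum quorum named in the article (3/3)

@dataclass(frozen=True)
class Verifier:
    name: str    # hypothetical verifier label
    client: str  # hypothetical client implementation it runs

@dataclass(frozen=True)
class Pathway:
    app: str
    required: int     # M in "M/N": signatures needed to accept a message
    verifiers: tuple  # the N configured Verifier entries

def unique_verifiers(p):
    # A verifier listed twice still holds one key, so count it once.
    return list({v.name: v for v in p.verifiers}.values())

def min_client_compromises(p):
    """Fewest client implementations whose failure yields `required` signatures."""
    sizes = sorted(Counter(v.client for v in unique_verifiers(p)).values(), reverse=True)
    controlled = 0
    for broken, size in enumerate(sizes, start=1):
        controlled += size
        if controlled >= p.required:
            return broken
    return None  # quorum exceeds the number of distinct verifiers

def audit(p):
    findings = []
    if p.required < MIN_REQUIRED:
        findings.append("BELOW_MIN_QUORUM")
    clients = min_client_compromises(p)
    if clients is None:
        findings.append("QUORUM_UNREACHABLE")
    elif clients == 1:
        findings.append("SINGLE_CLIENT_CAN_SIGN")
    return findings

# Constructed sample configurations, not taken from any real deployment.
SAMPLES = [
    Pathway("app-a", 1, (Verifier("v1", "client-x"),)),
    Pathway("app-b", 3, tuple(Verifier(f"v{i}", "client-x") for i in range(3))),
    Pathway("app-c", 5, tuple(Verifier(f"v{i}", "client-x" if i < 3 else "client-y") for i in range(5))),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.app, f"{p.required}/{len(unique_verifiers(p))}", audit(p) or "ok")
```

The second sample shows why the quorum size alone is not the whole picture: a 3/3 setup passes the minimum but is still flagged when all three verifiers share one client.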
Aftermath: Kelp’s Migration
Despite the belated apology, the relationship between the two projects remains strained. The friction regarding the cause of the exploit forced the Kelp team to take drastic action.
In early May, the project announced it would migrate its operations to Chainlink’s CCIP (Cross-Chain Interoperability Protocol), which is marketed as a more secure alternative in the current market climate.