LayerZero Apologizes Over $292M Kelp DAO Exploit Response, Admits Critical Security Oversight

Published 1 hour ago on May 11, 2026  •  Hassan Maishera

LayerZero issued a public apology for its handling of the fallout from the April 18 exploit that drained roughly $292 million in rsETH from Kelp DAO’s cross-chain bridge.

TL;DR

  • LayerZero published a blog post on Friday apologizing for poor communication following the Kelp DAO hack. 

  • The protocol conceded it should not have allowed its DVN to act as a sole verifier for high-value transactions.

LayerZero issued a public apology on Friday for its handling of the fallout from the April 18 exploit that drained roughly $292 million in rsETH from Kelp DAO’s cross-chain bridge.

This apology marks a sharp shift in tone from its earlier post-mortem that claimed the protocol had “functioned exactly as intended.”

“We've done a terrible job on comms over the past three weeks,” LayerZero wrote in a blog post that was also shared on X. “We wanted to prioritize completeness in the form of a comprehensive post-mortem, but we should have led with directness.”

The protocol said its internal RPC nodes, which its Decentralized Verifier Network (DVN) relied on to read source-chain data, were compromised by North Korea’s Lazarus Group.

According to LayerZero, the attackers poisoned the nodes’ data feeds while simultaneously launching a DDoS attack against external RPC providers, forcing the DVN to rely on compromised infrastructure and approve transactions that never occurred.

LayerZero had previously linked the exploit to the Lazarus-affiliated subgroup TraderTraitor.

LayerZero Admits Mistake Over Single-verifier Setup

LayerZero also acknowledged a major point it had previously resisted — that it should never have allowed its DVN to operate as the sole verifier for high-value transactions.

The protocol wrote:

“We believe developers should choose their own security configurations, but we made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions. We didn't police what our DVN was securing, which created a risk we simply didn't see.”

This statement marks a significant reversal from the protocol’s initial incident statement, which blamed Kelp DAO’s configuration decisions and described the 1-of-1 DVN setup as something the project chose despite guidance.

Kelp DAO publicly rejected that narrative, pointing to LayerZero’s own documentation, quickstart guides, and developer examples as evidence that the single-verifier configuration was effectively the default onboarding setup.

A Dune Analytics study cited by Kelp found that roughly 47% of approximately 2,665 active LayerZero OApp contracts were using the same configuration when the exploit occurred.

LayerZero said the exploit impacted just one application, representing around 0.14% of total applications on the network and roughly 0.36% of the value secured through LayerZero. The company added that more than $9 billion has moved across the protocol since April 19.

The blog post also disclosed a previously unreported operational security lapse involving one of LayerZero’s multisig signers.

According to LayerZero, around three and a half years ago, a signer accidentally used a production hardware wallet to execute a personal trade instead of a separate personal device. 

LayerZero said the signer was removed, wallets were rotated, and anomaly-detection software was later added to all signing devices.

The disclosure arrives as the protocol faces separate scrutiny over its multisig operational practices. On-chain researchers and security figures — including Zach Rynes — had flagged evidence suggesting production multisig keys were used for unrelated decentralized exchange activity, including a memecoin swap involving McPepes on Uniswap.

LayerZero CEO Bryan Pellegrino said those transactions were related to OFT testing by former signers who have since been removed.

LayerZero Rolls Out Security Changes

LayerZero outlined several infrastructure changes introduced since the exploit. The LayerZero Labs DVN will no longer support 1/1 DVN configurations, while default settings are being migrated to require at least five verifiers where possible, with a minimum of three on chains that only support three DVNs.

The protocol is also developing a second DVN client written in Rust to improve client diversity and has redesigned its RPC setup to provide more granular quorum controls across internal and external providers.
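The failure mode reported above (internal RPC nodes returning poisoned data while external providers are unreachable) is what a quorum across internal and external providers is meant to stop. The following is an added example, not LayerZero's code: a fail-closed read policy in which the provider labels, thresholds and hash values are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

class QuorumError(Exception):
    """Provider responses did not satisfy the read policy."""

@dataclass(frozen=True)
class Reading:
    provider: str         # hypothetical provider label
    internal: bool        # True if the verifier operates this node itself
    value: Optional[str]  # source-chain data (e.g. a hash); None = unreachable

def naive_read(readings):
    """Weak policy: trust the first provider that answers."""
    for r in readings:
        if r.value is not None:
            return r.value
    raise QuorumError("no provider reachable")

def quorum_read(readings, min_agree=3, min_external=2):
    """Fail-closed policy: accept a value only if `min_agree` providers return
    it and `min_external` of those are external. Unreachable providers never
    count toward the quorum, so an outage halts verification instead of
    shrinking the set of nodes that must agree."""
    live = [r for r in readings if r.value is not None]
    if not live:
        raise QuorumError("no provider reachable")
    value, agree = Counter(r.value for r in live).most_common(1)[0]
    external = sum(1 for r in live if r.value == value and not r.internal)
    if agree < min_agree or external < min_external:
        raise QuorumError(f"{agree} agree ({external} external); need "
                          f"{min_agree} with {min_external} external")
    return value

# Constructed sample data: internal nodes return forged data while the
# external providers are unreachable, versus a healthy round.
POISONED = [Reading("internal-1", True, "0xforged"),
            Reading("internal-2", True, "0xforged"),
            Reading("external-a", False, None),
            Reading("external-b", False, None),
            Reading("external-c", False, None)]
HEALTHY = [Reading(r.provider, r.internal, "0xreal") for r in POISONED]

def is_rejected(readings):
    """True if quorum_read refuses to return a value for these readings."""
    try:
        quorum_read(readings)
    except QuorumError:
        return True
    return False
```

With the constructed data, the naive policy returns the forged value, while the quorum policy refuses to answer until enough external providers are reachable and agree.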

On the operational side, LayerZero plans to increase its multisig threshold from 3-of-5 to 7-of-10 using OneSig, an open-source multisig platform introduced last year. 

OneSig enables signers to locally download and hash transactions before signing, reducing the risk of unauthorized transaction injection.

LayerZero is also building a monitoring platform called Console that will allow asset issuers to configure and oversee security settings with built-in anomaly detection tools.

The apology comes during a difficult stretch for LayerZero, as multiple projects migrate away from its infrastructure toward Chainlink’s CCIP solution.

Kelp DAO announced earlier this week that it would leave LayerZero, becoming the first major protocol to depart following the exploit. 

Solv Protocol later confirmed it would move more than $700 million in tokenized bitcoin infrastructure away from LayerZero, citing security concerns.

Meanwhile, the DeFi United recovery initiative, formed after the exploit, has reportedly raised more than $300 million in ETH and stablecoins. 

LayerZero contributed 10,000 ETH, split between a 5,000 ETH donation and a 5,000 ETH loan to Aave, which is facing between $124 million and $230 million in estimated bad debt tied to the incident.

The Arbitrum DAO also voted to release 30,766 frozen ETH to the recovery effort, while a judge on Friday allowed the transfer to proceed despite objections from North Korea terrorism victims and creditors.

Hassan Maishera

Hassan is a Nigeria-based financial content creator that has invested in many different blockchain projects, including Bitcoin, Ether, Stellar Lumens, Cardano, VeChain and Solana. He currently works as a financial markets and cryptocurrency writer and has contributed to a large number of the leading FX, stock and cryptocurrency blogs in the world.