Kelp claims that LayerZero approved the setup it blamed for $292 million bridge hack

Web3 Share Share this article Copy link X icon X (Twitter) LinkedIn Facebook Email Kelp claims that LayerZero approved the setup it blamed for $292 million bridge hack The $292M exploit, linked to North Korean hackers, led Kelp to migrate its rsETH off LayerZero's "OFT" standard to Chainlink's "CCIP." By Francisco Rodrigues , AI Boost | Edited by Aoyon Ashraf May 5, 2026, 8:21 p.m. 3 min read Make preferred on What to know : Kelp DAO claims LayerZero personnel approved the 1-of-1 verifier setup that LayerZero later blamed for the $292 million rsETH bridge hack. LayerZero's postmortem contradicted Kelp, but data showed 47% of active LayerZero OApp contracts used a 1-of-1 DVN setup. LayerZero banned it post-hack. The $292 million exploit, linked to a North Korean hacker group, led Kelp to migrate its rsETH off LayerZero's OFT standard to Chainlink's Cross-Chain Interoperability Protocol (CCIP). Kelp DAO claims that LayerZero personnel approved the 1-of-1 verifier setup, a decision LayerZero has since cited as the reason a North Korea-linked attacker drained roughly $292 million from Kelp's rsETH bridge. The claim runs counter to LayerZero's April 19 postmortem , which said Kelp's rsETH application relied on LayerZero Labs as its sole verifier and that the setup "directly contradicts" LayerZero's recommended multi-DVN model. Kelp's memo says LayerZero personnel reviewed its configurations for over 2.5 years and in eight integration discussions, without warning that a 1-of-1 setup posed a material security risk. The memo, titled “Setting the Record Straight Around the LayerZero Bridge Hack,” includes screenshots of Telegram exchanges that document LayerZero’s awareness and lack of objection to Kelp’s verifier setup. One screenshot shows a LayerZero team member saying: “No problem on using defaults either — just tagging [redacted] here since he mentioned you may have wanted to use a custom DVN setup for verifying messages, but will leave that to your team!” Kelp says the “defaults” referenced in the exchange were the 1-of-1 LayerZero Labs DVN configuration later cited by LayerZero as the application-level setup that enabled the exploit. CoinDesk could not independently authenticate the screenshot. LayerZero’s templates Kelp also points to LayerZero's bug bounty scope, OFT Quickstart and developer examples as evidence that LayerZero treated verifier-network choices as application-level configuration while showing builders a one-DVN setup. LayerZero's published bug bounty scope on Immunefi excludes from rewards "impacts to OApps themselves as a result of their own misconfiguration," including verifier networks and executors. The LayerZero OFT Quickstart and the official OFT example configuration on GitHub show LayerZero Labs as the required DVN, with no optional DVN set. Kelp's memo cites an April 19 post from Spearbit security researcher Sujith Somraaj, in which Somraaj said he had submitted a bug bounty report describing the same attack pattern and that LayerZero rejected it. "My bug bounty: not a vuln, requires all DVNs," Somraaj wrote on X. "Their deployment: removes the 'all' part. Hackers: collects $295M bounty instead." Somraaj is a prior LayerZero auditor, according to his Cantina profile . Kelp moves to Chainlink Kelp also said it is moving rsETH off LayerZero to Chainlink's Cross-Chain Interoperability Protocol . The shift moves rsETH from LayerZero's OFT standard to Chainlink's Cross-Chain Token standard. The exploit drained 116,500 rsETH, worth roughly $292 million, from Kelp's LayerZero-powered bridge. Two additional forged transactions totaling more than $100 million were signed and processed by the LayerZero Labs DVN before Kelp paused its contracts, the protocol said. LayerZero said attackers are likely linked to North Korea's Lazarus Group, who accessed the list of RPCs used by the LayerZero Labs DVN, compromised two RPC nodes and swapped out the binaries running on them. The attackers then launched a DDoS attack against uncompromised RPC nodes, forcing a failover to the poisoned ones. LayerZero said the DVN then confirmed transactions that had not occurred. Kelp argues the 1-of-1 setup was widespread. CoinGecko, citing Dune Analytics data, said 47% of roughly 2,665 active LayerZero OApp contracts ran a 1-of-1 DVN configuration over a 90-day period ending around April 22, with more than $4.5 billion in associated market value exposed to the same class of risk. LayerZero's postmortem said the protocol "functioned exactly as intended." The company said it would no longer sign messages for any application running a 1-of-1 configuration, a policy change that took effect after the hack. Kelp alleges that its team had to flag the exploit to LayerZero rather than the other way around, raising questions about LayerZero's monitoring. The memo also alleges substantial overlap in addresses granted ADMIN_ROLE on both the LayerZero Labs DVN and the Nethermind DVN, listing ten on April 8, 2026 and five additional on February 6, 2025. CoinDesk has not independently verified the onchain claim. LayerZero did not respond to a request for comment by publication. On at least two integrated chains, Dinari and Skale, the LayerZero Labs DVN is still listed as the only available attestor, according to the documentation. On-chain Data Web3 AI Disclaimer: Parts of this article were generated with the assistance from AI tools and reviewed by our editorial team to ensure accuracy and adherence to our standards . For more information, see CoinDesk's full AI Policy . More For You Elon Musk's X to deploy scam kill switch by auto-locking first-time crypto mentioners By Francisco Rodrigues | Edited by Stephen Alpher Apr 2, 2026 The move comes in response to a wave of phishing attacks using fake copyright emails and is the latest in an attempt to shut down crypto-linked scams on the platform. What to know : X will auto-lock accounts posting about crypto for the first time to reduce scam activity, according to its Head of Product Nikita Bier. The move comes in response to a wave of phishing attacks using fake copyright emails and is the latest in an attempt to shut down crypto-linked scams... Read full story Latest Crypto News Strategy posts $12.54 billion Q1 loss on declining bitcoin price 16 minutes ago Drift outlines a recovery plan for users after $295 million DPRK-linked exploit 1 hour ago Tokenization won't disrupt banking rails but improve them, Wall Street executives say 1 hour ago Bitcoin extends gains to $81,500 as tokenization push lifts Bullish, Galaxy, Centrifuge 1 hour ago Rep. Steven Horsford pitches PARITY Act as 'durable floor' for crypto tax at Consensus Miami 2 hours ago Solana’s 'Alpenglow' upgrade could arrive next quarter, co-founder Yakovenko says 2 hours ago Top Stories Ripple CEO Brad Garlinghouse says Clarity better than chaos as Senate hits key moment 3 hours ago Consensus Miami Day 1: Real-time coverage and highlights from on the ground 6 hours ago Figure targets Fannie Mae and Freddie Mac in mortgage push, citing massive cost cuts for borrowers 3 hours ago Crypto's value is from being outside regulatory apparatus, says Arthur Hayes 5 hours ago Coinbase cuts 14% of staff as AI reshapes how crypto companies operate 8 hours ago Crypto.com’s high-rolling head of marketing to leave after almost six years 6 hours ago