Kelp Blames LayerZero for $292 Million Hack, Plans Switch to Chainlink
KelpDAO attributes a $292 million exploit mainly to weaknesses in LayerZero’s cross-chain infrastructure, stating attackers compromised a single-verifier (1-of-1 DVN) setup, allowing them to approve fraudulent transactions. The exploit, linked to North Korea’s Lazarus Group, drained about 116,500 rsETH from Kelp’s protocol in April 2024. Kelp claims LayerZero’s personnel approved the insecure configuration, did not warn of its risks, and only changed practices after significant losses. According to Kelp, the vulnerable setup was widely used and followed LayerZero’s default documentation. LayerZero disputes these claims, arguing Kelp’s use of a single verifier went against recommended guidelines. In response to the breach, Kelp is relaunching its system on Chainlink’s cross-chain protocol, which uses multiple independent validators to enhance security. About $71 million of the stolen crypto was frozen on Arbitrum, resulting in a legal battle in New York. Kelp is aiming for stronger infrastructure to prevent similar risks in the future. LayerZero has not provided further comment.
