Cross-chain messaging protocol LayerZero has publicly admitted fault for a critical security lapse that enabled the $292 million exploit of Kelp DAO in April, committing to a network-wide security overhaul.
In a detailed post-mortem, LayerZero executives took full responsibility for allowing a high-value application to operate with a single-verifier configuration, a setup that created a single point of failure. “We didn’t police what our DVN was securing, which created a risk we simply didn’t see,” the company said, marking a significant reversal from its initial communications.
The April 18 attack, widely attributed to North Korea’s Lazarus Group, remains the largest DeFi security breach of 2026. While the core LayerZero protocol was not compromised, attackers poisoned the data source used by LayerZero Labs’ own Decentralized Verifier Network (DVN). This allowed the theft of 117,132 rsETH from Kelp DAO, a portion of which was later used as collateral on the Aave lending protocol, creating bad debt of approximately $190 million.
The incident’s fallout forces a broader industry reassessment of cross-chain bridge security and the trade-offs between developer autonomy and protocol-level safeguards. In a direct consequence, Kelp DAO announced it is migrating from LayerZero to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) and has begun to restart rsETH withdrawals following initial recovery steps coordinated with Aave.
A New Security Standard
LayerZero immediately moved to eliminate the vulnerability across its ecosystem. The firm announced its DVN will no longer support 1-of-1 setups for any project. Default configurations are being upgraded to require multiple verifiers—ideally five, or a minimum of three where options are limited.
Kelp DAO confirmed it has already updated its remaining LayerZero bridging settings to require four independent attestors and increased block confirmations from 42 to 64.
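The single point of failure described above, as an added example that is not LayerZero's or Kelp DAO's code: a destination-side check that accepts a message hash only when enough distinct configured verifiers attest to it. The verifier names, hashes, `Policy` fields and the 3-of-4 policy are constructed for illustration; the floor of three and the 42 and 64 confirmation counts come from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    verifier: str        # hypothetical verifier identity
    payload_hash: str    # hash of the message this verifier observed
    confirmations: int   # block confirmations it waited for

@dataclass(frozen=True)
class Policy:
    verifiers: frozenset   # verifiers this application trusts
    threshold: int         # distinct verifiers that must agree
    min_confirmations: int

def lint(policy, floor=3):
    """Flag configurations below the article's stated minimum of three verifiers."""
    findings = []
    if policy.threshold < floor:
        findings.append(f"threshold {policy.threshold} is below the floor of {floor}")
    if policy.threshold > len(policy.verifiers):
        findings.append("threshold exceeds the number of configured verifiers")
    return findings

def accepted_hashes(policy, attestations):
    """Return the payload hashes that reach quorum under this policy."""
    votes = defaultdict(set)
    for a in attestations:
        trusted = a.verifier in policy.verifiers
        if trusted and a.confirmations >= policy.min_confirmations:
            votes[a.payload_hash].add(a.verifier)  # a set: repeat votes count once
    return {h for h, who in votes.items() if len(who) >= policy.threshold}

# Constructed scenario: dvn-a reads a poisoned data source and attests a forged
# message (twice); the other three verifiers attest the genuine one.
ATTESTATIONS = [
    Attestation("dvn-a", "0xforged", 64),
    Attestation("dvn-a", "0xforged", 64),
    Attestation("dvn-b", "0xgenuine", 64),
    Attestation("dvn-c", "0xgenuine", 64),
    Attestation("dvn-d", "0xgenuine", 64),
]
SINGLE = Policy(frozenset({"dvn-a"}), threshold=1, min_confirmations=42)
QUORUM = Policy(frozenset({"dvn-a", "dvn-b", "dvn-c", "dvn-d"}), threshold=3,
                min_confirmations=64)

if __name__ == "__main__":
    for name, policy in (("1-of-1", SINGLE), ("3-of-4", QUORUM)):
        print(name, sorted(accepted_hashes(policy, ATTESTATIONS)), lint(policy))
```

Under the 1-of-1 policy the forged hash is the only one accepted; under the 3-of-4 policy the same poisoned verifier is outvoted and only the genuine hash reaches quorum.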
The attack has also spurred a wider recovery effort. Aave spearheaded an initiative called DeFi United, which raised over $300 million in ETH to shore up affected protocols. However, legal challenges have complicated the use of some recovered funds, as a U.S. court has placed restrictions on $72 million in frozen ETH on the Arbitrum network linked to the attacker.
LayerZero stated that despite the incident, over $9 billion in value has been transferred across the protocol since mid-April without issue. The company is now rolling out new tools, including a Rust-based DVN client and an enhanced Console platform, to help projects manage configurations and detect anomalies, aiming to rebuild trust by enforcing stricter, safer standards by default.