LayerZero and KelpDAO trade accusations over $292M North Korea-linked hack

Source Cryptopolitan

Bryan Pellegrino, founder and CEO of LayerZero Labs, has fired back at KelpDAO after the liquid restaking protocol published a long post alongside screenshots that it claims are proof that LayerZero personnel approved the single-verifier bridge configuration that was exploited in the $292 million hack on April 18.

Pellegrino said KelpDAO’s account of the events is largely untrue and that Kelp itself downgraded from a more secure default setup.

The public finger-pointing between the two platforms fractures what had shaped up to be a unified front among DeFi projects that took it upon themselves to contain the fallout of the exploit, rallying under the banner “DeFi United.”

LayerZero pledged more than 10,000 ETH to Aave-led recovery efforts on April 28, according to a post from the protocol’s official account. However, the latest development raises the question of who bears responsibility for the exploit’s root cause, and so far it seems to have turned former allies into adversaries.

Why are LayerZero and KelpDAO beefing?

In a thread posted on X on May 5, Pellegrino challenged three specific claims KelpDAO made in its announcement that it would migrate rsETH bridging from LayerZero to Chainlink’s CCIP.

“A ton of this is just completely untrue,” Pellegrino wrote. He said Kelp originally deployed with LayerZero’s default multi-DVN (Decentralized Verifier Network) configuration and “manually migrated to a 1/1 config later.”

Image caption: Pellegrino said KelpDAO downgraded itself from a more secure default setup. Source: @PrimordialAA via X/Twitter.

A 1-of-1 DVN setup means a single verification signature is enough to authorize cross-chain token transfers, removing the redundancy that multi-DVN provides.

Pellegrino added that “almost 100% of the volume on a 1/1 config was rsETH,” pointing to Kelp as the dominant user of the setup that was exploited. He also noted that LayerZero’s documentation warns against using a single-verifier configuration for production applications.

In an earlier post on May 4, Pellegrino acknowledged personal conflict over the situation. “I still carry a huge amount of cognitive dissonance here,” he wrote.

Pellegrino said he had been wrong to assume that it was impossible for someone to manually change the configs that LayerZero had helped them set up to a 1/1.

Based on Pellegrino’s admission, the protocol provided the infrastructure, but each application chose how to configure it. While he stated that it was easy to sit back and do nothing, he acknowledged that it was not the right approach.

KelpDAO says LayerZero signed off on the setup

KelpDAO’s May 5 post took a different position. According to Cryptopolitan’s earlier reporting, Kelp published Telegram screenshots showing a LayerZero team member writing “No problem on using defaults either” during discussions about Kelp’s L2 expansion. Kelp says those exchanges span eight discussions over 2.5 years without objection from LayerZero personnel.

Kelp announced it is migrating rsETH to Chainlink’s CCIP, calling the move a direct response to the exploit. The migration is already in progress. Kelp’s GitHub repository lists a new “CCIP (Chainlink) RSETH” contract alongside the legacy LayerZero RSETH_OFT contract, according to Cryptopolitan’s earlier coverage.

The exploit and its scale

The April 18 attack drained 116,500 rsETH, roughly 18% of the liquid restaked token in circulation, from Kelp’s LayerZero-powered bridge.

At the time of the exploit, 47% of active LayerZero OApp contracts used a 1-of-1 DVN setup, according to data cited in earlier reporting. LayerZero has since banned the configuration and is pushing migrations across its application base.

DeFi is at a crossroads

The Pellegrino-Kelp dispute will likely shape how DeFi protocols negotiate security responsibilities with infrastructure providers going forward.

LayerZero faces pressure to explain why nearly half its application base ran a configuration it now calls unacceptable. Kelp faces scrutiny over why it downgraded from a multi-verifier default, if Pellegrino’s account is accurate. The frozen ETH on Arbitrum remains in legal limbo, and the 10,000 ETH DeFi United recovery contribution from LayerZero is disappearing in the rearview mirror.
