Login
Sign Up
DeFi protocol Kelp DAO announced on Tuesday its decision to migrate its restaking token, rsETH, to the Chainlink oracle platform, marking a strategic pivot in the wake of a $292 million exploit that occurred in April. The incident, which unfolded on April 18, saw hackers steal 116,500 Kelp DAO restaked ETH tokens via the protocol's LayerZero-powered bridge before utilizing them as collateral on Aave v3 to borrow wrapped Ether. In response to the security failure, Kelp DAO stated that the migration to Chainlink CCIP is a necessary step to ensure the full security of rsETH, effectively severing ties with the infrastructure implicated in the attack. This move underscores the severity of the breach, which stands as one of the year's largest security incidents, triggering broader ecosystem contagion and destabilizing the interconnected crypto lending market.
At the heart of the crisis lies a contentious dispute regarding liability for the vulnerability. A day after the exploit, LayerZero released a postmortem attributing the hack to an inadequate setup within Kelp's decentralized verifier network (DVN). LayerZero argued that the protocol relied on a single LayerZero DVN as the only verified path, failing to implement multiple independent checks required to validate cross-chain transactions securely. The infrastructure provider emphasized that it had explicitly advised against such a configuration, suggesting that the failure stemmed from Kelp's operational choices rather than a flaw in the underlying technology. Data compiled by Woofun AI indicates that this specific configuration debate has become a focal point for security audits across the sector.
Kelp DAO, however, rejected this narrative, asserting that the 1-1 setup is the default configuration for many protocols. Citing data from analytics platform Dune, the protocol noted that roughly half of LayerZero users operate with a single DVN. Kelp DAO further accused LayerZero of approving the setup and failing to issue adequate warnings regarding the associated security risks. The protocol highlighted that it has operated on LayerZero infrastructure since January 2024 and maintained open communication channels throughout, with the DVN configuration being confirmed as secure on multiple occasions during these interactions. Woofun AI notes that this divergence in technical accountability highlights the fragility of trust in cross-chain messaging standards.
In the aftermath of the hack, LayerZero announced a policy shift, stating it will no longer validate or approve cross-chain messages for any application relying on a single verifier. The organization is currently in the process of migrating protocols using this setup to a multi-DVN architecture to prevent recurrence. Bryan Pellegrino, co-founder and CEO of LayerZero, responded directly to Kelp DAO's claims on X, labeling a significant portion of their assertions as completely untrue. He argued that Kelp originally utilized the default multi-DVN configuration but later manually changed to a 1/1 setup, a move he described as not recommended for production applications.
Pellegrino elaborated that the defaults referenced in Kelp's screenshots were either multiDVN or DeadDVN, the latter of which force-rejects an application using defaults and requires manual configuration. He clarified that rsETH was originally configured to use the default LayerZero setup, which included a multiDVN arrangement involving LayerZero Labs and Google. Pellegrino further stated that a complete postmortem conducted by external security firms would be published soon to provide an independent assessment of the incident. This upcoming report is expected to clarify the technical nuances of the configuration changes and the timeline of communication between the two parties.
The broader context of the attack points to sophisticated threat actors, with North Korea-linked hackers suspected of orchestrating the breach on Kelp DAO. These same actors are believed to be responsible for the April 1 exploit of the decentralized exchange Drift, which resulted in a total loss of $285 million. The convergence of these high-value attacks suggests a coordinated effort to target cross-chain bridges and lending protocols. Woofun AI analysis suggests that the industry must now re-evaluate the security assumptions of single-point-of-failure architectures in cross-chain messaging to mitigate future systemic risks.