Kelp says LayerZero approved the configuration it blamed for $292 million bridge hack

Kelp DAO claims that LayerZero staff approved the 1-of-1 verifier setup, a decision that LayerZero has since cited as the reason a North Korea-linked attacker siphoned approximately $292 million from Kelp’s rsETH bridge.

The claim flies in the face of LayerZero’s April 19 postmortem, which said Kelp’s rsETH app relied on LayerZero Labs as its sole verifier and that the setup “directly contradicts” LayerZero’s recommended multi-DVN model.

The Kelp memo says LayerZero staff reviewed its configurations over more than two and a half years and in eight integration discussions, without realizing that a 1-of-1 configuration posed a material security risk.

The memo, titled “Setting the record straight about the LayerZero bridge hack,” includes screenshots of Telegram exchanges that it says document LayerZero’s awareness of, and lack of objection to, Kelp’s verifier setup.

A screenshot shows a member of the LayerZero team saying: “There is also no problem using the default values, just label [redacted] here, since you mentioned that you may have wanted to use a custom DVN setup to check messages, but I’ll leave that to your team!” Kelp says the “defaults” referenced in the exchange were the LayerZero Labs DVN 1-of-1 configuration that LayerZero later cited as the application-level configuration that enabled the exploit.

CoinDesk was unable to independently authenticate the screenshot.

LayerZero Templates

Kelp also points to LayerZero’s bug bounty scope, OFT quickstart, and developer examples as evidence that LayerZero treated verifier network options as an application-level configuration while showing builders a single-DVN configuration.

The bug bounty scope posted by LayerZero on Immunefi excludes from the bounties “impacts on the OApps themselves as a result of their own misconfiguration”, including verification networks and executors.

The LayerZero OFT quickstart and the official OFT example setup on GitHub show LayerZero Labs as the required DVN, without any optional DVN sets.

The Kelp memo cites an April 19 post by Spearbit security researcher Sujith Somraaj, in which Somraaj said he had submitted a bug bounty report describing the same attack pattern and that LayerZero rejected it.

“My bug bounty: It’s not a vulnerability, it requires all DVNs,” Somraaj wrote. Somraaj is a former LayerZero auditor, according to his Cantina profile.

Kelp moves to Chainlink

Kelp also said it is moving rsETH from LayerZero to Chainlink’s Cross-Chain Interoperability Protocol. The change moves rsETH from LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard.

The exploit drained 116,500 rsETH, worth approximately $292 million, from Kelp’s LayerZero-powered bridge. LayerZero Labs DVN signed and processed two additional forged transactions totaling more than $100 million before Kelp suspended its contracts, according to the protocol.

LayerZero said the attackers are likely linked to North Korea’s Lazarus Group, which accessed the list of RPCs used by LayerZero Labs DVN, compromised two RPC nodes, and swapped the binaries running on them.

The attackers then launched a DDoS attack against the uncompromised RPC nodes, forcing a failover to the poisoned nodes. LayerZero said the DVN then confirmed transactions that had not occurred.

Kelp maintains that the 1-of-1 configuration was widespread. CoinGecko, citing data from Dune Analytics, said that 47% of approximately 2,665 active LayerZero OApp contracts ran a 1-of-1 DVN configuration over a 90-day period ending around April 22, with more than $4.5 billion in associated market value exposed to the same class of risk.

LayerZero’s postmortem said the protocol “worked exactly as expected.” The company said it would no longer sign messages for any app running a 1-of-1 configuration, a policy change that went into effect after the attack.

Kelp alleges that its team had to point out the exploit to LayerZero, not the other way around, raising questions about LayerZero’s monitoring.

The memo also alleges a substantial overlap in the addresses that were granted ADMIN_ROLE on both LayerZero Labs DVN and Nethermind DVN, listing ten on April 8, 2026 and an additional five on February 6, 2025. CoinDesk has not independently verified the on-chain claim.

LayerZero did not respond to a request for comment via post.

On at least two integrated chains, Dinari and Skale, LayerZero Labs DVN is still listed as the only available verifier, according to the documentation.
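The two configuration concerns raised above, a single required DVN with no optional set and DVNs that share admin addresses, can be checked mechanically. The sketch below is an added example, not code from the article, Kelp or LayerZero; the field names are modeled on LayerZero's ULN config (`requiredDVNs`, `optionalDVNs`, `optionalDVNThreshold`), and the `admins` map and all DVN names and addresses are constructed.

```javascript
// Added example. Field names follow LayerZero's ULN config; the `admins`
// map (DVN -> admin addresses) and every name below are constructed.

// DVNs sharing any admin address form one control group (union-find).
function controlGroups(dvns, admins) {
  const parent = new Map(dvns.map((d) => [d, d]));
  const find = (d) => {
    while (parent.get(d) !== d) d = parent.get(d);
    return d;
  };
  const firstSeen = new Map(); // admin address -> first DVN listing it
  for (const d of dvns) {
    for (const a of admins[d] || []) {
      if (firstSeen.has(a)) parent.set(find(d), find(firstSeen.get(a)));
      else firstSeen.set(a, d);
    }
  }
  return find;
}

// Fewest independent control groups whose signatures satisfy the config.
function independentVerifiers(uln, admins = {}) {
  const required = uln.requiredDVNs || [];
  const optional = [...new Set(uln.optionalDVNs || [])];
  const threshold = optional.length ? uln.optionalDVNThreshold || 0 : 0;
  const groupOf = controlGroups([...new Set([...required, ...optional])], admins);
  const needed = new Set(required.map(groupOf));
  const perGroup = new Map();
  let covered = 0;
  for (const d of optional) {
    const g = groupOf(d);
    if (needed.has(g)) covered++;
    else perGroup.set(g, (perGroup.get(g) || 0) + 1);
  }
  let count = needed.size;
  // Groups are disjoint, so largest-first reaches the threshold with the fewest.
  for (const n of [...perGroup.values()].sort((x, y) => y - x)) {
    if (covered >= threshold) break;
    covered += n;
    count++;
  }
  return count;
}

const oneOfOne = { requiredDVNs: ["dvn-labs"], optionalDVNs: [], optionalDVNThreshold: 0 };
const twoRequired = { requiredDVNs: ["dvn-labs", "dvn-b"], optionalDVNs: [], optionalDVNThreshold: 0 };
const sharedAdmin = { "dvn-labs": ["0xA1", "0xA2"], "dvn-b": ["0xA2", "0xB1"] };
console.log(independentVerifiers(oneOfOne));                 // 1-of-1 setup
console.log(independentVerifiers(twoRequired));              // two separate DVNs
console.log(independentVerifiers(twoRequired, sharedAdmin)); // same DVNs, shared admin
```

A result of 1 means a single operator or key set can verify a message alone, whether the cause is a 1-of-1 configuration or several DVNs with overlapping admins.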
