LayerZero said late Friday US time that it “made a mistake” by allowing its own verification infrastructure to protect high-value crypto assets in a vulnerable setup, marking a notable change in tone after weeks of blaming developer Kelp DAO for a $292 million hack linked to North Korean attackers.
The admission follows weeks of public finger-pointing between LayerZero and Kelp over responsibility for the April hack, which LayerZero had initially framed as an application-level configuration flaw on Kelp’s part.
“First things first: a belated apology,” LayerZero wrote in a blog post Friday.
LayerZero initially blamed Kelp, arguing that the protocol had chosen a risky “1 of 1” configuration in which only a single decentralized verification network, or DVN, needed to approve cross-chain transfers, creating a single point of failure. A DVN is part of the infrastructure that verifies whether a transaction that moves assets between blockchains is legitimate.
“We made a mistake by allowing our DVN to act as a 1/1 DVN for high value transactions,” the company said. “We didn’t control what our DVN was insuring, which created a risk that we simply didn’t see. We own that.”
To counter this, LayerZero Labs said its DVN will no longer serve 1/1 DVN configurations. Additionally, “all defaults on all routes are being migrated to 5/5 where possible and no less than 3/3 on any chain where only 3 DVNs are available,” the blog said.
Cross-chain bridges act as digital transfer rails between otherwise separate blockchain networks, but they have long been among cryptocurrencies’ most vulnerable pieces of infrastructure.
LayerZero maintained that its underlying protocol was not compromised and reiterated that developers are ultimately responsible for setting their own security assumptions.
“The LayerZero protocol was not affected,” the company said, attributing the exploit to an attack on the internal RPC infrastructure used by LayerZero Labs DVN, while external RPC providers were simultaneously affected by distributed denial-of-service attacks.
Additionally, LayerZero said that three and a half years ago, one of the signers on its multisig used his multisig hardware wallet to make a personal transaction when he had intended to use his own personal hardware wallet. He is taking action against such measures and said: “This is obviously not right.”
“This signer was removed from the multisig, wallets rotated and we have since updated our security practices around signing devices, added localized anomaly detection software on each device and created a custom multisig called OneSig.”
Competitors, including Chainlink, are taking advantage of the fallout to win business from protocols that are rethinking their security providers.
Kelp has already moved its rsETH bridge to Chainlink’s cross-chain interoperability protocol, while Solv Protocol said this week that it is migrating more than $700 million in tokenized bitcoin infrastructure off of LayerZero following a new security review.




