Coinpaper
2026-05-11 05:20:38

LayerZero, Lazarus and KelpDAO: The Full Story Behind the Bridge Exploit

Almost 3 weeks ago, the KelpDAO bridge exploit began as a technical failure and quickly became a wider test of cross-chain security, protocol defaults, and accountability across decentralised finance. On April 18, attackers suspected of links to North Korea’s Lazarus Group exploited a LayerZero-powered Omnichain Fungible Token bridge connected to KelpDAO’s rsETH. The attack drained about 116,500 rsETH, with losses reported near $292 million.

The core issue centred on a single-verifier setup. KelpDAO’s bridge used a 1-of-1 Decentralized Verifier Network configuration, meaning one verifier could validate high-value cross-chain activity. Critics said that the structure created a single point of failure.

LayerZero later said its protocol itself was not compromised. In a public update, the team said internal RPCs used by the LayerZero Labs DVN were attacked by the Lazarus Group and had their “source of truth” poisoned, while external RPC providers were hit by DDoS attacks at the same time.

LayerZero Admits Communication and Configuration Failures

LayerZero opened its update with an apology, saying it had done a poor job communicating during the three weeks after the exploit. The team said it had waited for a full post-mortem but should have spoken more directly earlier.

The company said the incident affected one application, equal to 0.14% of total applications, and about 0.36% of asset value on LayerZero. It also said more than $9 billion had moved across LayerZero after April 19 without other applications being affected.

Still, LayerZero acknowledged a key mistake: allowing its DVN to operate as a 1-of-1 verifier for high-value transactions. The team said developers should choose their own security settings, but said LayerZero Labs failed to monitor what its DVN was securing closely enough.

LayerZero said it will no longer service 1-of-1 DVN configurations. It is also moving defaults toward 5-of-5 verification where possible, and no lower than 3-of-3 on chains where only three DVNs are available.

KelpDAO Moves to Chainlink After Exploit

KelpDAO has now moved away from LayerZero and selected Chainlink’s Cross-Chain Interoperability Protocol. The shift makes KelpDAO one of the first major protocols to leave LayerZero after the exploit.

Subsequently, the migration has now expanded beyond KelpDAO. Analyst Tom Wan noted that protocols with about $2 billion in combined TVL are moving from LayerZero to Chainlink CCIP. That includes KelpDAO with roughly $1.5 billion, SolvProtocol with about $600 million, and re with about $200 million.

Chainlink CCIP uses decentralized oracle networks that require at least 16 independent node operators to validate cross-chain transactions. KelpDAO said the move directly addresses the architectural weakness involved in the attack. KelpDAO’s rsETH will also adopt Chainlink’s Cross-Chain Token standard. Chainlink said its infrastructure has supported more than $30 trillion in cross-chain transaction value.

The migration follows a debate over responsibility. LayerZero said it had warned against single-verifier setups. KelpDAO and other observers argued that the 1-of-1 setup had been part of LayerZero’s default onboarding path. One analysis cited by KelpDAO said 47% of about 2,665 LayerZero applications were using the same single-verifier configuration at the time of the attack.

DeFi United, Frozen ETH, and LayerZero’s Security Changes

After the exploit, Aave, KelpDAO, LayerZero, and other participants formed DeFi United to help restore rsETH backing. LayerZero contributed about 10,000 ETH, including a 5,000 ETH donation and a 5,000 ETH loan to Aave. The recovery effort has raised more than $300 million in crypto.

The recovery became more complicated after the Arbitrum Security Council froze 30,766 ETH linked to the exploit. Plaintiffs with terrorism-related claims against North Korea later moved to seize those funds, arguing they may be tied to the Lazarus Group. Aave has filed an emergency motion seeking to release the funds for affected users.

LayerZero also addressed a separate internal issue involving a multisig signer. The company said that three and a half years ago, one signer used a multisig hardware wallet for a personal trade by mistake. LayerZero said the signer was removed, wallets were rotated, and signing practices were changed.

The company said it has built OneSig, a custom multisig system designed to improve signing security across supported chains. It also plans to raise its multisig threshold from 3-of-5 to 7-of-10, where OneSig is available.

LayerZero is also building Console, a platform for issuers to configure, deploy, and manage asset issuance and security. Console is expected to include alerts for unknown DVNs, unsafe settings, ownership changes, block-confirmation changes, and use of defaults.

The exploit has now moved beyond one bridge failure. It has become a story about developer defaults, verifier design, RPC security, DAO recovery efforts, and whether cross-chain systems can protect high-value assets without relying on hidden or weak assumptions.
