Crypto Community Slams LayerZero: More Verifiers Won’t Stop The Next $290M Hack

LayerZero is facing heavy criticism for its response to the recent $290 million KelpDAO exploit after the omnichain interoperability protocol blamed Kelp’s 1-of-1 verifier configuration for the incident.

LayerZero Blames KelpDAO For $290M Exploit

Over the weekend, liquid restaking protocol KelpDAO was the victim of an attack that drained over $290 million in rsETH from the project after malicious actors exploited a weakness in the protocol’s LayerZero-powered bridge.

Two days later, LayerZero addressed the incident, which became the biggest DeFi hack of 2026, just weeks after Drift Protocol’s $285 million exploit shocked the industry.

LayerZero attributed the “highly sophisticated attack” to North Korea’s Lazarus Group, claiming that it was a crypto infrastructure attack rather than a protocol exploit, and affirming that “there is zero contagion to any other cross-chain assets or applications.”

LayerZero’s post-mortem. Source: X

They explained that the protocol is built on a “foundation of modular, application-configurable security,” using Decentralized Verifier Networks (DVNs), independent entities responsible for verifying the integrity of cross-chain messages.

The malicious actors allegedly poisoned downstream RPC infrastructure by “compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to confirm transactions.”

Per the post, the attackers swapped binaries for a custom payload to forge messages and used DDoS attacks to force failover to the poisoned nodes, causing the DVN to confirm fake transactions.

Based on this, LayerZero placed responsibility on KelpDAO for using a 1-of-1 verifier configuration instead of the recommended multi-DVN setup: “This incident was isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.”

Crypto Community Criticizes ‘Lack Of Accountability’

The crypto community reacted to the post-mortem, sharing its concerns about LayerZero’s response and criticizing the protocol for placing all responsibility solely on Kelp’s security setup.

“Imagine building a bridge and vehicles pays to cross, the bridge collapsed and you said it’s their fault for crossing the bridge. A classic clownery act from Bunch of clowns with zero accountability,” X user Saint wrote.

Others questioned why LayerZero included a “1-of-1” configuration if the purpose of a DVN is customizable/modular security. “If the system allows this option, it’s not the fault of the customer who chose it—it’s a fundamental design flaw by the system that permitted it,” user Ditto wrote.

“At the end of the day, the fact remains that the DVN RPC was compromised. DVN is a LayerZero product, and they are the ones who offered it to these teams,” he continued.

Similarly, Chainlink community manager Zach Rynes accused the protocol of deflecting responsibility for the compromise of their own DVN node.

He also criticized them for “throwing KelpDAO under the bus” for trusting LayerZero Labs’ setup that they “willingly support and only blocked after getting hacked, all while claiming everything worked as designed.”

Meanwhile, Yearn Finance core team developer Artem Okay noted on X that the attack was described as a compromise of an RPC node and RPC poisoning, but that their own infrastructure is what was compromised. “Given it doesn’t say how the breach has occurred, I wouldn’t rush re-enabling the bridges,” he added.

Wrong Diagnosis, Wrong Fix?

Analyst The Sensible Ape also claims that LayerZero made the wrong diagnosis and offered the wrong solution. Notably, the protocol’s post-mortem suggested migrating all applications with 1-of-1 DVN configurations to multi-DVN setups to prevent similar attacks.

However, the analyst pointed out that multi-verifiers won’t stop the next multi-million-dollar attack, asserting that they may fail as all DVNs read chain states from the same handful of RPC providers, which are largely clustered on AWS or GCP.

If 5 “independent” DVNs read from the same three RPC providers, an attacker who poisons these three RPCs will poison all 5 verifiers simultaneously. “If all your verifiers get fooled in the same way at the same time, the math collapses back to 1-of-1. 5 clones aren’t 5 witnesses,” he added.

To solve this, the analyst suggested that every verifier run its own full node on different client software, hosted on different cloud providers, maintained by different ops teams, and peered with different subsets of the Ethereum network.

“The fix isn’t multi-anything. The fix is that verifiers should attest to their own substrate, not just to chain state. Until you can audit a DVN’s upstream topology, which RPC providers, which client software, which clouds, which regions, ‘M-of-N secured’ is marketing copy for a property that hasn’t actually been built. Lazarus didn’t break cryptography on April 18. They broke three servers,” he concluded.
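The correlated-failure argument above can be checked on a declared upstream topology. The following is an added example, not code from LayerZero, KelpDAO or the analyst: it finds the smallest set of upstream sources whose compromise fools a quorum of verifiers. The DVN and RPC names are constructed, and the rule that a verifier is fooled once a strict majority of its sources are poisoned is an assumption.

```python
from itertools import combinations

# Constructed topologies (all names hypothetical): DVN -> upstream RPC sources.
SHARED = {f"dvn-{i}": {"rpc-a", "rpc-b", "rpc-c"} for i in range(1, 6)}
INDEPENDENT = {f"dvn-{i}": {f"own-node-{i}"} for i in range(1, 6)}


def is_fooled(upstreams, poisoned):
    # Assumption: a DVN accepts forged chain state once a strict majority
    # of the sources it reads from are poisoned.
    return 2 * len(upstreams & poisoned) > len(upstreams)


def min_poison_set(topology, required_dvns):
    """Smallest set of upstream sources whose compromise fools at least
    `required_dvns` verifiers. Returns (sources, fooled_dvns)."""
    sources = sorted(set().union(*topology.values()))
    # Brute force over subsets, smallest first; fine for audit-sized inputs.
    for size in range(1, len(sources) + 1):
        for combo in combinations(sources, size):
            poisoned = set(combo)
            fooled = sorted(d for d, ups in topology.items()
                            if is_fooled(ups, poisoned))
            if len(fooled) >= required_dvns:
                return poisoned, fooled
    return set(), []


def report(name, topology, required_dvns):
    """One-line audit summary for a topology and its M-of-N threshold."""
    poisoned, fooled = min_poison_set(topology, required_dvns)
    return (f"{name}: {required_dvns}-of-{len(topology)} quorum falls to "
            f"{len(poisoned)} compromised source(s), fooling {len(fooled)} DVN(s)")


if __name__ == "__main__":
    print(report("shared RPCs", SHARED, 3))
    print(report("independent nodes", INDEPENDENT, 3))
```

With shared upstreams, the 3-of-5 quorum costs the same number of compromised sources as a single DVN reading the same three RPCs; with one independent node per verifier, the cost rises to the quorum size.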

The total crypto market capitalization is at $2.54 trillion in the one-week chart. Source: TOTAL on TradingView

Featured image from Unsplash.com, chart from TradingView.com

Rubmar Garcia