LayerZero said late Friday US time that it “made a mistake” by allowing its own verification infrastructure to secure high-value cryptoassets in a vulnerable configuration, marking a notable shift in tone after weeks of blaming developer Kelp DAO for a $292 million hack linked to North Korean attackers.
The admission follows weeks of public finger-pointing between LayerZero and Kelp over responsibility for the April hack, which LayerZero had initially framed as an application-level configuration error by Kelp.
“First things first: a belated apology,” LayerZero wrote in a blog post published Friday.
LayerZero initially blamed Kelp, arguing that the protocol had opted for a risky “1-of-1” configuration where only a single decentralized verifier network, or DVN, needed to approve cross-chain transfers, creating a single point of failure. A DVN is part of the infrastructure that verifies whether a transaction that moves assets between blockchains is legitimate.
“We made a mistake by allowing our DVN to act as a 1/1 DVN for high value transactions,” the company said. “We didn’t control what our DVN secured, which created a risk we simply didn’t see. We own that.”
To address this, LayerZero Labs said its DVN will no longer serve 1/1 DVN configurations. Additionally, “all defaults on all pathways are migrated to 5/5 where possible and no less than 3/3 on any chain where only 3 DVNs are available,” the blog said.
Cross-chain bridges act as digital transfer rails between otherwise separate blockchain networks, but have long been among crypto’s most vulnerable pieces of infrastructure.
LayerZero maintained that its underlying protocol was not compromised and reiterated that developers are ultimately responsible for configuring their own security assumptions.
“The LayerZero protocol remained unaffected,” the company said, attributing the exploit to an attack on internal RPC infrastructure used by LayerZero Labs’ DVN, while external RPC providers were simultaneously hit by distributed denial-of-service attacks.
In addition, LayerZero said that three and a half years ago, one of the signatories on its multisig used their multisig hardware wallet to execute a personal trade when they had intended to use their own personal hardware wallet. The company is cracking down on such moves, saying: “This is obviously not ok.”
“This signer was removed from multisig, wallets rotated, and we have since updated our security practices around signing devices, added localized anomaly detection software on each device, and created a custom-built multisig called OneSig.”
Competitors, including Chainlink, are using the fallout to win business from protocols that reinvent their security providers.
Kelp has already moved its rsETH bridge to Chainlink’s competing Cross-Chain Interoperability Protocol, while Solv Protocol said this week it is migrating more than $700 million in tokenized bitcoin infrastructure away from LayerZero following a new security review.



