The Kelp DAO claims that LayerZero staff approved the 1-of-1 verifier setup, a decision that LayerZero has since cited as the reason a North Korea-linked attacker drained about $292 million from Kelp’s rsETH bridge.
The claim contradicts LayerZero’s April 19 postmortem, which said that Kelp’s rsETH application relied on LayerZero Labs as its sole verifier and that the setup “directly contradicts” LayerZero’s recommended multi-DVN model.
Kelp’s memo says LayerZero staff reviewed its configurations for over 2.5 years and in eight integration discussions without notice that a 1-of-1 setup posed a significant security risk.
The memo, titled “Setting the Record Straight About the LayerZero Bridge Hack,” includes screenshots of Telegram exchanges documenting LayerZero’s awareness and lack of objection to Kelp’s verifier setup.
A screenshot shows a LayerZero team member saying, “No problem using defaults either – just tagging [redacted] here, since he mentioned, you may have wanted to use a custom DVN setup to verify messages, but will leave that up to your team!” Kelp says the “standards” referenced in the exchange were the 1-of-1 LayerZero Labs DVN configuration, which was later cited by LayerZero as the application-level setup that enabled the exploit.
CoinDesk could not independently verify the screenshot.
LayerZero’s templates
Kelp also points to LayerZero’s bug bounty scope, OFT Quickstart, and developer samples as evidence that LayerZero treated verify network selection as application-level configuration while showing builders a one-DVN setup.
LayerZero’s published bug bounty scope on Immunefi excludes from rewards “impacts of OApps themselves as a result of their own misconfiguration”, including verifier networks and executors.
The LayerZero OFT Quickstart and the official OFT sample configuration on GitHub list LayerZero Labs as the required DVN with no optional DVN set.
Kelp’s memo cites a post by Spearbit security researcher Sujith Somraaj on April 19, in which Somraaj said he had submitted a bug bounty report detailing the same attack pattern and that LayerZero rejected it.
“My bug bounty: not a vuln, requires all DVNs,” wrote Somraaj on X. “Their implementation: removes the ‘all’ part. Hackers: collect $295M bounty instead.” Somraaj is a former LayerZero auditor according to his Cantina profile.
Kelp moves to Chainlink
Kelp also said it is moving rsETH from LayerZero to Chainlink’s Cross-Chain Interoperability Protocol. The switch moves rsETH from LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard.
The exploit drained 116,500 rsETH, worth around $292 million, from Kelp’s LayerZero-powered bridge. Two additional forged transactions totaling more than $100 million were signed and processed by LayerZero Labs DVN before Kelp paused its contracts, the protocol said.
LayerZero said attackers likely linked to North Korea’s Lazarus group gained access to the list of RPCs used by LayerZero Labs’ DVN, compromised two RPC nodes and replaced the binaries running on them.
The attackers then launched a DDoS attack against uncompromised RPC nodes, forcing a failover to the poisoned ones. LayerZero said DVN then confirmed transactions that had not taken place.
Kelp claims the 1-of-1 setup was widespread. CoinGecko, citing Dune Analytics data, said 47% of about 2,665 active LayerZero OApp contracts ran a 1-of-1 DVN configuration over a 90-day period ending around April 22, with more than $4.5 billion in associated market capitalization exposed to the same risk class.
LayerZero’s postmortem said the protocol “worked exactly as intended.” The company said it would no longer sign messages for any application running a 1-of-1 configuration, a policy change that took effect after the hack.
Kelp claims its team had to flag the exploit to LayerZero instead of the other way around, raising questions about LayerZero’s monitoring.
The memo also claims significant overlap in addresses given ADMIN_ROLE on both LayerZero Labs DVN and Nethermind DVN, with ten listed on April 8, 2026, and five more on February 6, 2025. CoinDesk has not independently verified the onchain claim.
LayerZero did not respond to a request for comment by the time of publication.
On at least two integrated chains, Dinari and Skale, LayerZero Labs’ DVN is still listed as the only available attestor, according to the documentation.
