LayerZero Acknowledges Fault After Weeks of Blaming Kelp DAO
In a stunning reversal that has sent ripples through the decentralized finance (DeFi) ecosystem, interoperability protocol LayerZero has admitted that it 'made a mistake' in the handling of the $292 million Kelp DAO exploit. The admission came after weeks of publicly framing the incident as a developer configuration failure on the part of Kelp DAO, the liquid restaking protocol that lost nearly $300 million to attackers linked to North Korea.
On May 9, 2026, LayerZero CEO Bryan Pellegrino issued a statement acknowledging that the company 'owns' the decision to allow its own verifier network—known as the LayerZero Decentralized Verifier Network (DVN)—to secure high-value transfers in a setup that Pellegrino described as 'vulnerable from the start.' The acknowledgment marks a significant departure from earlier statements that pinned the blame entirely on Kelp DAO for misconfiguring its security parameters.
The Exploit: What Happened
The $292 million heist, attributed to the infamous Lazarus Group, took place on May 2, 2026. Attackers exploited a vulnerability in the cross-chain bridge mechanism used by Kelp DAO to transfer its rsETH token between Ethereum and Arbitrum. At the time, LayerZero maintained that its protocol was not compromised and that the exploit resulted from a 'developer misconfiguration' in Kelp's security settings. However, internal investigations later revealed that the vulnerability stemmed from LayerZero's decision to rely on its own DVN for securing high-value assets—a configuration that bypassed the additional security layers that clients typically deploy.
According to a post-mortem shared with CoinDesk, the attackers targeted internal RPC (Remote Procedure Call) infrastructure that LayerZero's DVN uses to communicate with blockchain nodes. By compromising these RPC endpoints, the attackers were able to manipulate message verification and approve fraudulent cross-chain transfers. The exploit netted $292 million in various cryptocurrencies, including ETH, wstETH, and USDC, most of which was quickly laundered through mixers and cross-chain swaps.
The Fallout: A Massive Exodus to Chainlink
The fallout from the admission has been swift and severe. Within hours of LayerZero's statement, Kelp DAO announced it would immediately migrate its rsETH bridge infrastructure to Chainlink's Cross-Chain Interoperability Protocol (CCIP), citing 'irreparable damage to trust.' The move involves more than $4 billion in total value locked (TVL) that was previously secured by LayerZero's bridge.
Solv Protocol, a tokenized bitcoin infrastructure platform, followed suit, announcing it would move over $700 million in tokenized bitcoin assets—representing the bulk of its SolvBTC product—away from LayerZero to Chainlink's CCIP. Solv Protocol's CEO, Ryan Chow, stated that 'LayerZero's admission confirms what we feared: internal DVNs create a single point of failure that our clients cannot accept.'
The domino effect continued as Lombard, a liquid staking derivatives protocol managing $2.1 billion in TVL, also announced a switch to Chainlink. According to data from DefiLlama, more than $4 billion in assets have already been moved away from LayerZero's bridge in the past 48 hours, with analysts predicting further outflows as other clients reassess their security dependencies.
Background: LayerZero's Verifier Network Controversy
LayerZero's architecture relies on a decentralized verifier network that validates cross-chain messages. The protocol allows developers to choose between LayerZero's own DVN, third-party verifiers like Chainlink or Polyhedra, or a combination of multiple verifiers for added security. However, in practice, many DeFi projects opted for LayerZero's DVN alone due to lower costs and simpler setup—a decision that the company itself encouraged through its documentation and marketing.
Critics have long warned that relying on a single verifier, especially one operated by the same team that built the protocol, introduces centralization risks. Security researcher 'dragonfly_xyz' noted on X (formerly Twitter) that 'LayerZero's DVN is not truly decentralized—it's a glorified multisig that the team controls. The Kelp exploit is exactly the kind of attack that a properly decentralized network would prevent.'
In the aftermath of the Kelp hack, several security audits have been published. One from Trail of Bits, released on May 8, found that LayerZero's DVN protocol had 'insufficient safeguards against RPC spoofing'—the exact vulnerability used in the attack. The audit noted that 'the verifier's configuration allowed an attacker to submit a fraudulent message as long as they controlled the RPC endpoint that the verifier was using to query the source chain.'
Market Impact and Industry Reaction
The $292 million exploit and subsequent client exodus have had a notable impact on the broader DeFi market. LayerZero's native token, ZRO, dropped 22% in the 24 hours following the admission, falling from $4.85 to $3.78. Rivals, notably Chainlink (LINK), saw a 15% price surge as investors bet on increased adoption of CCIP.
Industry figures have been quick to weigh in. Anatoly Yakovenko, co-founder of Solana, tweeted, 'This is a wake-up call for the entire cross-chain industry. If you build a bridge, you must assume it will be attacked. LayerZero's mistake was not the vulnerability—it was pretending it couldn't happen.' Meanwhile, Emin Gün Sirer, CEO of Ava Labs (Avalanche), stated, 'The Kelp exploit reinforces the need for multiple independent verifiers. Trust but verify—with three or more verifiers, not one.'
Regulatory attention is also mounting. The U.S. Securities and Exchange Commission (SEC) has reportedly opened a preliminary inquiry into whether LayerZero violated securities laws by misrepresenting the security of its protocol. A spokesperson for the SEC declined to comment, but sources close to the matter indicate that the agency is focusing on whether investors in protocols that used LayerZero's DVN were misled about the risk of single-verifier configurations.
LayerZero's Response and Moving Forward
In a blog post published on May 9, Pellegrino outlined the company's path forward. 'We made a mistake, and we own it,' he wrote. 'Going forward, LayerZero will require all high-value transfers—defined as those exceeding $10 million per transaction—to use a minimum of three verifiers, including at least one third-party verifier. We are also open-sourcing our DVN code and commissioning a full security audit by at least three independent firms.'
Pellegrino also announced the creation of a $50 million compensation fund for Kelp DAO users affected by the exploit, though he acknowledged that 'no amount of compensation can fully restore the trust we have lost.' The fund will be financed through a combination of LayerZero treasury reserves and a portion of future protocol fees.
Despite these measures, the damage to LayerZero's reputation may be long-lasting. The company now faces the challenge of rebuilding credibility with developers who have already voted with their feet. For now, the cross-chain bridge market appears to be consolidating around Chainlink, whose CCIP has seen a 300% increase in total value transferred since the Kelp exploit, according to data from Dune Analytics.
The broader lesson from the LayerZero-Kelp saga is a familiar one in the crypto industry: security is not a feature to be marketed but an ongoing commitment that requires transparency, multiple layers of defense, and the humility to admit mistakes. As more than $4 billion in assets flee to more conservative architectures, the market is sending a clear signal that trust, once broken, is not easily regained.
Source: Coindesk News