Key Takeaways
KelpDAO is migrating its rsETH cross-chain bridge from LayerZero to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) after a $292 million exploit drained its reserves. The move abandons LayerZero’s OFT standard in favor of Chainlink’s more decentralized validation model.
“KelpDAO’s migration to Chainlink CCIP directly addresses the architectural vulnerability at the center of the exploit,” the protocol said in its announcement, highlighting a fundamental shift in its security posture following one of DeFi's largest security failures this year.
The April 18 exploit saw an attacker, preliminarily linked to North Korea’s Lazarus Group, drain about 116,500 rsETH by compromising the bridge’s security configuration. According to Chainalysis, the attack compromised off-chain infrastructure, allowing the hacker to trick the verifier into releasing funds against nonexistent transactions. The dispute centers on the 1-of-1 Decentralized Verifier Network (DVN) setup, which created a single point of failure.
The incident underscores the systemic risks in cross-chain bridge architecture, which remains a primary target for hackers in the digital asset space. KelpDAO’s public migration to a competitor puts intense pressure on LayerZero and serves as a critical case study for protocols evaluating infrastructure trade-offs between security and simplicity.
The core of the vulnerability was KelpDAO’s use of a single DVN configuration, where only LayerZero Labs was required to verify transactions. LayerZero’s postmortem stated this setup “directly contradicts” its recommended multi-DVN model. However, KelpDAO pushed back, releasing a memo titled “Setting the Record Straight,” which alleges LayerZero personnel were aware of and approved the configuration.
KelpDAO presented screenshots of conversations and pointed to LayerZero’s own developer documentation and GitHub examples, which allegedly showed a single-DVN setup as a default. Data from Dune Analytics cited by CoinGecko supported this, showing that 47% of active LayerZero applications, representing over $4.5 billion in value, used a similar 1-of-1 configuration at the time.
LayerZero has since banned single-verifier setups, stating the protocol itself “functioned exactly as intended” and that Kelp had "manually downgraded to a 1/1." The infrastructure provider also noted that a security researcher, Sujith Somraaj, had previously submitted a bug bounty report on the same attack vector, which LayerZero had rejected as an application-level misconfiguration and therefore out of scope.
In response, KelpDAO is not only switching its infrastructure provider but also adopting Chainlink’s Cross-Chain Token standard for rsETH. Chainlink’s CCIP framework replaces the single-verifier model with a decentralized network of at least 16 independent node operators, significantly mitigating the risk of a single point of failure.
The fallout from the exploit spread across the DeFi ecosystem on Ethereum, as the attacker deposited the stolen rsETH as collateral in lending markets like Aave, borrowing approximately $236 million in other assets. This forced Aave to freeze several markets to prevent further liquidity stress. In the aftermath, a "DeFi United" initiative, with contributions from LayerZero, has raised over $300 million to help restore the backing of rsETH.
This article is for informational purposes only and does not constitute investment advice.
