Kelp DAO is disputing LayerZero’s account of a $290 million rsETH bridge exploit that occurred on Sunday, claiming the compromised single-verifier setup was based on LayerZero’s own infrastructure and default configurations rather than a risky choice made against expert advice.
The liquid restaking protocol said attackers drained 116,500 rsETH tokens worth approximately $290 million by compromising LayerZero’s own verification servers. Kelp argues that the configuration LayerZero criticized was actually LayerZero’s recommended default setup, not an outlier decision made by Kelp.
LayerZero is the cross-chain messaging infrastructure that moves rsETH between blockchains using entities called DVNs (decentralized verifier networks) to verify cross-chain transfers. On Saturday, attackers poisoned the servers that LayerZero’s verifier relied on to check transactions, draining the bridge of funds.
According to sources familiar with Kelp’s response, the compromised DVN was LayerZero’s own infrastructure, not a third-party verifier. Attackers compromised two of LayerZero’s own servers that check whether cross-chain transactions are legitimate, then flooded backup servers with junk traffic to force LayerZero’s verifier onto the compromised ones.
Kelp plans to contest LayerZero’s characterization of the “1/1 configuration” as a fringe choice. A “1/1 configuration” means only a single validator must sign off on a cross-chain message for the bridge to act on it, leaving the system with no second check to catch a compromised or forged instruction.
LayerZero’s post-mortem claimed Kelp chose the 1-of-1 DVN setup despite recommendations to configure multi-DVN redundancy. However, sources said LayerZero’s own quickstart guide and default GitHub configuration point to a 1/1 DVN setup. Approximately 40% of protocols on LayerZero currently use the same configuration, the source added.
The configuration appears in LayerZero’s own V2 OApp Quickstart, where the sample layerzero.config.ts wires every pathway with one required DVN and no optional DVNs. Kelp was relying on LayerZero’s documentation and defaults when making configuration decisions, sources claimed.
Kelp stated that through a direct communications channel with LayerZero open since July 2024, LayerZero produced no specific recommendation for Kelp to change the rsETH DVN configuration. Kelp’s core restaking contracts were not touched, and the exploit was isolated to the bridge layer, the protocol added.
An emergency pause implemented 46 minutes after the drain blocked two follow-up attempts that would have released an additional $200 million in rsETH, according to Kelp.
Security researchers have sided with Kelp’s position. Yearn Finance core team developer Artem K, known as @banteg on X, published a technical review of LayerZero’s public deployment code, noting that the reference setup ships with single-source verification defaults across every major chain including Ethereum, BSC, Polygon, Arbitrum and Optimism.
Banteg’s analysis also flagged that LayerZero usually asks new operators to use its default setup, which LayerZero’s post-mortem criticized. The deployment leaves a public endpoint exposed that leaks the list of configured servers to anyone who queries it.
Chainlink community manager Zach Rynes put the situation bluntly on X, alleging that LayerZero was “deflecting responsibility” for its own compromised infrastructure and accused the company of throwing Kelp under the bus for trusting a setup LayerZero itself supported.
LayerZero has stated it will no longer sign messages for any application running a single-verifier setup, forcing a protocol-wide migration. CoinDesk reached out to LayerZero for comment but did not receive a response by publication time.
The $290 million exploit highlights ongoing vulnerabilities in cross-chain bridge infrastructure. The incident raises questions about responsibility when protocols rely on default configurations provided by infrastructure providers.
More Reads:
US Stock Markets Dip as Iran Closes Strait of Hormuz Ahead of Ceasefire Talks
Strategy’s Saylor Hints at Another Major Bitcoin Purchase as Company Eyes Semi-Monthly Dividends
If you’re reading this, you’re already ahead. Stay there, by joining the…
Discover more from Dipprofit
Subscribe to get the latest posts sent to your email.
