
KelpDAO Hack Update: LayerZero Details Security Changes After $292M Hack


Key Insights

  • Crypto hack: LayerZero apologized for its KelpDAO exploit response and admitted it should not have allowed its DVN to operate as a sole verifier.
  • LayerZero linked the $292 million exploit to compromised RPC nodes, external RPC disruption, and forged cross-chain messages.
  • The protocol ended support for 1/1 verifier setups and plans broader security upgrades across its infrastructure.

LayerZero has issued a public apology over its handling of the KelpDAO crypto hack, which drained roughly $292 million in rsETH from a cross-chain bridge on April 18.

The protocol admitted its communication after the exploit failed to address core security concerns directly. It also acknowledged fault for allowing its Decentralized Verifier Network (DVN) to function as the sole verifier for high-value transactions.

The latest crypto hack update now shifts attention toward verifier reforms, RPC infrastructure controls, and new operational security standards across the LayerZero ecosystem.

LayerZero Accepts Responsibility Over Verifier Design

LayerZero said allowing a 1/1 verifier setup for high-value applications was a mistake. The protocol noted that developers controlled security configurations, but admitted it failed to monitor how its own verifier infrastructure was being used.

Under the vulnerable setup, a single verifier could approve cross-chain messages without requiring independent validation from another party.


The statement marked a reversal from LayerZero’s earlier response after the KelpDAO exploit. Initially, the company argued the protocol functioned as intended and attributed the issue to KelpDAO’s configuration choices.

KelpDAO disputed that explanation and pointed toward LayerZero onboarding documents, quickstart examples, and developer guides that treated the single-verifier model as a standard setup option.

Although LayerZero stressed the exploit affected only one application, the incident renewed concerns around bridge security and verifier concentration risks across cross-chain infrastructure.

Crypto Hack: Lazarus Group Linked to Cross-Chain Attack

LayerZero attributed the attack to North Korea’s Lazarus Group, including the subgroup known as TraderTraitor. According to the protocol, attackers compromised internal RPC nodes used by its DVN to read source-chain data. They then launched a DDoS attack against external RPC providers.

That combination forced the DVN to rely on compromised infrastructure. As a result, the verifier signed messages tied to transactions that had not taken place. The forged cross-chain message then enabled the exploit against KelpDAO’s bridge.

The company said the incident showed weaknesses in RPC fallback design and verifier dependency. It has now reworked its RPC setup to support more granular quorum controls across internal and external node providers. This change aims to reduce reliance on any single data source during network disruption or targeted attacks.
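The failure mode described above, and a quorum rule that fails closed instead of falling back, as an added sketch that is not LayerZero's code. The provider names, hash values and policy numbers are constructed assumptions; the article does not publish the actual quorum settings.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class RpcAnswer:
    provider: str            # constructed provider label
    group: str               # "internal" or "external"
    value: Optional[str]     # block/receipt hash read; None = no response

@dataclass(frozen=True)
class QuorumPolicy:
    min_total: int                                     # agreeing providers overall
    min_per_group: dict = field(default_factory=dict)  # agreeing providers per group

def quorum_value(answers, policy):
    """Return the single value meeting the policy, else None (do not sign)."""
    backers = {}  # value -> {provider: group}; a provider counts once per value
    for a in answers:
        if a.value is not None:
            backers.setdefault(a.value, {})[a.provider] = a.group
    accepted = []
    for value, providers in backers.items():
        per_group = Counter(providers.values())
        if len(providers) >= policy.min_total and all(
            per_group[g] >= n for g, n in policy.min_per_group.items()
        ):
            accepted.append(value)
    # Fail closed on no winner and on conflicting winners.
    return accepted[0] if len(accepted) == 1 else None

# Hypothetical policies: numbers are illustrative, not LayerZero's settings.
WEAK = QuorumPolicy(min_total=1)  # any live source is enough
HARDENED = QuorumPolicy(min_total=3, min_per_group={"internal": 1, "external": 2})

# Constructed scenarios. "0xaaa" is the real chain state, "0xbad" a forged one.
HEALTHY = [RpcAnswer("int-1", "internal", "0xaaa"), RpcAnswer("int-2", "internal", "0xaaa"),
           RpcAnswer("ext-1", "external", "0xaaa"), RpcAnswer("ext-2", "external", "0xaaa")]
# Internal nodes compromised, external providers unreachable under DDoS.
ATTACK = [RpcAnswer("int-1", "internal", "0xbad"), RpcAnswer("int-2", "internal", "0xbad"),
          RpcAnswer("ext-1", "external", None), RpcAnswer("ext-2", "external", None)]

if __name__ == "__main__":
    for name, answers in (("healthy", HEALTHY), ("attack", ATTACK)):
        print(name, "weak:", quorum_value(answers, WEAK),
              "hardened:", quorum_value(answers, HARDENED))
```

Under the hardened policy an outage of the external group halts signing rather than shifting trust to whichever sources remain reachable, which trades availability for integrity.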

LayerZero also said a full post-mortem will follow after external security partners complete their work.

Crypto Scams: Verifier Rules and Client Diversity Change

LayerZero said its DVN no longer supports 1/1 DVN configurations. Default settings across pathways are being moved to require at least five verifiers where possible. For chains with fewer available DVNs, the protocol requires at least 3 verifiers.

The company is also building a second DVN client in Rust. The new client is meant to add client diversity and reduce dependence on a single software implementation. Client diversity can help limit shared failure points when cross-chain infrastructure processes large transaction volumes.

LayerZero is also developing Console, a platform for asset issuers to configure and monitor security settings. Console will include anomaly detection for risky configurations, giving teams more visibility into verifier setups and operational risks before assets move across chains.

These changes follow public scrutiny over how many LayerZero applications used the same single-verifier model. A Dune analysis cited by KelpDAO found that 47% of about 2,665 active LayerZero OApp contracts used that configuration at the time of the exploit.

Multisig Controls Face Fresh Review

LayerZero also disclosed an older operational security incident involving a multisig signer. About three and a half years ago, one signer used a production hardware wallet to execute a personal trade after intending to use a separate device. LayerZero said it removed the signer, rotated wallets, and added anomaly detection software to signing devices.

The disclosure came amid separate questions from on-chain researchers about unrelated DEX activity tied to production multisig keys. LayerZero CEO Bryan Pellegrino said some transactions involved OFT testing by former signers who are no longer part of the setup.

LayerZero said it plans to raise its multisig threshold from 3-of-5 to 7-of-10 through OneSig, an open-source multisig tool introduced last year. OneSig lets signers download transactions and hash them locally before signing, limiting the risk of unauthorized backend changes.

The update also comes as KelpDAO and Solv Protocol move cross-chain infrastructure to Chainlink’s CCIP after the exploit. Solv said it would move more than $700 million in tokenized bitcoin, while KelpDAO became one of the first major protocols to leave LayerZero after the hack.

The post KelpDAO Hack Update: LayerZero Details Security Changes After $292M Hack appeared first on The Market Periodical.
