Kelp blames LayerZero for approving $292 million hack setup

Kelp DAO released a memo titled “Setting the Record Straight Around the LayerZero Bridge Hack,” claiming LayerZero reviewed its configurations for over 2.5 years across eight integration discussions without warning of security risks in the 1-of-1 verifier setup. A screenshot from Telegram shows a LayerZero team member stating: “No problem on using defaults either — just tagging [redacted] here since he mentioned you may have wanted to use a custom DVN setup for verifying messages, but will leave that to your team!” Kelp argues these defaults were the 1-of-1 LayerZero Labs DVN configuration that enabled the exploit, which drained 116,500 rsETH worth roughly $292 million. Two additional forged transactions exceeding $100 million were processed before Kelp paused its contracts, according to the protocol. Kelp alleges it had to flag the exploit to LayerZero, questioning the company's monitoring. Data from CoinGecko citing Dune Analytics indicates 47% of active LayerZero OApp contracts used a similar 1-of-1 setup, exposing over $4.5 billion in value. LayerZero's April 19 postmortem blamed Kelp's reliance on LayerZero Labs as the sole verifier, calling it a contradiction of recommended multi-DVN models. LayerZero has since banned 1-of-1 configurations and stated its protocol functioned as intended. A LayerZero spokesperson responded: “The claim that Kelp used default configurations of LayerZero is inaccurate. They deployed multiDVN and then manually downgraded to a 1/1.” The spokesperson added that bug bounty exclusions cover application-level choices like verifier networks. In response, Kelp is migrating rsETH to Chainlink's Cross-Chain Interoperability Protocol. LayerZero did not further comment by publication. As first reported by CoinDesk on May 5, 2026.