Crypto Community Slams LayerZero: More Verifiers
LayerZero is facing heavy criticism for its response to the recent $290 million KelpDAO exploit after the omnichain interoperability protocol blamed Kelp’s 1-of-1 verifier configuration for the incident.
LayerZero Blames KelpDAO For $290M Exploit
Over the weekend, liquid restaking protocol KelpDAO was the victim of an attack that drained over $290 million in rsETH from the project after malicious actors exploited a weakness in the protocol’s LayerZero-powered bridge.
Two days later, LayerZero addressed the incident, which became the biggest DeFi hack of 2026, just weeks after Drift Protocol’s $285 million exploit shocked the industry.
LayerZero attributed the “highly sophisticated attack” to North Korea’s Lazarus Group, claiming that it was a crypto infrastructure attack rather than a protocol exploit, and affirming that “there is zero contagion to any other cross-chain assets or applications.”
They explained that the protocol is built on a “foundation of modular, application-configurable security,” using Decentralized Verifier Networks (DVNs), independent entities responsible for verifying the integrity of cross-chain messages.
The malicious actors allegedly poisoned downstream RPC infrastructure by “compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions.”
Per the post, the attackers swapped binaries for a custom payload to forge messages and used DDoS attacks to force failover to the poisoned nodes, causing the DVN to confirm fake transactions.
Based on this, LayerZero placed responsibility on KelpDAO for using a 1-of-1 verifier configuration instead of the multi-DVN recommendations: “This incident was isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.”
Crypto Community Criticizes ‘Lack Of Accountability’
The crypto community reacted to the post-mortem, sharing its concerns about LayerZero’s response and criticizing the protocol for placing all responsibility solely on Kelp’s security setup.
“Imagine building a bridge and vehicles pays to cross, the bridge collapsed and you said it’s their fault for crossing the bridge. A classic clownery act from Bunch of clowns with zero accountability,” X user Saint wrote.
Others questioned why LayerZero included a “1-of-1” configuration if the purpose of a DVN is customizable/modular security. “If the system allows this option, it’s not the fault of the customer who chose it—it’s a fundamental design flaw by the system that permitted it,” user Ditto wrote.
“At the end of the day, the fact remains that the DVN RPC was compromised. DVN is a LayerZero product, and they are the ones who sold it to these teams,” he continued.
Similarly, Chainlink community manager Zach Rynes accused the protocol of deflecting responsibility for the compromise of their own DVN node.
He also criticized them for “throwing KelpDAO under the bus” for trusting LayerZero Labs’ setup that they “willingly support and only blocked after getting hacked, all while claiming everything worked as designed.”
Meanwhile, Yearn Finance core team developer Artem Ok noted on X that the attack was described as a compromise of an RPC node and RPC poisoning, but that their own infrastructure is what was compromised. “Given it doesn’t say how the breach has occurred, I wouldn’t rush re-enabling the bridges,” he added.
Wrong Diagnosis, Wrong Fix?
Analyst The Smart Ape also claims that LayerZero made the wrong diagnosis and offered the wrong solution. Notably, the protocol’s post-mortem suggested migrating all applications with 1-of-1 DVN configurations to multi-DVN setups to prevent similar attacks.
However, the analyst pointed out that multi-verifiers won’t stop the next multi-million-dollar attack, asserting that they could fail because all DVNs read chain state from the same handful of RPC providers, which are mostly clustered on AWS or GCP.
If 5 “independent” DVNs read from the same three RPC providers, an attacker who poisons those three RPCs will poison all 5 verifiers simultaneously. “If all your verifiers get fooled in the same way at the same time, the math collapses back to 1-of-1. Five clones are not five witnesses,” he added.
To solve this, the analyst suggested that every verifier run its own full node on different client software, hosted on different cloud providers, maintained by different ops teams, and peered with different subsets of the Ethereum network.
“The fix isn’t multi-anything. The fix is that verifiers should attest to their own substrate, not just to chain state. Until you can audit a DVN’s upstream topology, which RPC providers, which client software, which clouds, which regions, ‘M-of-N secured’ is marketing copy for a property that hasn’t actually been built. Lazarus didn’t break cryptography on April 18. They broke three servers,” he concluded.
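The shared-substrate argument above can be checked as a topology audit. The sketch below is an added example, not code from LayerZero, KelpDAO or the analyst: it computes the smallest set of upstream providers whose compromise satisfies an M-of-N verifier quorum. The data model, provider names and the 2-of-3 per-DVN RPC quorum are assumptions made for illustration.

```python
from itertools import combinations

def dvn_fooled(dvn, poisoned):
    """Assumed model: a DVN attests to a forged message once `rpc_quorum`
    of the upstream providers it reads from return poisoned chain state."""
    return len(dvn["rpcs"] & poisoned) >= dvn["rpc_quorum"]

def min_providers_to_forge(dvns, m_required):
    """Smallest set of upstream providers whose compromise fools at least
    `m_required` DVNs. Exhaustive search, fine for audit-sized topologies."""
    providers = sorted(set().union(*(d["rpcs"] for d in dvns)))
    for k in range(1, len(providers) + 1):
        for subset in combinations(providers, k):
            poisoned = set(subset)
            if sum(dvn_fooled(d, poisoned) for d in dvns) >= m_required:
                return poisoned
    return None  # quorum cannot be reached by poisoning providers alone

# Constructed topologies (names and quorum values are illustrative).
SHARED_RPCS = {"rpc-a", "rpc-b", "rpc-c"}
SINGLE = [{"name": "dvn-0", "rpcs": SHARED_RPCS, "rpc_quorum": 2}]
SHARED = [{"name": f"dvn-{i}", "rpcs": SHARED_RPCS, "rpc_quorum": 2}
          for i in range(5)]
INDEPENDENT = [
    {"name": f"dvn-{i}",
     "rpcs": {f"dvn-{i}-node-{j}" for j in range(3)},  # each DVN's own nodes
     "rpc_quorum": 2}
    for i in range(5)
]

def audit():
    """Number of providers that must be compromised under each topology."""
    return {
        "1-of-1": len(min_providers_to_forge(SINGLE, 1)),
        "3-of-5 shared": len(min_providers_to_forge(SHARED, 3)),
        "3-of-5 independent": len(min_providers_to_forge(INDEPENDENT, 3)),
    }

if __name__ == "__main__":
    for label, cost in audit().items():
        print(f"{label}: {cost} providers must be compromised")
```

Under these assumptions the 3-of-5 set with shared upstreams tolerates no more compromised providers than the 1-of-1 set, while the set with disjoint upstreams raises the count threefold.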