After the kelp dao hack, the project is moving fast to reduce exposure and rebuild trust. The incident has also revived a sharp debate over bridge security, validator design, and who approved the setup that failed on April 18.
Summary
The exploit and its immediate fallout
Kelp DAO lost about 292 million dollars when attackers drained 116.500 token rsETH from its LayerZero-based bridge. The stolen assets were then used as aave v3 collateral to borrow wrapped Ether, while two false transactions worth more than 100 million dollars were processed before Kelp paused the contracts.
According to LayerZero, the attackers were tied to north korea hackers linked to Lazarus. The company said the breach followed the compromise of RPC nodes used by LayerZero Labs’ DVN, or Decentralized Verifier Network. After that, the attackers reportedly replaced software on those nodes and launched a DDoS attack against cleaner nodes, diverting traffic to the poisoned ones.
Dispute over the DVN setup
LayerZero said in its April 19 postmortem that the bridge used a single verifier network instead of multiple independent ones. The firm argued that this approach directly contradicted its recommended configuration and created a clear bridge configuration risk.
Kelp disputed that account. The team said LayerZero reviewed the setup for about 2,5 years across eight integration discussions without flagging the single-verifier design as a security problem. Kelp also said it has Telegram screenshots in which a LayerZero team member acknowledged the configuration without objection, though CoinDesk could not verify the material independently.
Moreover, Kelp cited Dune Analytics data showing that, out of about 2.665 contracts active over a 90-day period ending around April 22, 47% used the same 1-of-1 setup. In that group, the associated value allegedly exceeded 4,5 billion dollars.
A security researcher named Sujith Somraaj, who had also audited LayerZero in the past, said he reported a similar flaw in a bug bounty submission before the hack. He said LayerZero rejected the report, which sharpened the dvn security dispute around the incident.
LayerZero pushes back
However, LayerZero CEO Bryan Pellegrino rejected Kelp’s claims on X, calling many of them completely false. He said Kelp first used the recommended multi-DVN setup and later changed it manually to 1-of-1.
LayerZero also said it will publish a postmortem from external security firms. A spokesperson added that the protocol defaults to multi-DVN in most paths, and that some 1-of-1 templates include a DeadDVN that rejects messages until developers configure the system correctly before launch.
That said, LayerZero said it will no longer sign messages for applications using a 1-of-1 configuration, making the policy effective only after the attack. Kelp, meanwhile, said its own team first identified the exploit, not LayerZero.
Shift to Chainlink CCIP
In response, Kelp is migrating rsETH from LayerZero’s OFT standard to Chainlink’s cross-chain token standard through LayerZero CCIP migration. The move is meant to reduce reliance on the contested bridge design and improve operational resilience.
Moreover, the shift comes as documentation on at least two integrated chains, Dinari and Skale, still lists the LayerZero Labs DVN as the sole attestor. For Kelp, the change marks a direct reaction to the rseth bridge exploit and the broader scrutiny now facing cross-chain infrastructure.
For now, the fallout from the Kelp DAO hack remains centered on security, accountability, and the future of bridge architecture. The dispute has become a wider test for how cross-chain systems handle trust after a major breach.
