Kelp DAO, a key player in the DeFi space, has announced plans to move its restaking token, rsETH, to the Chainlink oracle platform. This decision follows a major cyberattack in April, where hackers exploited vulnerabilities and siphoned off $292 million. Even as Kelp DAO prepares this transition, the platform continues to attribute responsibility to the LayerZero infrastructure.
Details of the Attack and Infrastructure Debate
The hack took place on April 18, when attackers exploited Kelp DAO’s LayerZero-based bridge and stole 116,500 restaked ETH. The thieves then used the seized tokens as collateral on Aave v3, drawing out wrapped Ether in return. The incident stands as one of the largest security breaches within the DeFi ecosystem so far this year.
After the breach, LayerZero published an assessment report, stating that the vulnerability stemmed from Kelp DAO’s decentralized validator network (DVN) relying solely on a single LayerZero validator. LayerZero claimed it had previously warned against designs lacking multiple independent checks, which could pose security risks.
In a statement on Tuesday, Kelp DAO said, “Following the recent LayerZero exploit, we have decided to migrate rsETH to Chainlink CCIP to ensure full security.”
Kelp DAO, however, asserted that operating with a single validator (1-1 setup) is LayerZero’s default configuration and used across numerous protocols. Data from Dune Analytics show that about half of LayerZero users operate with just one DVN. The project also claimed that LayerZero approved this approach and failed to warn about its potential risks.
Escalating Accusations and Industry Response
Kelp DAO emphasized it has operated on LayerZero’s infrastructure since early 2024, staying in close communication with their team. The setup of the validator network was discussed on multiple occasions, and Kelp DAO maintained that the arrangement had been repeatedly deemed secure at the time.
In response to the incident, LayerZero now says it will no longer validate cross-chain messages from applications relying on a single validator and plans to transition such protocols to multi-validator DVN setups.
LayerZero co-founder and CEO Bryan Pellegrino posted to social media that “many of Kelp’s claims are simply false,” arguing that the default configuration is actually multi-DVN or DeadDVN, and that Kelp manually changed it to single-validator mode.
Pellegrino further explained that the original LayerZero configuration, established with Google, used multiple validators; Kelp DAO, he alleged, made manual changes to adopt the higher-risk model. He added that independent security firms will soon release comprehensive analyses of the incident.
Suspected Perpetrators and Broader Impact
Attention has also focused on the potential involvement of North Korea–linked hacking groups, suspected in several major DeFi exploits this year—including the early April attack on the decentralized exchange Drift, which recorded losses of $285 million.
These episodes have reignited debates about the security of cross-chain bridges and the design of decentralized validation processes within DeFi projects.
