Kelp DAO Rebuts LayerZero: Default Settings, Not User Choice, Caused $290M Exploit

Key Insight

Liquid restaking protocol Kelp DAO is challenging LayerZero's narrative regarding a $290 million rsETH bridge exploit, claiming the compromised single-verifier setup was LayerZero's own infrastructure and an onboarding default, not an outlier configuration chosen against advice.

April 20, 2026, 9:31 PM

Kelp DAO Challenges LayerZero's Exploit Narrative

The blame game is heating up following the $290 million rsETH bridge exploit, with liquid restaking protocol Kelp DAO directly refuting LayerZero's account of the incident. While LayerZero's initial post-mortem pointed fingers at Kelp DAO for allegedly ignoring warnings about its '1/1 DVN configuration,' Kelp is now pushing back, asserting that the vulnerability stemmed from LayerZero's own infrastructure and default settings.

The $290 Million rsETH Exploit: A Recap

On Saturday, attackers successfully drained approximately 116,500 rsETH, valued at around $290 million, from Kelp DAO's LayerZero-powered bridge. The method involved compromising servers that LayerZero's verifier relied upon to validate cross-chain transactions, then overwhelming backup servers with junk traffic to force the system onto the compromised ones. This sophisticated attack highlighted a critical vulnerability in the cross-chain messaging infrastructure.

LayerZero's Initial Stance and Kelp DAO's Rebuttal

LayerZero's initial assessment suggested that Kelp DAO chose a '1-of-1 DVN setup' despite recommendations for multi-verifier redundancy. A '1/1 configuration' means only a single validator is required to sign off on a cross-chain message, creating a single point of failure. However, sources close to Kelp DAO contend that the compromised decentralized verifier network (DVN) was LayerZero's own infrastructure, not a third-party verifier. They claim that all the infrastructure involved in the compromise was built and run by LayerZero.

Furthermore, Kelp DAO argues that the '1/1 configuration' was not a fringe choice made against advice. Instead, it was presented as an onboarding default. Evidence cited includes LayerZero's own quickstart guide and default GitHub configurations, which reportedly promote a 1/1 DVN setup. It's also suggested that as many as 40% of protocols currently operating on LayerZero utilize this same configuration, undermining LayerZero's claim that Kelp's setup was an outlier.
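The two conditions at issue above, a single verifier and a single operator behind the verifiers, can be checked mechanically. The following is an added example, not code from LayerZero, Kelp DAO or the article; the `VerifierConfig` schema, the app names and the operator names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass
class VerifierConfig:
    # Hypothetical, simplified schema for illustration; not LayerZero's own format.
    app: str
    required: list                 # verifiers that must all attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0    # how many optional verifiers must also attest
    operators: dict = field(default_factory=dict)  # verifier -> operating party

def min_verifiers(cfg):
    """Fewest verifiers that must be compromised for a forged message to pass."""
    return len(set(cfg.required)) + cfg.optional_threshold

def min_operators(cfg):
    """Fewest distinct operators whose compromise yields a passing quorum."""
    op = lambda v: cfg.operators.get(v, "unknown")  # unknown operators are pooled (pessimistic)
    base = {op(v) for v in cfg.required}
    picks = combinations(sorted(set(cfg.optional)), cfg.optional_threshold)
    return min(len(base | {op(v) for v in pick}) for pick in picks)

def audit(cfg):
    """Return a list of findings; an empty list means no single point of failure."""
    t = cfg.optional_threshold
    if t < 0 or t > len(set(cfg.optional)) or min_verifiers(cfg) == 0:
        return ["invalid: threshold unsatisfiable or no verifier required"]
    findings = []
    if min_verifiers(cfg) == 1:
        findings.append("single verifier (1/1): one compromise forges messages")
    if min_operators(cfg) == 1:
        findings.append("single operator: all attesting verifiers share one party")
    return findings

# Constructed sample configurations (not real deployments).
SAMPLES = [
    VerifierConfig("app-a", ["dvn-x"], operators={"dvn-x": "vendor"}),
    VerifierConfig("app-b", ["dvn-x", "dvn-y"],
                   operators={"dvn-x": "vendor", "dvn-y": "vendor"}),
    VerifierConfig("app-c", ["dvn-x"], ["dvn-y", "dvn-z", "dvn-w"], 2,
                   operators={"dvn-x": "vendor", "dvn-y": "org-b",
                              "dvn-z": "org-c", "dvn-w": "org-c"}),
]

if __name__ == "__main__":
    for cfg in SAMPLES:
        print(cfg.app, min_verifiers(cfg), min_operators(cfg), audit(cfg) or "ok")
```

The second sample shows why counting verifiers alone is not enough: two verifiers run by one party still fall to a single operator compromise.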

Implications and LayerZero's Response

This dispute has significant implications for cross-chain security and the broader LayerZero ecosystem. If Kelp DAO's claims hold true, it suggests a systemic issue with LayerZero's default configurations rather than an isolated user error. In response to the incident and the ongoing controversy, LayerZero has announced a drastic measure: it will cease signing messages for any application that continues to use a single-verifier setup. This move effectively forces a broad migration for numerous protocols, compelling them to adopt more robust multi-verifier configurations to ensure continued functionality.

The incident underscores the critical importance of robust security practices and transparent communication in the decentralized finance space. As protocols continue to build on cross-chain infrastructure, the responsibility for security, whether shared or singular, remains a central point of contention and evolution.

Frequently Asked Questions

What is the core dispute between Kelp DAO and LayerZero?
Kelp DAO claims that the '1/1 DVN configuration' blamed for the $290 million exploit was a default setting promoted by LayerZero's own documentation and infrastructure, not a choice made against LayerZero's advice. LayerZero initially blamed Kelp DAO for using this single-verifier setup.

What is a '1/1 DVN configuration'?
In a '1/1 DVN configuration' (DVN stands for Decentralized Verifier Network), only a single validator is required to approve a cross-chain message for a bridge to act on it. This creates a single point of failure, as a compromise of that one validator can lead to unauthorized transactions.

How is LayerZero responding to the incident and Kelp DAO's claims?
LayerZero has announced it will stop signing messages for any application that continues to use a single-verifier setup. This effectively forces all protocols on its network to migrate to more secure multi-verifier configurations.

Market Signal

Kelp DAO is directly challenging LayerZero's claim that its '1/1 DVN configuration' was responsible for the $290 million rsETH exploit, arguing the setup was a LayerZero default. The compromised verifier network was reportedly LayerZero's own infrastructure, not a third-party component, according to Kelp DAO. LayerZero's quickstart guides and default configurations allegedly promote the single-verifier setup, with up to 40% of protocols potentially using it. LayerZero is now forcing all applications to migrate away from single-verifier setups by refusing to sign messages for them, indicating a significant shift in its security policy.

Contributing Author at CryptoDailyInk