LayerZero and KelpDAO Clash Over Single-Verifier Bridge

LayerZero Labs and KelpDAO have publicly disputed who approved a single-verifier bridge setup that was exploited in an April 18 attack that drained roughly $292 million in value. The disagreement centers on whether KelpDAO downgraded a multi-verifier configuration to a 1-of-1 setup or whether LayerZero personnel approved the change.

The attacker removed about 116,500 rsETH from a LayerZero-powered bridge, representing roughly 18% of the liquid restaked token in circulation. At the time of the exploit, data showed that about 47% of active LayerZero application contracts used a 1-of-1 Decentralized Verifier Network, a configuration that allows a single signature to authorize cross-chain transfers.

LayerZero founder and CEO Bryan Pellegrino posted on X challenging KelpDAO’s public account. Pellegrino wrote that Kelp initially deployed using LayerZero’s default multi-DVN configuration and “manually migrated to a 1/1 config later.” He described parts of KelpDAO’s post as “completely untrue” and acknowledged he had been mistaken to assume the configuration could not be changed after initial deployment, writing, “I still carry a huge amount of cognitive dissonance here.” Pellegrino said LayerZero documentation warns developers against using a single-verifier configuration in production.

KelpDAO published Telegram screenshots that it says show a LayerZero team member writing “No problem on using defaults either” in discussions about the protocol’s expansion to layer-2 networks. KelpDAO stated these exchanges occurred across multiple conversations over 2.5 years and that no LayerZero staff member objected. In response to the exploit, KelpDAO announced it is migrating rsETH bridging from LayerZero to Chainlink’s Cross-Chain Interoperability Protocol; its public code repository lists a new CCIP RSETH contract alongside the legacy LayerZero RSETH_OFT contract.

LayerZero announced a pledge of more than 10,000 ETH toward recovery efforts on April 28. The company has since banned 1-of-1 DVN configurations for new deployments and is encouraging existing applications to migrate away from them.

Frozen ETH connected to the incident on Arbitrum remains subject to legal questions. The dispute between LayerZero and KelpDAO has shifted firms that had been cooperating on recovery into a public conflict over responsibility for configuration and operational choices.

Both parties have released messages and documents to support their accounts. The disagreement highlights a debate within decentralized finance about where responsibility lies when infrastructure is configurable by application teams and how teams document and approve security-related changes.