Kelp DAO asserts that the ‘default’ configurations of LayerZero are responsible for the significant $290 million incident.


The liquid restaking protocol indicated that the compromised verifier was part of LayerZero’s infrastructure, and the configuration it was criticized for utilizing was the onboarding default provided by LayerZero.


What to know:

  • Kelp is contesting LayerZero’s narrative regarding a $290 million rsETH bridge breach, asserting that the compromised single-verifier setup used LayerZero’s own infrastructure and standards, and was not an atypical configuration it chose against recommendations.
  • Several security experts argue that LayerZero’s publicly available documentation and deployment code advocate for single-source verification across significant chains, contradicting the firm’s assertion that Kelp disregarded advice to implement multi-verifier redundancy.
  • Kelp asserts that the breach was confined to the LayerZero-enabled bridge and did not affect its fundamental restaking contracts, while LayerZero has responded by committing to cease signing messages for any application employing a single-verifier setup, necessitating a widespread transition.

The well-known Spiderman meme depicting three identical superheroes pointing fingers at one another is experiencing a moment in the crypto space today.

Kelp DAO is preparing to counter LayerZero’s post-mortem of Sunday’s $290 million exploit, which essentially attributes blame to Kelp, a source familiar with the situation informed CoinDesk. Kelp intends to challenge the cross-chain messaging firm’s assertion that it ignored persistent warnings to abandon a single-verifier setup. CoinDesk has reviewed and confirmed the memo Kelp intends to release.

Kelp is a liquid restaking protocol that accepts user-deposited ether, processes it through a yield-generating mechanism known as EigenLayer, and issues a receipt token, rsETH, in return.

LayerZero serves as the cross-chain messaging infrastructure that facilitates the transfer of rsETH between blockchains, employing entities referred to as DVNs (decentralized verifier networks) to authenticate the validity of cross-chain transfers.

On Saturday, attackers siphoned off 116,500 rsETH, valued at approximately $290 million, from Kelp’s LayerZero-powered bridge by compromising the servers that LayerZero’s verifier depended on to validate transactions.

Kelp, according to the source, plans to assert that the DVN compromised in what it describes as a “sophisticated state-sponsored attack” was LayerZero’s own infrastructure, not an external verifier.

The attackers infiltrated two of LayerZero’s own servers that verify the legitimacy of cross-chain transactions and then inundated the backup servers with junk traffic to force LayerZero’s verifier onto the compromised servers.

All this infrastructure was developed and maintained by LayerZero, not Kelp, the source maintained.

The source disputed LayerZero’s characterization of the “1/1 configuration” as a fringe option made contrary to guidance. LayerZero’s post-mortem indicated that KelpDAO chose a 1-of-1 DVN setup despite recommendations to establish multi-DVN redundancy.

A “1/1 configuration” means that only one validator needs to approve a cross-chain message for the bridge to act on it, so there is no secondary check to detect a compromised or counterfeit instruction. A multi-validator configuration (such as 2/3, 3/5, etc.) guarantees that there is no single point of failure that can endorse a fraudulent message on its own.

They added that, via a direct communication channel with LayerZero, which has been accessible since July 2024, no specific recommendation was made for Kelp to alter the rsETH DVN setup.

LayerZero’s quickstart guide and standard GitHub configuration point to a 1/1 DVN setup, the source told CoinDesk, noting that 40% of protocols on LayerZero currently use the same configuration.

The setup Kelp implemented also appears in LayerZero’s own V2 OApp Quickstart, where the sample layerzero.config.ts connects every pathway with one mandatory DVN and no optional DVNs. This corresponds to the same 1/1 structure.
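The 1/1 structure described above can be detected mechanically before deployment. The TypeScript below is an added example, not code from LayerZero, Kelp or anyone quoted in this article; the config shape, field names, pathway names and DVN names are assumptions made for illustration.

```typescript
// Added example: the field names are assumptions, not LayerZero's schema.
interface PathwayVerifierConfig {
  pathway: string;           // e.g. "chainA->chainB"
  requiredDVNs: string[];    // every one of these must attest
  optionalDVNs: string[];    // pool from which `optionalThreshold` must attest
  optionalThreshold: number;
}

interface Finding {
  pathway: string;
  quorum: number; // distinct verifiers that must agree before a message is accepted
  issue: string;
}

// Number of distinct verifiers needed to approve a message on this pathway.
function quorumSize(cfg: PathwayVerifierConfig): number {
  const required = new Set(cfg.requiredDVNs.map((d) => d.toLowerCase()));
  // An optional DVN that duplicates a required one adds no independent check.
  const optional = new Set(
    cfg.optionalDVNs.map((d) => d.toLowerCase()).filter((d) => !required.has(d)),
  );
  // Simplification: a threshold larger than the usable pool is clamped to it.
  const threshold = Math.max(0, Math.min(cfg.optionalThreshold, optional.size));
  return required.size + threshold;
}

// Flag every pathway whose quorum is below `minQuorum` (default: 2 verifiers).
function auditPathways(cfgs: PathwayVerifierConfig[], minQuorum = 2): Finding[] {
  const findings: Finding[] = [];
  for (const cfg of cfgs) {
    const quorum = quorumSize(cfg);
    if (quorum === 0) {
      findings.push({ pathway: cfg.pathway, quorum, issue: "no verifier configured" });
    } else if (quorum < minQuorum) {
      findings.push({ pathway: cfg.pathway, quorum, issue: "single point of failure (1/1)" });
    }
  }
  return findings;
}

// Constructed sample data; pathway and DVN names are placeholders.
const samplePathways: PathwayVerifierConfig[] = [
  { pathway: "chainA->chainB", requiredDVNs: ["dvn-one"], optionalDVNs: [], optionalThreshold: 0 },
  { pathway: "chainB->chainA", requiredDVNs: ["dvn-one"], optionalDVNs: ["dvn-two", "dvn-three"], optionalThreshold: 1 },
  { pathway: "chainA->chainC", requiredDVNs: ["dvn-one"], optionalDVNs: ["DVN-ONE"], optionalThreshold: 1 },
];

console.log(auditPathways(samplePathways));
```

The third sample pathway is flagged even though it lists an optional DVN, because that entry is the same verifier as the required one and adds no second check.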

Kelp’s core restaking contracts were unaffected, and the exploit was limited to the bridge layer, they indicated. Its emergency pause, activated 46 minutes after the breach, thwarted two subsequent attempts that could have released an additional ~$200 million in rsETH.

CoinDesk reached out to LayerZero for a comment on this matter and did not receive a response by the time of publication.

‘Deflecting responsibility’

Security analysts are also skeptical of LayerZero’s narrative, which placed the blame on Kelp.

Kelp is a liquid restaking protocol. Its primary expertise lies in staking infrastructure, EigenLayer integration, and management of liquid staking tokens. When partnering with LayerZero, Kelp depended on LayerZero’s documentation, defaults, and guidance from their team to make configuration decisions, the source asserted.

Yearn Finance core team developer Artem K, known as @banteg on X, shared a technical examination of LayerZero’s public deployment code, stating that the reference setup comes with single-source verification defaults across all major chains, including Ethereum, BSC, Polygon, Arbitrum, and Optimism.

This deployment also exposes a public endpoint that reveals the list of configured servers to anyone who queries it.

Banteg noted in his analysis that he cannot verify which configuration Kelp employed, but mentioned that LayerZero typically requests new operators to utilize its default setup, which its post-mortem criticized.

Chainlink community manager Zach Rynes was blunt on X, alleging that LayerZero was “deflecting responsibility” for its own compromised infrastructure and accusing the company of throwing Kelp under the bus for relying on a setup that LayerZero itself supported.

Consequently, LayerZero has stated it will no longer sign messages for any application operating a single-verifier setup, leading to a protocol-wide transition.
