- Bryan Pellegrino, LayerZero’s founder, denies KelpDAO’s claim that it approved the insecure setup.
- The dispute centers on a risky single-verifier bridge configuration used before the $292M exploit.
- Pellegrino says Kelp downgraded security, while Kelp claims LayerZero implicitly signed off.
Bryan Pellegrino, founder and CEO of LayerZero Labs, has fired back at KelpDAO after the liquid restaking protocol published a long post alongside screenshots that it claims are proof that LayerZero personnel approved the single-verifier bridge configuration that was exploited in the $292 million hack on April 18.
Pellegrino said KelpDAO’s account of the events is largely untrue and that Kelp itself downgraded from a more secure default setup.
The public finger-pointing between the two platforms fractures what had shaped up to be a unified front among DeFi projects that took it upon themselves to contain the fallout of the exploit, rallying under the banner “DeFi United.”
LayerZero pledged more than 10,000 ETH to Aave-led recovery efforts on April 28, according to a post from the protocol’s official account. However, the latest development raises the question of who bears responsibility for the exploit’s root cause, and so far, it seems to have turned former allies into adversaries.
Why are LayerZero and KelpDAO beefing?
In a thread posted on X on May 5, Pellegrino challenged three specific claims KelpDAO made in its announcement that it would migrate rsETH bridging from LayerZero to Chainlink’s CCIP.
“A ton of this is just completely untrue,” Pellegrino wrote. He said Kelp originally deployed with LayerZero’s default multi-DVN (Decentralized Verifier Network) configuration and “manually migrated to a 1/1 config later.”

A 1-of-1 DVN setup means a single verification signature is enough to authorize cross-chain token transfers, removing the redundancy that multi-DVN provides.
Pellegrino added that “almost 100% of the volume on a 1/1 config was rsETH,” pointing to Kelp as the dominant user of the setup that was exploited. He also noted that LayerZero’s documentation warns against using a single-verifier configuration for production applications.
In an earlier post on May 4, Pellegrino acknowledged personal conflict over the situation. “I still carry a huge amount of cognitive dissonance here,” he wrote.
Pellegrino stated that he had been wrong to assume it was impossible for someone to manually change the configs they had been helped to set up to a 1/1.
Based on Pellegrino’s admission, the protocol provided the infrastructure, but each application chose how to configure it. While he stated that it was easy to sit back and do nothing, he acknowledged that it was not the right approach.
KelpDAO says LayerZero signed off on the setup
KelpDAO’s May 5 post took a different position. According to Cryptopolitan’s earlier reporting, Kelp published Telegram screenshots showing a LayerZero team member writing “No problem on using defaults either” during discussions about Kelp’s L2 expansion. Kelp says those exchanges span eight discussions over 2.5 years without objection from LayerZero personnel.
Kelp announced it is migrating rsETH to Chainlink’s CCIP, calling the move a direct response to the exploit. The migration is already in progress. Kelp’s GitHub repository lists a new “CCIP (Chainlink) RSETH” contract alongside the legacy LayerZero RSETH_OFT contract, according to Cryptopolitan’s earlier coverage.
The exploit and its scale
The April 18 attack drained 116,500 rsETH, roughly 18% of the liquid restaked token in circulation, from Kelp’s LayerZero-powered bridge.
At the time of the exploit, 47% of active LayerZero OApp contracts used a 1-of-1 DVN setup, according to data cited in earlier reporting. LayerZero has since banned the configuration and is pushing migrations across its application base.
DeFi is at a crossroads
The Pellegrino-Kelp dispute will likely shape how DeFi protocols negotiate security responsibilities with infrastructure providers going forward.
LayerZero faces pressure to explain why nearly half its application base ran a configuration it now calls unacceptable. Kelp faces scrutiny over why it downgraded from a multi-verifier default, if Pellegrino’s account is accurate. The frozen ETH on Arbitrum remains in legal limbo, and the 10,000 ETH DeFi United recovery contribution from LayerZero is disappearing in the rearview mirror.
FAQs
Who was behind the $292 million Kelp bridge exploit?
Chainalysis linked the April 18 attackers to North Korea's Lazarus Group, who compromised RPC nodes used by LayerZero's verification network and launched a simultaneous DDoS attack to redirect traffic to poisoned infrastructure.
What does LayerZero's founder say about KelpDAO's claims?
Bryan Pellegrino said on May 5 that KelpDAO's account is "completely untrue," asserting that Kelp originally deployed with LayerZero's default multi-DVN configuration and later manually downgraded to the 1-of-1 verifier setup that was exploited.
Why is KelpDAO migrating from LayerZero to Chainlink CCIP?
Kelp announced the migration on May 5 as a direct response to the April 18 exploit, with the new CCIP integration already visible in Kelp's GitHub repository alongside the legacy LayerZero contract.