The fallout from the $292 million exploit of Kelp DAO in April has entered a new phase of public friction. The DeFi protocol officially announced this week that it is migrating its liquid restaking token, rsETH, to Chainlink’s Cross-Chain Interoperability Protocol (CCIP). This move follows a bitter “blame game” between Kelp and cross-chain infrastructure provider LayerZero over who is responsible for the massive security breach.
The incident, which saw hackers drain 116,500 rsETH tokens, has become one of the most significant security failures in the DeFi space this year. Beyond the immediate loss, the exploit triggered a ripple effect across the crypto lending market, particularly affecting platforms like Aave v3 where the stolen assets were used as collateral.
The Core of the Conflict: Default vs. Manual Configurations
At the heart of the dispute is a technical disagreement over Decentralized Verifier Networks (DVNs). LayerZero argues that Kelp DAO’s bridge was vulnerable because it relied on a “1-1 setup,” meaning only a single DVN was required to validate cross-chain transactions. According to LayerZero, this lack of redundancy—requiring multiple independent checks—is what allowed the hackers to bypass security.
Kelp DAO, however, pushed back on this narrative in a recent post on X. The protocol claims that the single-DVN setup was essentially the industry standard, citing Dune Analytics data showing that nearly half of LayerZero’s users utilize a similar configuration. Kelp further alleged that they had maintained open communication with LayerZero since January 2024 and were repeatedly told their configuration was secure.
LayerZero CEO Fires Back Amid North Korean Hacking Suspicions
Bryan Pellegrino, co-founder and CEO of LayerZero, has been vocal in disputing Kelp’s version of events. Pellegrino claims that Kelp DAO originally launched with a safer, multi-DVN default (utilizing both LayerZero Labs and Google) but later manually changed their settings to the vulnerable 1/1 configuration. He asserted that LayerZero’s “DeadDVN” default is designed to force applications to choose a secure path, rather than leaving them exposed by accident.
While the two teams trade accusations, the broader security community is looking toward external experts for clarity. Pellegrino noted that a comprehensive postmortem conducted by independent security firms is expected to be released shortly.
The stakes of this investigation are high; security analysts suspect that North Korean-linked hacking groups were behind the Kelp DAO breach, as well as the $285 million exploit of the Drift decentralized exchange earlier that same month. By migrating to Chainlink CCIP, Kelp DAO hopes to distance itself from the controversy and restore investor confidence through Chainlink’s “Defense-in-Depth” security model.
