
KelpDAO blamed LayerZero for a $292 million exploit and said it plans to relaunch its cross-chain system using Chainlink after an April incident that drained about 116,500 rsETH, an Ethereum-based staking token, from a bridge used by the protocol.
In a post on X on Tuesday, KelpDAO said the April 18 incident showed that “LayerZero's own infrastructure was exploited,” leading to “$300M in losses across DeFi.” KelpDAO cited independent reports from SEAL 911, Chainalysis, and other security researchers as pointing to the same origin.
KelpDAO said the attack involved a configuration known as a “1-of-1 verifier,” which relies on a single entity to validate cross-chain transactions. According to Kelp, attackers breached LayerZero’s infrastructure by compromising the verifier network’s RPC nodes and forcing the system to rely on tampered data, enabling fake transactions to be approved.
KelpDAO also said LayerZero later announced it would no longer sign or attest messages for applications using a 1-1 DVN configuration, calling the policy change a confirmation that the configuration was widely used and only changed after LayerZero “failed.”
In a separate post, KelpDAO said LayerZero personnel approved the configuration tied to the exploit and did not warn that it posed a security risk. KelpDAO argued that the 1-1 setup was not unique to Kelp and that it followed LayerZero’s documentation and default configurations.
KelpDAO further said the configuration was widely used across the ecosystem, pointing to data indicating a large share of applications relied on similar setups.
LayerZero disputed KelpDAO’s account in an April statement, saying the exploit was isolated to Kelp’s rsETH application and resulted from Kelp’s use of a single-verifier setup that went against the company’s recommended multi-verifier model.
KelpDAO responded that LayerZero’s framing “does not match the facts,” adding that the 1-1 configuration was publicly known and not exclusive to its system.
KelpDAO said the fallout extended beyond the technical dispute. It reported that about $71 million in crypto linked to the exploit was frozen on the Arbitrum network, leading to a legal fight in New York federal court.
KelpDAO said it is moving its rsETH system to Chainlink’s cross-chain interoperability protocol (CCIP). It said the new approach requires transactions to be approved by multiple independent validators rather than a single verifier.
Chainlink Chief Business Officer Johann Eid told Decrypt that the company is working with KelpDAO and that it believes DeFi needs “highly secure infrastructure” to reach its potential.
KelpDAO said it is “ensuring rsETH is secured by infrastructure that doesn't leave these questions open.” LayerZero did not immediately respond to a request for comment by Decrypt.
