
LayerZero, a cross-chain messaging protocol, has publicly apologized for how it handled communications after a major security incident involving Kelp DAO. In an update posted on its official blog, the company acknowledged shortcomings in its initial response and said it takes direct responsibility for a critical flaw in its decentralized verifier network (DVN) configuration that enabled the exploit. The apology marks a shift toward more direct and timely transparency.
LayerZero said the core protocol was not compromised. Instead, the breach resulted from an attack on the company’s internal remote procedure call (RPC) infrastructure.
According to the update, hackers from the Lazarus Group poisoned the data source used by LayerZero Labs’ DVN, while an external RPC provider was hit by a distributed denial-of-service (DDoS) attack.
LayerZero said the issue centered on a “single-verifier setup.” The company has historically supported developer autonomy, allowing projects to choose their own security parameters for cross-chain transfers. However, LayerZero executives acknowledged they made a serious error by not restricting their own DVN from operating in a 1-of-1 mode for high-value assets.
The company said this created a single point of failure that went unnoticed. “We didn’t police what our DVN was securing, which created a risk we simply didn’t see,” the statement said, describing full ownership of the lapse.
LayerZero said the affected application accounted for just 0.14 percent of total deployments and about 0.36 percent of overall asset value secured on the network. Despite the small share, the company said the financial impact was substantial.
LayerZero said that for three weeks after the April incident, it focused on delivering a thorough technical analysis rather than addressing concerns directly. Company leaders now say this approach fell short, prioritizing exhaustive details over clear and immediate transparency.
LayerZero pledged stronger proactive measures, including increased educational efforts and active monitoring of application configurations to encourage safer practices.
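The 1-of-1 risk and the configuration monitoring described above can be expressed as a policy check over an inventory of application settings. The following is an added example, not LayerZero's code or tooling; the record schema, the value threshold, the minimum quorum and the sample data are all hypothetical assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical policy values; the article gives no dollar figure for "high-value".
HIGH_VALUE_USD = 1_000_000
MIN_QUORUM_HIGH_VALUE = 2

@dataclass
class PathwayConfig:
    """Constructed, simplified view of one application's verifier settings."""
    app: str
    value_secured_usd: float
    required_dvns: list = field(default_factory=list)
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

def effective_quorum(cfg):
    """Distinct verifiers that must all attest before a message is accepted."""
    required = {d.lower() for d in cfg.required_dvns}
    # A verifier listed twice (or in both lists) still counts once.
    optional = {d.lower() for d in cfg.optional_dvns} - required
    if cfg.optional_threshold < 0 or cfg.optional_threshold > len(optional):
        raise ValueError(f"{cfg.app}: optional threshold not satisfiable")
    return len(required) + cfg.optional_threshold

def audit(configs):
    """Return (app, finding) pairs for configs that violate the policy."""
    findings = []
    for cfg in configs:
        try:
            quorum = effective_quorum(cfg)
        except ValueError as exc:
            findings.append((cfg.app, f"invalid: {exc}"))
            continue
        if quorum == 0:
            findings.append((cfg.app, "no verifier required"))
        elif cfg.value_secured_usd >= HIGH_VALUE_USD and quorum < MIN_QUORUM_HIGH_VALUE:
            findings.append((cfg.app, f"{quorum}-verifier quorum on high-value asset"))
    return findings

# Constructed sample inventory: names, addresses and values are made up.
SAMPLE = [
    PathwayConfig("app-a", 250_000_000, ["0xAAA1"]),                         # 1-of-1
    PathwayConfig("app-b", 250_000_000, ["0xAAA1", "0xaaa1"]),               # same DVN twice
    PathwayConfig("app-c", 250_000_000, ["0xAAA1"], ["0xBBB2", "0xCCC3"], 1),
    PathwayConfig("app-d", 50_000, ["0xAAA1"]),                              # low value
    PathwayConfig("app-e", 5_000_000, ["0xAAA1"], ["0xBBB2"], 2),            # bad threshold
]
```

Calling `audit(SAMPLE)` flags app-a and app-b as single-verifier setups on high-value assets and app-e as an unsatisfiable configuration, while app-c and app-d pass.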
LayerZero addressed questions about asset safety by pointing to continued network activity without further incidents. It said that over $9 billion in value has moved across LayerZero since mid-April.
The company also provided guidance for developers, including:
LayerZero said it revisited an unrelated internal matter from three and a half years ago, when a multisig signer inadvertently used a company device for a personal transaction. The individual was removed promptly, wallets were rotated, and new safeguards were implemented, including a custom OneSig multisig and anomaly detection tools.
The update also described ongoing development of tools such as the Console platform, which LayerZero says helps issuers manage configurations, detect anomalies, and integrate advanced signing. The company said these steps are intended to prevent similar vulnerabilities and strengthen trust in decentralized finance infrastructure.
LayerZero said it continues collaborating with external security experts to complete a full post-mortem. The company framed the incident as a reminder of the challenges in DeFi, where cross-chain bridges must balance flexibility with rigorous oversight. By acknowledging its role in single-verifier oversight, LayerZero said it is committing to evolve its ecosystem in a more responsible manner.