Kelp DAO rsETH migration to Chainlink’s cross-chain infrastructure is underway following the $292 million exploit in April. The DeFi protocol pinned responsibility on LayerZero’s bridge setup whilst LayerZero’s chief executive disputed the account and promised an external audit within days.
Hackers lifted 116,500 restaked ETH tokens on 18 April from Kelp DAO‘s LayerZero-powered bridge. The tokens were then used as collateral on Aave v3 to borrow wrapped Ether. Kelp DAO announced the rsETH migration to Chainlink CCIP on Tuesday, citing the need for a more secure cross-chain path after what it described as the LayerZero exploit.
Kelp DAO rsETH migration driven by DVN dispute
The argument centres on the decentralised verifier network configuration that sat behind the bridge. LayerZero released a postmortem a day after the breach arguing the hack occurred because Kelp relied on a single LayerZero DVN as the only verified path rather than requiring multiple independent checks to validate cross-chain transactions. LayerZero said it had advised against this setup.
Kelp pushed back. The protocol said Tuesday the 1-1 setup is the default and is used by roughly half of LayerZero users according to analytics platform Dune. Kelp also accused LayerZero of approving the setup and failing to warn about the related security risk.
| Metric | Detail |
|---|---|
| Amount stolen | 116,500 rsETH |
| Value at time | $292 million |
| Date | 18 April |
| Bridge provider | LayerZero |
| New provider | Chainlink CCIP |
Kelp DAO has operated on LayerZero infrastructure since January 2024 and said it maintained an open communication channel with the LayerZero team throughout. The question of DVN configuration came up multiple times and these configurations were confirmed as secure at that time, according to Kelp.
LayerZero disputes Kelp DAO rsETH migration narrative
Bryan Pellegrino, co-founder and chief executive of LayerZero, said in a reply that many of Kelp’s claims were completely untrue. He argued that Kelp originally used the defaults, which were multi-DVN, and later manually changed to a 1-1 configuration, which isn’t recommended for production applications.
Pellegrino said the defaults Kelp referenced were multiDVN or DeadDVN, which force-reject an application using the defaults at all and require manual configuration. He added that rsETH was originally configured to use the default LayerZero configuration of a multiDVN setup of LayerZero Labs and Google.
A complete postmortem by external security firms will be published soon, according to Pellegrino.
Broader contagion from the exploit
The Kelp DAO hack has been one of the year’s largest security incidents. The exploit caused broader ecosystem contagion and impacted the interconnected crypto lending market. Following the hack, LayerZero announced it will no longer validate or approve cross-chain messages for any app that relies on a single verifier. The firm is in the process of migrating protocols using the setup to a multi-DVN.
North Korea-linked hackers are suspected of being behind the attack on Kelp and the 1 April exploit of decentralised exchange Drift, which totalled $285 million.
The Kelp DAO rsETH migration closes one chapter in a dispute that will likely run until the external audit lands. Question is whether the postmortem shifts the blame or confirms the original LayerZero account of inadequate setup.
This article is for information purposes only and does not constitute investment advice. Readers should not act on any information contained here without first consulting an authorised financial adviser. Past performance is not a reliable indicator of future results.
