LayerZero Apologizes for Kelp DAO Exploit Response, Cites Verifier Fault

LayerZero published a public apology on May 8, 2026, acknowledging that its communications following the Kelp DAO exploit fell short and that a single-verifier setup fault was central to the roughly $290 million breach.

The post, titled "LayerZero Update," opened with a direct apology for how the cross-chain messaging protocol handled its response after the April 18 exploit drained approximately $290 million in rsETH from KelpDAO's bridge infrastructure.

LayerZero said its own internal RPCs used by the LayerZero Labs DVN were attacked while external RPC providers were simultaneously hit with distributed denial-of-service attacks. The company described the incident as a coordinated assault on multiple layers of its verification infrastructure.

What LayerZero Admitted About the Verifier Configuration

The core admission in LayerZero's update was that it made a mistake by allowing its Labs DVN to operate as a 1-of-1 verifier for high-value transactions. The company said it will more actively monitor unsafe configurations going forward.

A Decentralized Verifier Network, or DVN, is the component in LayerZero's architecture responsible for validating that a cross-chain message is legitimate before funds are released on the destination chain. In a 1-of-1 setup, a single entity handles all verification, creating a concentrated point of failure.

That concentrated trust proved catastrophic. Galaxy Research reported that the attacker unlocked 116,500 rsETH from Ethereum mainnet escrow by exploiting this single-verifier OFT bridge configuration. With no secondary verifier to flag the fraudulent message, the bridge released the funds.

Broader Fallout Across DeFi Markets

The exploit's effects extended well beyond KelpDAO. Galaxy Research reported that the breach froze multiple Aave markets and coincided with a $15 billion drop in DeFi total value locked, a reminder of how interconnected DeFi protocols remain, similar to the volatility that recently swept through Bitcoin markets.

LayerZero attempted to frame the scope of the damage, stating that only 0.14% of LayerZero applications were impacted and approximately 0.36% of LayerZero asset value was affected. The company also noted that more than $9 billion has moved across LayerZero since April 19, suggesting continued usage despite the breach.

KelpDAO, for its part, is not waiting for further reassurances. Decrypt reported on May 5 that KelpDAO plans to move its rsETH cross-chain system to Chainlink CCIP, abandoning LayerZero's infrastructure entirely.

According to unconfirmed reports, KelpDAO has alleged that LayerZero personnel approved the 1-of-1 verifier setup that LayerZero later cited as the root cause. This claim, reported as KelpDAO's position, has not been independently verified through KelpDAO's original memo.

Accountability and What It Signals for DeFi Infrastructure

LayerZero's preliminary attribution pointed to North Korea's Lazarus Group, specifically the TraderTraitor cluster, though this remains the company's own assessment and has not been presented as confirmed law-enforcement attribution. LayerZero said it is cooperating with multiple law-enforcement agencies.

The recovery effort has its own complications. Reports indicate a New York federal court fight over $71 million in frozen Arbitrum-linked funds is part of the broader post-exploit landscape. The legal dimension adds uncertainty for affected users, much as recent warnings about infrastructure-level attacks on Bitcoin have highlighted how protocol-layer vulnerabilities can have cascading consequences.

At press time, the ZRO token traded at $1.50, up 4.27% over the previous 24 hours, with a market cap of approximately $379 million. The broader crypto market sentiment sat at 48 on the Fear and Greed Index, firmly in neutral territory.

The public apology marks an unusual step for a major protocol. Cross-chain bridge exploits have become among the costliest categories of DeFi security failures, and LayerZero's admission that it should have prevented a single-verifier configuration on high-value routes places responsibility squarely on its own design oversight, not just the attacker's sophistication.

Whether that accountability translates into meaningful architectural changes across the broader bridge ecosystem, or simply accelerates the migration to competing solutions like Chainlink CCIP, will depend on how protocols reassess their own verifier configurations in the weeks ahead.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.