- KelpDAO says LayerZero’s own DVN infrastructure was breached on April 18, causing over $300M in DeFi losses.
- Independent researchers confirmed the attack originated inside LayerZero’s trust boundary, not from a Kelp configuration error.
- KelpDAO is migrating rsETH to Chainlink CCIP, citing Chainlink’s seven-year track record securing over $30 trillion in value.
KelpDAO is disputing LayerZero’s explanation of a security breach that happened on April 18th, which resulted in losses of over $300 million in the decentralized finance (DeFi) space.
The protocol published a comprehensive report that included insights from security researchers, internal discussions, and information from the blockchain.
KelpDAO claims the problem wasn’t a mistake they made, but a security issue with LayerZero’s own systems.
The team now uses Chainlink’s CCIP to keep rsETH secure, completing a full switch to this system.
LayerZero Infrastructure Breach Draws Independent Scrutiny
On April 18, 2026, hackers targeted LayerZero’s network, stealing more than $300 million from various DeFi platforms.
KelpDAO identified two more fake transactions worth $100 million and quickly stopped its systems to prevent any further losses.
LayerZero explained the incident as a result of an RPC-spoofing attack, but researchers from SEAL 911 and others believe the problem actually started within LayerZero’s own systems.
According to a security researcher, the recent LayerZero incident wasn’t caused by RPC poisoning, but instead by a security failure within their own systems.
A separate report indicated that the only required Decentralized Verifier Network (DVN) was the one labeled LayerZero on Etherscan, which greatly narrowed the potential source of the problem.
SEAL 911’s investigation confirmed that hackers, strongly believed to be connected to North Korea, tricked the LayerZero network into providing a false verification.
Hackers gained access to two network points used by LayerZero’s system, then overloaded the remaining points with traffic. This tricked the system’s validators into approving a fake transaction.
LayerZero admitted in a report that attackers got into its system by accessing the addresses of its network nodes and replacing the standard software with compromised versions. Specifically, they gained access to the list of addresses, took control of two of them, and swapped out the software running on those nodes.
Following the recent security incident with LayerZero, we’re enhancing the security of rsETH by moving to the CCIP standard.
The incident on April 18th revealed that LayerZero’s systems were hacked, causing approximately $300 million in losses for users of decentralized finance (DeFi) applications.
— Kelp (@KelpDAO)
Looking at the data from Dune Analytics, I’ve found that around 47% of LayerZero OApp contracts are currently set up with a 1-to-1 DVN configuration. What’s even more significant is that over 90% of all LayerZero messages over the last 90 days have been routed through the LayerZero Labs DVN. This suggests a strong reliance on the Labs DVN for message delivery.
This statement clashes with what LayerZero’s Bryan said in December 2024. He stated then that no projects were using a specific LayerZero setup (a 1-1 DVN) – the same setup rsETH was using when it held around $200 million in value.
KelpDAO Cites Approved Configurations and Moves to Chainlink
KelpDAO says a LayerZero Labs team member specifically approved their 1-to-1 DVN setup in a Telegram conversation.
For over two and a half years, and through eight separate discussions about integrating with LayerZero, no one identified this setup as a security concern. Furthermore, LayerZero’s official guides still show a basic, one-to-one configuration as the default, without mentioning or offering an alternative, more secure setup.
Researchers discovered that LayerZero’s standard setup on Amazon Web Services (AWS) left a public gateway unprotected. This gateway lacked essential security measures like user authentication, a web application firewall, and restrictions on which IP addresses could access it.
According to one report, the system was set to require only one node to be active at a time. This meant that backup systems only took over if the primary system failed, and didn’t participate in making decisions with multiple providers.
A researcher also noted that Remote Procedure Calls (RPCs) are generally accessible to the public, which supports the finding that the system didn’t rely on multiple sources to agree on information.
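The difference between the failover behaviour described above and a multi-provider quorum read, as an added example that is not code from LayerZero, KelpDAO or the researchers. The five-provider pool, the majority threshold and all names and values are assumptions made for illustration.

```python
from collections import Counter

class Unavailable(Exception):
    """Provider cannot be reached (for example, flooded with traffic)."""

class QuorumNotMet(Exception):
    """Too few providers agree on a single answer."""

HONEST, FORGED = "0xhonest", "0xforged"  # constructed sample values

def make_provider(answer, up=True):
    # Constructed stand-in for one RPC endpoint returning a fixed answer.
    def call(_query):
        if not up:
            raise Unavailable()
        return answer
    return call

def read_failover(providers, query):
    # One active provider at a time: the first reachable answer is trusted.
    for call in providers:
        try:
            return call(query)
        except Unavailable:
            continue
    raise Unavailable("no provider reachable")

def read_quorum(providers, query):
    # Threshold is a majority of the configured pool, not of responders,
    # so knocking providers offline cannot shrink the denominator.
    threshold = len(providers) // 2 + 1
    votes = Counter()
    for call in providers:
        try:
            votes[call(query)] += 1
        except Unavailable:
            pass
    for value, count in votes.most_common(1):
        if count >= threshold:
            return value
    raise QuorumNotMet(f"{dict(votes)} below threshold {threshold}")

def pool(honest_up):
    # Five providers (assumed size): two return the forged value.
    return [make_provider(HONEST, honest_up), make_provider(FORGED),
            make_provider(HONEST, honest_up), make_provider(FORGED),
            make_provider(HONEST, honest_up)]
```

With the honest providers unreachable, `read_failover(pool(False), q)` returns the forged value, while `read_quorum` raises `QuorumNotMet` and the verifier fails closed.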
The system is now switching rsETH over to Chainlink’s CCIP and its standard for cross-chain tokens. Chainlink’s network of data providers has already helped secure over $30 trillion in transactions over the past seven years.
KelpDAO highlighted Chainlink’s consistent uptime, even during several widespread disruptions, making it a reliable option for future infrastructure needs.
KelpDAO pointed out a potential issue with the LayerZero Labs and Nethermind DVNs having some of the same people in charge.
As of April 8th, ten addresses were identified as having administrative access to both contracts. The team believes this overlap raises concerns about whether the DVNs are functioning as separate entities.
We’ll share a complete report after the review is finished, but right now, our main focus is protecting users’ assets.
2026-05-06 14:40