Kelp DAO and LayerZero Lock Horns Over $292 Million DeFi Hack: A Blame Game Unfolds
A staggering $292 million hack has not only marked the largest DeFi theft this year but has also ignited a contentious “Rashomon” of blame between the liquidity restaking protocol Kelp DAO and cross-chain infrastructure provider LayerZero. As external scrutiny intensified, Kelp DAO issued a robust statement on Monday, vehemently refuting allegations of its negligence and squarely shifting responsibility for the security breach onto LayerZero.
The incident, which occurred on April 18th, saw Kelp DAO – a protocol built upon LayerZero’s cross-chain technology – suffer a massive exploit, resulting in the loss of 116,500 rsETH tokens, valued at approximately $292 million. This unprecedented breach now stands as the most significant DeFi hacking incident of 2024.
LayerZero’s Initial Findings: Lazarus Group and a “Single Point of Failure”
On Sunday, LayerZero was the first to release its preliminary investigation report, pointing to the notorious North Korean hacking syndicate, the Lazarus Group, as the likely perpetrators. The report detailed a sophisticated attack vector:
- Hackers initially compromised the RPC node list utilized by LayerZero’s Decentralized Verifier Network (DVN), which is responsible for authenticating cross-chain messages.
- Subsequently, two of these RPC nodes were “poisoned,” while the remaining nodes were subjected to a Distributed Denial of Service (DDoS) attack.
- This strategic maneuver forced the system to switch to the compromised nodes, so the DVN received and signed fraudulent cross-chain messages, ultimately approving the unauthorized token transfer.
Crucially, LayerZero’s report cast a critical light on Kelp DAO’s security architecture, specifically its adoption of an “extremely fragile ‘1-of-1 DVN’ (single verifier node) configuration.” LayerZero emphasized that this design fundamentally lacked independent verification mechanisms, creating a fatal “single point of failure” within the system that rendered it incapable of intercepting malicious cross-chain messages.
LayerZero asserted, “We, along with external experts, had previously advised Kelp DAO multiple times to decentralize their DVN node configuration to enhance security. Despite these recommendations, Kelp insisted on utilizing the 1-of-1 DVN configuration.”
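The single point of failure described in the report can be seen in a small model; this is an added example written for this article, not LayerZero's or Kelp DAO's code. It compares a 1-of-1 verifier setup with a 2-of-3 threshold when one verifier's RPC view is poisoned. All names, endpoints and hashes are constructed, and the "trust the first endpoint that answers" failover is an assumption about how the switch to the compromised nodes worked.

```python
from dataclasses import dataclass

# Constructed sample data: labels standing in for packet hashes, not real chain data.
GENUINE = "hash-of-packet-emitted-on-source-chain"
FORGED = "hash-of-attacker-packet"

@dataclass
class Verifier:
    """Hypothetical model of one verifier that reads the source chain via RPC."""
    name: str
    rpc_views: dict  # endpoint -> packet hash it reports, or None if unreachable

    def attest(self, claimed_hash):
        # Assumed naive failover: believe the first endpoint that still answers.
        for view in self.rpc_views.values():
            if view is not None:
                return view == claimed_hash
        return False  # nothing reachable: refuse to sign

def accepted(claimed_hash, verifiers, required):
    """Destination-side rule: deliver only if `required` verifiers attest."""
    votes = sum(v.attest(claimed_hash) for v in verifiers)
    return votes >= required

# Verifier A: healthy endpoints knocked offline, two poisoned ones still answer.
dvn_a = Verifier("dvn-a", {"rpc-1": None, "rpc-2": None,
                           "rpc-3": FORGED, "rpc-4": FORGED})
# Verifiers B and C: independent operators with their own, unaffected endpoints.
dvn_b = Verifier("dvn-b", {"rpc-5": GENUINE})
dvn_c = Verifier("dvn-c", {"rpc-6": GENUINE})

def scenario():
    return {
        "forged_1_of_1": accepted(FORGED, [dvn_a], required=1),
        "forged_2_of_3": accepted(FORGED, [dvn_a, dvn_b, dvn_c], required=2),
        "genuine_2_of_3": accepted(GENUINE, [dvn_a, dvn_b, dvn_c], required=2),
    }

if __name__ == "__main__":
    for case, delivered in scenario().items():
        print(f"{case}: {'delivered' if delivered else 'rejected'}")
```

The threshold only helps when the verifiers do not share RPC endpoints; if B and C read from the same poisoned list, they attest the forged packet too.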
Kelp DAO Fires Back: “Default Option” and “Explicit Confirmation”
In response to LayerZero’s stern accusations of disregarding security advice, Kelp DAO swiftly launched a counter-offensive on social media platform X, directly challenging LayerZero’s narrative. Kelp DAO contended that the very “1-of-1 DVN configuration” deemed responsible for the catastrophic breach in fact originated with LayerZero itself.
Kelp DAO’s statement refuted LayerZero’s claims:
“The so-called single-point verification configuration is explicitly documented in LayerZero’s official technical documentation, presented as the ‘default option’ for any newly established Omnichain Fungible Token (OFT) – a token standard enabling seamless multi-chain transfers. Kelp has been operating on LayerZero’s infrastructure since January 2024, maintaining open communication channels with the LayerZero team throughout.”
Kelp DAO further elaborated that during discussions regarding the protocol’s expansion to Layer 2, the DVN configuration was thoroughly reviewed. At that time, the single verifier node default setting received “explicit confirmation as appropriate” from LayerZero’s official team.
“An accurate event reconstruction process, based on mutual consensus, is the foundation for us to collectively implement the correct remedial measures,” Kelp DAO stated, subtly implying that LayerZero should not be so quick to deflect responsibility.
Mitigation and the Path Forward
Despite the ongoing dispute over who is accountable for the vulnerability, Kelp DAO underscored the crisis management actions it took immediately after the incident. These measures included the emergency suspension of relevant smart contracts and the blacklisting of all associated hacker wallet addresses, successfully containing the damage and preventing further losses.
Currently, the Kelp team is meticulously evaluating its next steps for security enhancement, aiming to restore the protocol to secure operation as swiftly as possible.
Disclaimer: This article is for market information purposes only. All content and views are for reference only and do not constitute investment advice. They do not represent the views or positions of BlockTempo. Investors should make their own decisions and transactions. The author and BlockTempo will not bear any responsibility for direct or indirect losses incurred by investors’ transactions.
