Kelp Blames LayerZero for $292 Million Hack, Plans Switch to Chainlink

KelpDAO is blaming LayerZero for a $292 million exploit and plans to relaunch with a redesigned cross-chain strategy connected Chainlink, the radical announced connected X connected Tuesday.

“From the April 18 incident, it is wide that LayerZero's ain infrastructure was exploited, resulting successful $300M successful losses crossed DeFi,” Kelp DAO wrote connected X. “Independent reports from SEAL 911, Chainalysis, and different large starring information researchers each constituent to the aforesaid origin.”

In April, an onslaught drained astir 116,500 rsETH—an Ethereum-based staking token—from a cross-chain span utilized by Kelp, a protocol that lets users involvement Ethereum and determination tokens betwixt blockchains. The exploit has been linked to North Korea’s Lazarus Group.

In a abstracted post connected X, Kelp said LayerZero unit approved the configuration tied to the exploit and did not pass that it posed a information risk. The setup, known arsenic a 1-of-1 verifier, relies connected a azygous entity to validate cross-chain transactions.

Kelp said the onslaught stemmed from a breach of LayerZero’s infrastructure, wherever attackers compromised the verifier network’s RPC nodes and forced the strategy to trust connected tampered data, allowing fake transactions to beryllium approved.

“After the exploit, LayerZero announced it would nary longer motion oregon attest messages for immoderate exertion utilizing a 1-1 DVN configuration,” Kelp wrote. “That argumentation shift, made aft hundreds of millions of dollars were exploited, confirms that this was a wide utilized LayerZero configuration that LayerZero Labs lone changed aft it failed.”

In an April statement, LayerZero disputed that account, saying the exploit was isolated to Kelp’s rsETH exertion and resulted from its usage of a single-verifier setup that went against the company’s recommended multi-verifier model.

“That framing does not lucifer the facts,” Kelp DAO wrote. “It is simply a substance of nationalist domain that this 1-1 setup was not unsocial to Kelp.”

According to Kelp, it followed LayerZero’s documentation and default configurations. The institution besides said the setup was wide utilized crossed the ecosystem, pointing to information showing a ample stock of applications relied connected akin configurations.

Kelp said it is moving its rsETH strategy to Chainlink’s cross-chain interoperability protocol, wherever transactions indispensable beryllium approved by aggregate autarkic validators alternatively of a azygous verifier.

"We're committed to moving with the KelpDAO squad connected improving the cross-chain information of rsETH and supporting their migration to Chainlink CCIP," Chainlink Chief Business Officer Johann Eid told Decrypt. "We person agelong believed that successful bid for DeFi to scope its afloat imaginable of bringing trillions onchain, the ecosystem needs to beryllium underpinned by highly unafraid infrastructure."

The interaction of the exploit of Kelp has extended beyond the method dispute. About $71 cardinal successful crypto linked to the exploit was frozen connected the Arbitrum network, triggering a legal fight successful a New York national court.

“There are questions that the ecosystem deserves answers to,” Kelp DAO wrote. “And we are ensuring rsETH is secured by infrastructure that doesn't permission these questions open.”

LayerZero did not instantly respond to a petition for remark by Decrypt.