
Crypto Community Slams LayerZero: More Verifiers Won’t Stop The Next $290M Hack

LayerZero is facing heavy criticism for its response to the recent $290 million KelpDAO exploit after the omnichain interoperability protocol blamed Kelp’s 1-of-1 verifier configuration for the incident.

LayerZero Blames KelpDAO For $290M Exploit

Over the weekend, liquid restaking protocol KelpDAO was the victim of an attack that drained over $290 million in rsETH from the project after malicious actors exploited a weakness in the protocol’s LayerZero-powered bridge.

Two days later, LayerZero addressed the incident, which became the largest DeFi hack of 2026, just weeks after Drift Protocol’s $285 million exploit shocked the industry.

LayerZero attributed the “extremely subtle assault” to North Korea’s Lazarus Group, claiming that it was a crypto infrastructure attack rather than a protocol exploit, and affirming that “there may be zero contagion to some other cross-chain property or purposes.”

They explained that the protocol is built on a “basis of modular, application-configurable safety,” using Decentralized Verifier Networks (DVNs), independent entities responsible for verifying the integrity of cross-chain messages.

The malicious actors allegedly poisoned downstream RPC infrastructure by “compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to confirm transactions.”

Per the post, the attackers swapped binaries for a custom payload to forge messages and used DDoS attacks to force failover to the poisoned nodes, causing the DVN to confirm fake transactions.

Based on this, LayerZero placed responsibility on KelpDAO for using a 1-of-1 verifier configuration instead of following the multi-DVN recommendations: “This incident was isolated totally to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.”

Crypto Community Criticizes ‘Lack Of Accountability’

The crypto community reacted to the post-mortem, sharing its concerns about LayerZero’s response and criticizing the protocol for placing all responsibility on Kelp’s security setup.

“Imagine constructing a bridge and autos pays to cross, the bridge collapsed and also you stated it’s their fault for crossing the bridge. A traditional clownery act from Bunch of clowns with zero accountability,” X user Saint wrote.

Others questioned why LayerZero included a “1-of-1” configuration if the purpose of a DVN is customizable/modular security. “If the system permits this feature, it’s not the fault of the shopper who selected it—it’s a basic design flaw by the system that permitted it,” user Ditto wrote.

“At the end of the day, the actual fact stays that the DVN RPC was compromised. DVN is a LayerZero product, and they’re those who offered it to those groups,” he continued.

Similarly, Chainlink community supervisor Zach Rynes accused the protocol of deflecting responsibility for the compromise of its own DVN node.

He also criticized them for “throwing KelpDAO below the bus” for trusting LayerZero Labs’ setup that they “willingly assist and solely blocked after getting hacked, all whereas claiming the whole lot labored as designed.”

Meanwhile, Yearn Finance core team developer Artem Okay noted on X that the attack was described as a compromise of an RPC node and RPC poisoning, but that their own infrastructure is what was compromised. “Given it doesn’t say how the breach has occurred, I wouldn’t rush re-enabling the bridges,” he added.

Wrong Diagnosis, Wrong Fix?

Analyst The Smart Ape also claims that LayerZero made the wrong diagnosis and offered the wrong solution. Notably, the protocol’s post-mortem recommended migrating all applications with 1-of-1 DVN configurations to multi-DVN setups to prevent similar attacks.

However, the analyst pointed out that multi-verifier setups won’t stop the next multi-million-dollar attack, asserting that they will fail because all DVNs read chain state from the same handful of RPC providers, which are mostly clustered on AWS or GCP.

If 5 “independent” DVNs read from the same three RPC providers, an attacker who poisons those three RPCs will poison all 5 verifiers simultaneously. “If all of your verifiers get fooled in the identical method on the identical time, the maths collapses again to 1-of-1. Five clones aren’t 5 witnesses,” he added.

To solve this, the analyst suggested that every verifier run its own full node on different client software, hosted on different cloud providers, maintained by different ops teams, and peered with different subsets of the Ethereum network.

“The repair isn’t multi-anything. The repair is that verifiers ought to attest to their very own substrate, not simply to chain state. till you’ll be able to audit a DVN’s upstream topology, which RPC providers, which client software, which clouds, which areas, ‘M-of-N secured’ is advertising copy for a property that hasn’t really been constructed. Lazarus didn’t break cryptography on April 18. They broke three servers,” he concluded.
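
The analyst's shared-upstream argument can be checked as a configuration audit. The sketch below is an added example, not code from LayerZero, KelpDAO or the analyst: it computes the smallest set of upstream sources whose compromise fools the required number of DVNs. The DVN and provider names are constructed placeholders, and the rule that a DVN is fooled once a majority of its upstream sources is poisoned is an assumption.

```python
from itertools import combinations

def fooled(dvns, compromised):
    """Names of DVNs whose upstream sources are majority-compromised.

    Assumption: a DVN accepts a forged chain state once more than half of
    its distinct upstream sources (RPC providers or own nodes) are poisoned.
    """
    out = set()
    for name, sources in dvns.items():
        uniq = set(sources)
        if len(uniq & compromised) > len(uniq) // 2:
            out.add(name)
    return out

def min_compromise(dvns, required):
    """Smallest set of upstream sources whose compromise fools `required`
    DVNs, or None if impossible. Exhaustive search, fine for audit-sized input."""
    sources = sorted({s for srcs in dvns.values() for s in srcs})
    for k in range(1, len(sources) + 1):
        for combo in combinations(sources, k):
            if len(fooled(dvns, set(combo))) >= required:
                return set(combo)
    return None

# Constructed topologies (all names are placeholders).
SINGLE = {"dvn-1": ["rpc-a", "rpc-b", "rpc-c"]}
SHARED = {f"dvn-{i}": ["rpc-a", "rpc-b", "rpc-c"] for i in range(1, 6)}
OVERLAP = {"dvn-1": ["rpc-a", "rpc-b", "rpc-c"],
           "dvn-2": ["rpc-a", "rpc-b", "rpc-d"],
           "dvn-3": ["node-3"]}
DIVERSE = {f"dvn-{i}": [f"node-{i}"] for i in range(1, 6)}

def audit():
    """Upstream sources an attacker must control, per configuration."""
    return {
        "1-of-1": len(min_compromise(SINGLE, 1)),
        "5-of-5 shared RPCs": len(min_compromise(SHARED, 5)),
        "2-of-3 overlapping RPCs": len(min_compromise(OVERLAP, 2)),
        "5-of-5 own nodes": len(min_compromise(DIVERSE, 5)),
    }

if __name__ == "__main__":
    for config, cost in audit().items():
        print(f"{config}: {cost} upstream source(s)")
```

Under these assumptions the 5-of-5 setup on shared RPC providers costs the same number of compromised sources as the 1-of-1 setup, while the cost only scales with the verifier count when each DVN has its own upstream.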
