Kelp DAO claims a basic, single-validator configuration on LayerZero contributed to a $290 million hack of the rsETH bridge, leading to disputes and a hurried effort to improve security.
Summary
- Kelp DAO disputes LayerZero’s post‑mortem on the $290m rsETH bridge hack, saying a risky 1/1 validator setup was LayerZero’s own default
- The exploit drained 116,500 rsETH, around $290–$293m and roughly 18% of rsETH’s supply, in what analysts call 2026’s largest DeFi loss so far
- LayerZero now says it will stop signing messages for any app using a single‑validator DVN and force a migration to multi‑verifier security
Kelp DAO disputes LayerZero’s account of a $290 million bridge hack, claiming the vulnerability – which allowed an attacker to steal 116,500 rsETH – was due not to risky settings but to how LayerZero originally instructed users to set up the system.
The liquidity restaking protocol told CoinDesk that the single Decentralized Verifier Network (DVN) used for its rsETH cross-chain transfers operated using standard settings from LayerZero. It also said that the validator system targeted by the attacker belonged to LayerZero itself, not an external, unverified provider.
On April 18th, an attack resulted in the creation of 116,500 rsETH – approximately 18% of the total supply – and its transfer to an address controlled by the attacker. Losses came to around $290 to $293 million, making it the largest exploit in the decentralized finance (DeFi) space so far this year.
Single‑validator blame game after rsETH exploit
LayerZero maintains that its protocol functioned as intended, and attributes the recent issue to Kelp DAO’s use of a vulnerable system—a ‘single point of failure’—when deploying a token with over $1 billion locked in it. Their investigation report and subsequent comments emphasize that the problem wasn’t with LayerZero’s technology itself.
As a researcher investigating this issue, I found that the system’s design, with a single point of failure, meant there was no built-in safeguard to detect and block fraudulent messages. We had previously advised Kelp DAO and our other collaborators on the importance of diversifying their Data Verification Network (DVN) to prevent this kind of vulnerability, outlining what we considered best practices.
Security experts, including Yu Xian from SlowMist, have discovered a weakness in the rsETH bridge. It relied on a single signature for authorization – instead of requiring multiple approvals – making it vulnerable to attack. This “single point of failure” may have been exploited through tricking someone into signing off on a malicious transaction.
According to a report from DeFiPrime, LayerZero’s system allows apps to decide how many approvals are needed to confirm a transaction, with most high-value apps using either 2 out of 3 or 3 out of 5 approvals. However, the report found that Kelp’s setup only required approval from a single source controlled by LayerZero Labs.
The design flaw meant a single, falsified approval could make a message appear legitimate across different blockchains. This allowed the attacker to trick the bridge into thinking a valid message came from another chain, resulting in the unauthorized release of 116,500 rsETH to their account, essentially creating funds from nothing.
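The approval thresholds described above can be audited mechanically. The sketch below is an added example, not code from LayerZero, Kelp DAO or the reports cited; the `Verifier` and `Pathway` types, the operator labels and the sample routes are constructed assumptions. It counts how few distinct operators would have to be compromised for a message to be accepted, which flags a 1/1 setup and also a 2-of-3 setup where two verifiers share one operator.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Verifier:
    name: str      # label of the verifier (hypothetical)
    operator: str  # entity holding its signing key (hypothetical)


@dataclass(frozen=True)
class Pathway:
    name: str
    verifiers: tuple  # Verifier entries configured for this route
    threshold: int    # approvals required before a message is accepted


def min_operators_to_approve(p):
    """Fewest distinct operators whose keys together reach the threshold."""
    if not 1 <= p.threshold <= len(p.verifiers):
        raise ValueError(f"{p.name}: threshold {p.threshold} is not satisfiable")
    # Verifiers run by one operator fail together, so group them and take
    # the largest groups first: that minimises the operators needed.
    sizes = sorted(Counter(v.operator for v in p.verifiers).values(), reverse=True)
    approvals = 0
    for needed, count in enumerate(sizes, start=1):
        approvals += count
        if approvals >= p.threshold:
            return needed  # always reached, since threshold <= len(verifiers)


def audit(pathways, min_operators=2):
    """Return (route, operators needed) for every route below the policy."""
    scored = [(p.name, min_operators_to_approve(p)) for p in pathways]
    return [(name, n) for name, n in scored if n < min_operators]


# Constructed sample configurations, not taken from any real deployment.
SAMPLE = [
    Pathway("route-a", (Verifier("dvn-1", "op-alpha"),), 1),           # 1 of 1
    Pathway("route-b", (Verifier("dvn-1", "op-alpha"),
                        Verifier("dvn-2", "op-alpha"),
                        Verifier("dvn-3", "op-beta")), 2),             # 2 of 3
    Pathway("route-c", tuple(Verifier(f"dvn-{i}", f"op-{i}")
                             for i in range(5)), 3),                   # 3 of 5
]

if __name__ == "__main__":
    for name, n in audit(SAMPLE):
        print(f"{name}: {n} operator(s) can approve a message alone")
```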
The Kelp DAO team argues they used publicly available code and standard settings from LayerZero across different networks. They also state the vulnerability that was exploited was actually controlled by LayerZero, suggesting LayerZero shares responsibility for the issue, not just the application itself.
LayerZero is now taking a significant step to improve security. They’ve announced they will no longer support applications that rely on just one validator, and are requiring all developers to upgrade their systems to use multiple validators if they want to continue using the LayerZero protocol. This upgrade is being called a “security migration.”
The fallout goes well beyond one re‑staking token.
As we previously reported at crypto.news regarding the rsETH hack and LayerZero’s claim that North Korea’s Lazarus Group was responsible, the event has sparked a larger discussion about how cross-chain bridges are built, their standard settings, and who is accountable when these complex systems fail.
2026-04-20 20:01