LayerZero Apologizes for Kelp DAO Exploit Response and Admits Security Mistake

LayerZero has issued a public apology over its handling of the $292 million Kelp DAO exploit, acknowledging communication failures and admitting that a key security setup should never have been allowed for high-value transactions.

LayerZero Accepts Responsibility After Kelp DAO Exploit

In a public statement released three weeks after the April 18 attack, LayerZero admitted it failed to communicate clearly during the crisis and should have responded more directly.

The exploit drained approximately $292 million in rsETH from Kelp DAO’s cross-chain bridge. Initially, LayerZero said the protocol had worked as intended and placed responsibility on Kelp DAO’s configuration choices. However, the company has now acknowledged mistakes in its own system design.

LayerZero admitted it should not have allowed its Decentralized Verifier Network (DVN) to operate as a single verifier, known as a 1/1 setup, for high-value transactions.

Lazarus Group Blamed for Attack

The company attributed the exploit to North Korea-linked Lazarus Group hackers, claiming attackers compromised internal RPC nodes while launching distributed denial-of-service attacks against external infrastructure.

According to LayerZero, the attackers manipulated blockchain data feeds, allowing fraudulent cross-chain messages to appear valid.

Security Changes Introduced After Hack

Following the exploit, LayerZero announced several security upgrades. The platform will no longer support single-verifier configurations and plans to require at least three to five independent verifiers across pathways.

The company is also increasing multisig security requirements, improving monitoring systems, and building additional verifier clients to reduce infrastructure risks.

The incident has already affected confidence in the protocol, with major projects including Kelp DAO and Solv Protocol recently moving parts of their cross-chain infrastructure elsewhere over security concerns.