KelpDAO Slams LayerZero After $300M Exploit, Shifts rsETH to Chainlink CCIP

Following a $300 million exploit on April 18, 2026, KelpDAO has publicly challenged LayerZero Labs’ account of the incident, alleging that the bridge provider is deflecting blame for its own infrastructure failures.

Key Takeaways

  • Lazarus Group stole $300 million in rsETH on April 18 after breaching LayerZero’s core infrastructure.
  • Over 47% of LayerZero OApps used the 1-1 DVN setup that the provider previously verified as secure.
  • KelpDAO is migrating rsETH to Chainlink CCIP and the CCT standard to enhance cross-chain security.

The Dispute Over Network Configuration

KelpDAO has issued a blistering response to LayerZero Labs following an April 18 exploit that drained more than $300 million in DeFi assets, primarily in the form of rsETH. In a public statement that contradicts LayerZero’s official post-mortem, KelpDAO alleges the bridge provider is “blaming users” for a systemic failure in its own core infrastructure.

The exploit, which has been linked with high confidence to the Lazarus Group, resulted in the fraudulent minting and release of assets. While KelpDAO managed to block an additional $100 million in forged transactions by pausing contracts, the fallout has triggered a massive shift in the DeFi landscape. KelpDAO subsequently announced an immediate migration to Chainlink CCIP.

The central dispute lies in the cause of the breach. LayerZero’s post-mortem framed the incident as a “KelpDAO configuration issue,” specifically targeting Kelp’s use of a 1-of-1 decentralized verifier network (DVN) setup where LayerZero Labs was the sole validator. However, KelpDAO has fired back, citing Dune analysis showing that 47% of LayerZero OApp contracts (more than 1,200 applications) use the same 1-1 DVN “security floor.”

Kelp points out that LayerZero’s own OFT quickstart guide and default templates recommend the 1-1 setup with LayerZero Labs as the sole required DVN. The project also shared screenshots of Telegram conversations purportedly showing LayerZero team members assuring Kelp that “defaults were fine” during 8 separate integration discussions over 2 years.

In a post on X setting the record straight, Kelp broke down what LayerZero admits to and what it conveniently ignores in its post-mortem. According to the post, LayerZero admitted that attackers gained access to the list of RPCs its DVN uses and confirmed that 2 independent nodes were compromised and binaries were swapped. Furthermore, Kelp cites LayerZero’s banning of 1-1 configurations after the $300 million loss as another form of admission.

However, according to Kelp, the post-mortem ignored that LayerZero’s own documentation pushed developers toward the vulnerable 1-1 setup. It also fails to explain why LayerZero’s monitoring systems failed to detect the hack, leaving Kelp to flag the issue.

“The simple truth: LayerZero blamed their users for an issue that was caused by their own infrastructure failure,” KelpDAO asserted in the post.

To support its conclusion, Kelp cited independent reviews that surfaced several critical vulnerabilities allegedly present at the time of the attack. These include findings that the default deployment exposed public gateways stripped of common security measures like WAF or IP allowlists. A review by Chainalysis determined that LayerZero set a low 1-1 RPC quorum default, meaning if 1 node was poisoned, the DVN signed the forged message without cross-checking others.
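
The RPC quorum point above, as an added example that is not LayerZero's or KelpDAO's code: a verifier that signs only the payload digest a threshold of RPC endpoints agree on, and reports dissenting endpoints for monitoring. The endpoint names, `check_quorum` and the sample messages are hypothetical and constructed for illustration.

```python
import hashlib
from collections import Counter

def digest(payload: bytes) -> str:
    """Digest of the cross-chain payload an RPC endpoint reports."""
    return hashlib.sha256(payload).hexdigest()

def check_quorum(answers: dict, quorum: int):
    """answers maps endpoint name -> reported payload digest (None = no reply).

    Returns (digest_to_sign or None, sorted list of dissenting endpoints).
    """
    if not 1 <= quorum <= len(answers):
        raise ValueError("quorum must be between 1 and the number of endpoints")
    counts = Counter(d for d in answers.values() if d is not None)
    if not counts:
        return None, []
    top, votes = counts.most_common(1)[0]
    # Require the threshold AND a strict majority of configured endpoints,
    # so two conflicting digests can never both qualify.
    ok = votes >= quorum and votes * 2 > len(answers)
    dissent = sorted(n for n, d in answers.items() if d is not None and d != top)
    return (top if ok else None), dissent

# Constructed sample data (not taken from the incident).
REAL = digest(b"constructed: genuine source-chain message")
FORGED = digest(b"constructed: forged message from a poisoned node")

def demo():
    """Run the four cases and return their (digest_to_sign, dissent) results."""
    return {
        # 1-of-1: the single poisoned endpoint is believed, nothing dissents.
        "one_of_one": check_quorum({"rpc-a": FORGED}, quorum=1),
        # 2-of-3 with one poisoned endpoint: honest digest wins, rpc-a flagged.
        "two_of_three": check_quorum(
            {"rpc-a": FORGED, "rpc-b": REAL, "rpc-c": REAL}, quorum=2),
        # Split answers with one endpoint down: refuse to sign.
        "split": check_quorum(
            {"rpc-a": FORGED, "rpc-b": REAL, "rpc-c": None}, quorum=2),
        # Two of three poisoned: quorum is defeated, but dissent is visible.
        "two_poisoned": check_quorum(
            {"rpc-a": FORGED, "rpc-b": FORGED, "rpc-c": REAL}, quorum=2),
    }

if __name__ == "__main__":
    for case, (to_sign, dissent) in demo().items():
        print(case, "sign" if to_sign else "hold", dissent)
```

A quorum only holds while fewer endpoints than the threshold are compromised, so a non-empty dissent list is worth alerting on even when signing proceeds.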

To demonstrate its loss of confidence in LayerZero, Kelp said it is transitioning rsETH from the LayerZero OFT standard to Chainlink’s Cross-Chain Token (CCT) standard.

“Our number-one priority remains the security of our users’ assets,” KelpDAO noted, citing Chainlink’s seven-year track record and its secure decentralized oracle network.