Kelp DAO Abandons LayerZero Over $300M Exploit Concerns

Kelp DAO has announced its decision to migrate its cross-chain infrastructure to Chainlink's Cross-Chain Interoperability Protocol (CCIP). This move comes after a $300M exploit was linked to LayerZero, which Kelp claims resulted from vulnerabilities within the company's own infrastructure rather than protocol-level misconfiguration.

Kelp has pushed back against claims that its use of a 1-of-1 Decentralized Verifier Network (DVN) setup was responsible for the vulnerability. According to Kelp, this configuration is widely used across the LayerZero ecosystem and is even included in default documentation. In fact, public data suggests that nearly half of LayerZero-integrated applications operate under similar configurations.

The attack on LayerZero's infrastructure allowed attackers to manipulate RPC nodes and generate forged transaction attestations, leading to the minting of unbacked rsETH and extraction of funds across DeFi protocols. Kelp claims to have paused its contracts within an hour of detecting the attack and prevented additional losses exceeding $100 million.

Kelp has questioned inconsistencies in LayerZero's postmortem, particularly its characterization of the incident as an isolated configuration issue. The protocol has noted that LayerZero later restricted 1-of-1 DVN setups after the exploit, a move it says contradicts earlier guidance that such configurations were acceptable.

The shift to Chainlink's CCIP reflects a broader concern about cross-chain security and the need for more robust infrastructure. Kelp's migration is intended to secure user funds and rebuild trust in its platform.