Guavy AI Editorial Team

LayerZero, Kelp DAO Engage in Dispute Over $290 Million rsETH Bridge Exploit

A recent $290 million rsETH bridge exploit has sparked a dispute between LayerZero and Kelp DAO.

The incident occurred when attackers drained 116,500 rsETH from Kelp's LayerZero-powered bridge after poisoning the servers used to verify transfers. The attack did not affect Kelp's core restaking contracts, but an emergency pause was implemented 46 minutes later, preventing additional losses.

Kelp plans to argue that the compromised DVN (Decentralized Validator Network) was LayerZero's own infrastructure, rather than a third-party verifier chosen by the protocol. According to Kelp, the backup servers were flooded with junk traffic, forcing the verifier onto the compromised nodes, which were built and run by LayerZero.

LayerZero has disputed this claim, stating that Kelp DAO chose a 1-of-1 DVN setup despite recommendations for multi-DVN redundancy. However, critics argue that LayerZero's own quickstart guide and default GitHub configuration point to the same 1/1 structure, used by 40% of protocols on LayerZero.

Security researchers have also pushed back against LayerZero's account, pointing out that its public deployment code uses single-source verification defaults across multiple blockchains and leaves a public endpoint exposed. They accuse LayerZero of deflecting responsibility and shifting the blame to Kelp DAO for trusting a setup supported by LayerZero itself.

In response, LayerZero has vowed to stop signing messages for any application using a single-verifier setup, which will force a broader migration across its network. The incident has highlighted issues with cross-chain security and infrastructure management, and it is putting documentation, defaults, and accountability in the space to the test.