LayerZero Admits “Mistake” in $292M Kelp DAO Exploit: A Major Pivot in DeFi Security
In a significant turn of events, LayerZero has officially shifted its stance regarding the $292 million Kelp DAO exploit that rocked the ecosystem on April 18, 2026.
Initially, the narrative focused on "developer configuration" errors. However, LayerZero now admits it "owns" the decision to allow its own verifier, the LayerZero Labs Decentralized Verifier Network (DVN), to secure high-value transfers in a vulnerable 1-of-1 setup.
🔍 What Happened?
The exploit was a sophisticated attack by the Lazarus Group (TraderTraitor) targeting off-chain infrastructure rather than smart contract code.
> The Vector: Attackers poisoned two internal RPC nodes and DDoS'd external ones.
> The Result: The LayerZero DVN was "tricked" into verifying a non-existent token burn on Unichain.
> The Damage: Approximately 116,500 $rsETH was drained from the Ethereum bridge.
🛡️ The Policy Shift
LayerZero has acknowledged that relying on a single verifier for massive value was a risk they "simply didn't see." In response, they are implementing major changes:
1- No More 1/1 Setups: The LayerZero Labs DVN will no longer support single-verifier configurations.
2- Mandatory Redundancy: Default settings are migrating to a minimum of 3 to 5 verifiers to ensure decentralized consensus.
3- DeFi Recovery: LayerZero has contributed 10,000 $ETH toward recovery efforts, helping to stabilize the bad debt left on protocols like $AAVE.
While the protocol itself functioned as designed, this incident highlights that operational security is just as critical as the code itself.
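To make the 1-of-1 risk and the new minimum concrete, here is an added example (not LayerZero's code or configuration schema) that audits a verifier set and shows how a quorum handles one verifier attesting to a burn that never happened. The `VerifierConfig` model, the verifier names and the sample attestations are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MIN_VERIFIERS = 3  # from the post: defaults move to a minimum of 3 to 5 verifiers


@dataclass(frozen=True)
class VerifierConfig:
    """Hypothetical model of a pathway's verifier set (not LayerZero's schema)."""
    pathway: str
    verifiers: tuple      # names of independent verifiers
    threshold: int        # attestations required before a message is accepted


def audit(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    n = len(set(cfg.verifiers))
    if n != len(cfg.verifiers):
        findings.append("duplicate verifier listed; it counts only once")
    if not 1 <= cfg.threshold <= n:
        findings.append(f"threshold {cfg.threshold} invalid for {n} verifier(s)")
    if n < MIN_VERIFIERS:
        findings.append(f"{n} verifier(s) configured, minimum is {MIN_VERIFIERS}")
    if cfg.threshold == 1:
        findings.append("threshold 1: one deceived verifier can approve alone")
    return findings


def accepted(cfg, attestations):
    """True if at least `threshold` distinct configured verifiers attested."""
    votes = sum(1 for v in set(cfg.verifiers) if attestations.get(v, False))
    return votes >= max(cfg.threshold, 1)


# Constructed sample configs; pathway and verifier names are placeholders.
SINGLE = VerifierConfig("unichain->ethereum", ("dvn-a",), 1)
QUORUM = VerifierConfig("unichain->ethereum", ("dvn-a", "dvn-b", "dvn-c"), 2)

# Constructed scenario: dvn-a reads bad RPC data and attests to a burn that
# never happened; the other verifiers read the real chain state and decline.
BAD_ATTESTATION = {"dvn-a": True, "dvn-b": False, "dvn-c": False}

if __name__ == "__main__":
    for cfg in (SINGLE, QUORUM):
        print(cfg.pathway, len(cfg.verifiers), "verifier(s)")
        print("  findings:", audit(cfg) or "none")
        print("  false burn accepted:", accepted(cfg, BAD_ATTESTATION))
```

The quorum only helps if the verifiers are operationally independent: verifiers that share the same RPC providers can be deceived together, which is why the audit counts distinct verifiers rather than list entries.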