Kelp DAO Pushes Back on LayerZero's Postmortem, Says Default 1-of-1 Setup Enabled $290M Bridge Hack

Kelp DAO is preparing to challenge LayerZero's account of Sunday's roughly $290 million exploit, arguing the crosschain messaging provider is misplacing blame, according to a person familiar with the matter. In a memo reviewed and verified by CoinDesk that Kelp plans to publish, the liquid restaking protocol disputes LayerZero's claim that Kelp ignored repeated warnings to move away from a single-verifier configuration. Kelp routes user-deposited ether through EigenLayer to generate yield and issues a receipt token, rsETH. LayerZero provides the messaging and verification rails used to move rsETH between blockchains, relying on decentralized verifier networks (DVNs) to confirm whether crosschain transfers are valid. On Saturday, attackers drained 116,500 rsETH, valued at about $290 million, from Kelp's LayerZero-powered bridge. The attacker allegedly "poisoned" the servers a LayerZero verifier depended on for transaction checks. Kelp plans to argue the compromised DVN was LayerZero's own infrastructure, not an external third-party verifier, calling it a "sophisticated state-sponsored attack." The source said attackers breached two LayerZero-operated servers responsible for validating crosschain transactions, then overwhelmed backup servers with junk traffic to force the verifier to rely on the compromised machines. Kelp did not build or operate that infrastructure, the source added. Kelp also contests LayerZero's portrayal of the "1/1 configuration" as an outlier decision taken against explicit guidance. LayerZero's postmortem said Kelp chose a 1-of-1 DVN setup despite recommendations to use multi-DVN redundancy. A 1-of-1 configuration requires only one validator signature for a bridge to execute a crosschain message, creating a single point of failure. Multi-validator setups such as 2/3 or 3/5 reduce the risk that one compromised verifier can approve a forged instruction. According to the source, Kelp has maintained a direct communications channel with LayerZero since July 2024, but did not receive a specific recommendation to change the rsETH DVN configuration. The source said LayerZero's own quickstart guide and default GitHub configuration point to a 1/1 DVN setup, and estimated about 40% of LayerZero-based protocols currently run the same configuration. The configuration Kelp used also appears in LayerZero's V2 OApp Quickstart, the source said, where the sample layerzero.config.ts sets each pathway with one required DVN and no optional DVNs, mirroring a 1/1 structure. Kelp said its core restaking contracts were not affected and the incident was contained to the bridge layer. The protocol's emergency pause, triggered 46 minutes after the drain, blocked two follow-on attempts that could have released roughly another $200 million in rsETH. CoinDesk contacted LayerZero for comment but had not received a response by publication. Criticism of LayerZero's framing has also surfaced publicly. Yearn Finance core developer Artem K ("@banteg" on X) reviewed LayerZero's public deployment code and said the reference setup ships with single-source verification defaults across major chains including Ethereum, BSC, Polygon, Arbitrum and Optimism. He also noted the deployment exposes a public endpoint that can leak the list of configured servers to anyone who queries it. Banteg said he cannot confirm which configuration Kelp used, but added that LayerZero typically asks new operators to start from its default setup—the same approach criticized in the postmortem. Chainlink community manager Zach Rynes echoed the criticism on X, alleging LayerZero was "deflecting responsibility" for compromised infrastructure and faulting the company for blaming Kelp after Kelp relied on LayerZero-supported defaults. LayerZero has said it will no longer sign messages for any application running a single-verifier configuration, pushing protocols toward a network-wide migration.