LayerZero Admits Critical Design Flaw After $292M Exploit
April 21, 2025 – LayerZero, the cross-chain messaging protocol, publicly acknowledged on Thursday that its own validator node acted as the sole verifier for high-value transactions on the Kelp DAO rsETH bridge, a configuration it now admits was a critical error. The admission comes three days after an exploit drained approximately $292 million from the bridge.
“We failed to enforce the decentralized validation model that users trusted,” said a LayerZero spokesperson in a prepared statement. “Permitting a single LayerZero-operated DVN to secure such large transfers was a mistake, and we apologize to the Kelp DAO community and all affected users.”
Background: The 1/1 DVN Setup
LayerZero’s security model relies on Decentralized Verifier Networks (DVNs) to confirm cross-chain messages. Ideally, multiple independent DVNs validate each transaction – a so-called “1-of-N” or “M-of-N” scheme. However, in the Kelp DAO rsETH bridge, only one DVN was active: a validator owned and operated by LayerZero itself.
This 1/1 setup created a single point of failure. On April 18, an attacker compromised the LayerZero-operated DVN, forging verification messages that allowed the theft of $292 million in rsETH tokens. Kelp DAO’s bridge relies on LayerZero to relay transfer requests between Ethereum and other chains.
Exploit Details and Immediate Fallout
The attack exploited a vulnerability in the message-passing logic between the DVN and the bridge smart contracts. With only one verifier, the attacker needed to control just that single node to approve malicious withdrawals.
Blockchain security firm BlockSec told The Defiant, “This incident highlights the danger of centralized validation in supposedly decentralized bridges. LayerZero’s own node became the chokepoint.” Kelp DAO has paused all bridge operations pending a security review.
LayerZero’s Blog Post and Apology
In a blog post titled “Lessons from the Kelp Incident,” LayerZero detailed the design oversight. “We should not have operated as the sole DVN for any bridge, let alone one handling billions in value,” the post reads. The company pledged to enforce a minimum of three independent DVNs for all high-value route deployments moving forward.
Security researcher and pseudonymous analyst “defi_butter” noted, “LayerZero’s reputation takes a hit, but their transparency is a step in the right direction. Many protocols would have quietly patched the hole.”
What This Means for Cross-Chain Security
The incident reveals a dangerous gap between protocol governance and operational reality. While LayerZero advertises a multi-verifier system in documentation, actual deployments can be configured with only one validator – defeating the purpose of decentralization.
Legal expert Sarah Chen, partner at Blockchain Law Group, commented, “If LayerZero or its affiliates exercised control over the sole DVN, liability questions arise. Investors may have grounds to argue that the protocol misrepresented its security guarantees.”
For the broader DeFi ecosystem, the hack serves as a warning: Trusted setups under a single entity’s control are indistinguishable from centralized custodians. Multiple independent validators are not optional – they are essential for the security bridge users expect.
Kelp DAO Response and Recovery Efforts
Kelp DAO has engaged forensic auditors to trace the stolen funds. The DAO’s governance forum is debating whether to pursue legal action against LayerZero or seek compensation through insurance providers. “We are committed to making affected users whole,” a Kelp DAO core contributor said, “but the path depends on full cooperation from LayerZero.”
The $292 million loss is one of the largest DeFi exploits of 2025. Markets reacted quickly, with rsETH trading at a 40% discount to its underlying assets as liquidity pools drained. Analysts expect a prolonged recovery period.
LayerZero’s Corrective Measures
On Wednesday, LayerZero implemented an emergency update to its bridge deployment tooling. All new routes now require at least three DVN signers from distinct entities. Additionally, LayerZero is auditing all existing deployments to flag any that rely on a single validator.
“We are rolling out a mandatory multi-DVN requirement in the next protocol upgrade,” the spokesperson said. “Audits of active bridges will be completed within two weeks.”
This article has been updated with additional expert commentary. Read the original report from The Defiant here.