Kelp DAO is pushing back against claims from LayerZero following the massive $292 million exploit, arguing that the root cause of the attack lies in the cross-chain infrastructure itself rather than its own protocol design. The dispute comes after one of the largest DeFi hacks of the year, where attackers drained over 116,000 rsETH tokensthrough a compromised bridge connected to LayerZero’s messaging system.
Kelp DAO Challenges LayerZero’s Explanation
In response to LayerZero’s post-mortem, which blamed Kelp’s configuration choices, Kelp DAO stated that the setup under scrutiny was actually based on LayerZero’s own default framework and documentation. According to Kelp, the criticized “1-of-1 verifier configuration” was not an unusual or risky customization, but rather something widely used across the ecosystem and aligned with LayerZero’s reference setup. This directly contradicts LayerZero’s position that Kelp ignored best practices and created a single point of failure.
LayerZero Blames Kelp’s Configuration Decisions
On the other side, LayerZero maintains that the exploit was not a failure of its core protocol, but a result of how Kelp DAO configured its security model. The company pointed to Kelp’s reliance on a single verifier system, which allowed attackers to forge cross-chain messages and withdraw funds without sufficient validation. LayerZero emphasized that it had previously recommended using multiple verification layers to reduce this exact type of risk.
Cross Chain Infrastructure at the Center of the Attack
The exploit itself targeted the bridge connecting blockchains, not Kelp’s core restaking contracts. Attackers were able to manipulate verification data and mint unbacked rsETH tokens, which were then used across DeFi platforms to extract real liquidity. This highlights a critical shift in crypto security. The vulnerability was not in the application logic, but in the infrastructure that connects ecosystems.
Blame Battle Reflects Larger Industry Risk
The ongoing dispute between Kelp DAO and LayerZero is now part of a broader conversation across DeFi. Both sides are effectively arguing over responsibility:
- Kelp DAO claims it followed default configurations and guidance
- LayerZero claims the issue came from how those configurations were implemented
- Neither side accepts full responsibility for the exploit
Meanwhile, protocols like Aave are dealing with the consequences, including potential bad debt and liquidity stress tied to the incident.
