LayerZero Admits Fault in $292M Kelp DAO Exploit

LayerZero said late Friday U.S. time that it "made a mistake" by allowing its own validation infrastructure to safeguard high-value crypto assets under a vulnerable setup, a notable change in tone after weeks of pointing to developer error. Kelp DAO lost $292 million in an incident linked to North Korean attackers.

The admission follows a prolonged public dispute between LayerZero and Kelp, after LayerZero initially said the April exploit stemmed from a configuration issue in Kelp's application layer. In a blog post published Friday, LayerZero wrote: "First, I want to offer a belated apology."

LayerZero had previously argued that Kelp chose an unusually risky "1-to-1" configuration, where only a single decentralized verification network (DVN) is needed to approve cross-chain transfers, creating a single point of failure. DVNs are part of the infrastructure used to validate transactions moving assets between blockchains.

The company said: "We made a mistake by allowing our DVN to be used as a one-to-one DVN for high-value transactions. We did not regulate the content protected by the DVN, which created risks we failed to anticipate. We take full responsibility for this."

LayerZero Labs said its DVN will no longer support the 1/1 configuration. It also plans to migrate default configurations across paths to 5/5 where possible; on chains with only three DVNs available, defaults will be migrated to at least 3/3.

Cross-chain bridges, which connect otherwise separate blockchain networks, have long been among the most frequently exploited parts of crypto infrastructure. LayerZero maintained that its underlying protocol was not compromised and reiterated that developers ultimately decide their own security assumptions. The company said the protocol itself was unaffected, attributing the incident to an attack on the internal RPC infrastructure used by the LayerZero Labs DVN, while external RPC providers also faced distributed denial-of-service attacks.
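The verification-threshold point above, that a 1/1 DVN configuration leaves a single point of failure while a 3/3 or 5/5 configuration does not, can be illustrated with a small model. This is an added example and not LayerZero's, Kelp DAO's or any DVN's code; it assumes a simplified design in which each DVN reports the hash of the payload it observed on the source chain (through its own RPC view) and the destination side accepts a message only when every required DVN attests to the same hash. All names (`Dvn`, `verify_message`, `run_scenarios`) and the sample payloads are hypothetical constructions.

```python
"""
Model of an N-of-N DVN quorum for a cross-chain message (added example,
not LayerZero or Kelp DAO code; the data model is a hypothetical assumption).
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def payload_hash(payload: bytes) -> str:
    """Commitment each DVN reports for the payload it saw on the source chain."""
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Dvn:
    name: str
    # nonce -> payload hash as seen through this DVN's RPC view. An honest
    # DVN sees the genuine payload; a DVN whose RPC feed has been tampered
    # with reports the hash of a forged payload instead.
    observed: Dict[int, str] = field(default_factory=dict)

    def attest(self, nonce: int) -> Optional[str]:
        return self.observed.get(nonce)


def verify_message(required: List[Dvn], nonce: int, payload: bytes) -> bool:
    """Accept the payload only if every required DVN attests to its exact hash."""
    expected = payload_hash(payload)
    return all(dvn.attest(nonce) == expected for dvn in required)


# Constructed sample payloads; the amounts and addresses are made up.
GENUINE = b"transfer 100 rsETH to 0xabc"
FORGED = b"transfer 1000000 rsETH to 0xdef"


def build_dvns(tampered: Set[str]) -> Dict[str, Dvn]:
    """Three hypothetical DVNs; those named in `tampered` see the forged payload."""
    dvns: Dict[str, Dvn] = {}
    for name in ("A", "B", "C"):
        seen = FORGED if name in tampered else GENUINE
        dvns[name] = Dvn(name, {1: payload_hash(seen)})
    return dvns


def run_scenarios() -> Dict[str, bool]:
    """Compare a 1/1 and a 3/3 required-DVN set when DVN A's RPC view is tampered with."""
    dvns = build_dvns(tampered={"A"})
    all_three = [dvns["A"], dvns["B"], dvns["C"]]
    honest = list(build_dvns(set()).values())
    return {
        # 1/1: the single tampered DVN is sufficient to pass the forged payload.
        "1of1_forged_accepted": verify_message([dvns["A"]], 1, FORGED),
        # 3/3: B and C still report the genuine hash, so the forgery is rejected.
        "3of3_forged_accepted": verify_message(all_three, 1, FORGED),
        # 3/3: the tampered DVN also blocks the genuine message (liveness cost,
        # not a loss of funds).
        "3of3_genuine_accepted": verify_message(all_three, 1, GENUINE),
        # 3/3 with all DVNs honest: genuine traffic flows normally.
        "3of3_genuine_all_honest": verify_message(honest, 1, GENUINE),
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario}: {'ACCEPTED' if accepted else 'rejected'}")
```

The design choice the model makes visible is the trade-off the article's migration plan implies: requiring every DVN in the set to agree turns a single tampered verifier from a theft path into a liveness failure, because the remaining honest DVNs refuse the forged hash, but it also means one unavailable or compromised DVN halts genuine traffic until it is replaced.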
LayerZero also disclosed that three and a half years ago a signer on its multisig initiated a personal transaction using the multisig hardware wallet, intending to transfer funds to a personal hardware wallet. "This is clearly unacceptable," the company said. It removed the signer, rotated the wallet, added local anomaly detection software to devices, and created a custom multisignature system called OneSig.

Rivals including Chainlink are seeking to capitalize on the fallout as protocols reassess security providers. Kelp DAO has moved the rsETH bridge to Chainlink's competing Cross-Chain Interoperability Protocol. Solv Protocol said this week that, after its latest security audit, it is migrating more than $700 million in tokenized Bitcoin infrastructure away from LayerZero.