[ND MAGAZINE] LayerZero Issues Official Apology for $292 Million Kelp DAO Exploit Response... Admits Fault in Single-Verifier Configuration
LayerZero Labs has issued an official apology, admitting that its initial response to the $292 million Kelp DAO exploit was poor. The apology acknowledges vulnerabilities in single-verifier configurations and negligence in internal infrastructure management, and it has shaken trust in cross-chain security across the DeFi ecosystem.
On May 9, 2026, LayerZero Labs admitted negligence in its response to the $292 million Kelp DAO exploit and issued an official apology. This marks a complete reversal from its initial defensive stance, which blamed application configuration errors, and serves as a formal admission of failure in single-verifier configuration and internal infrastructure management.
This apology concludes the public conflict between LayerZero and Kelp DAO that has persisted for several weeks. Kelp DAO had previously criticized LayerZero's evasion of responsibility and announced on May 5, 2026, that it would migrate its services to competitor Chainlink's CCIP.
In a statement on May 9, 2026, LayerZero admitted to mistakes made during the Decentralized Verifier Network (DVN) configuration process and revealed that a failure in its internal RPC infrastructure was a decisive factor in the exploit. The company expressed deep regret for causing confusion among users by emphasizing the lack of protocol defects during the initial response.
"We committed clear errors in our response to the Kelp DAO incident and failed to adequately manage the risks of a single-verifier configuration. We take full responsibility for the exposure of internal infrastructure vulnerabilities to the attacker."
The incident dates back to the theft of 116,500 rsETH on April 18, 2026. At the time, the attacker seized assets worth approximately $292 million, and security experts identified the North Korean hacking organization, Lazarus Group, as the mastermind behind the attack.
The Reality of Single-Verifier Vulnerabilities and Technical Flaws
According to technical analysis, Kelp DAO's rsETH adapter was configured to accept messages from only a single verifier. The attacker struck LayerZero's internal RPC infrastructure while simultaneously launching Distributed Denial of Service (DDoS) attacks on external RPC providers to paralyze the system, allowing fraudulent messages to pass through without verification.
- Configuration error in the rsETH adapter's 1-of-1 Decentralized Verifier Network (DVN)
- Simultaneous precision strikes on internal RPC infrastructure and DDoS attacks on external services
- Poor initial response that dismissed the issue as an application-layer configuration problem
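The 1-of-1 verifier configuration described above can be caught by a pre-deployment audit; the following is an added example, not code from the article or from LayerZero. The config shape, verifier names and failure-domain map are hypothetical and constructed, and the check goes beyond the single-verifier case by also counting shared infrastructure (operator or RPC backend) behind nominally separate verifiers.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class VerifierSet:
    """Hypothetical quorum model, not LayerZero's actual config schema."""
    required: tuple        # every verifier listed here must attest
    optional: tuple = ()   # pool from which `threshold` more must attest
    threshold: int = 0


def check(cfg):
    """Reject malformed configs before reasoning about them."""
    names = cfg.required + cfg.optional
    if not names:
        raise ValueError("no verifiers configured")
    if len(set(names)) != len(names):
        raise ValueError("duplicate verifier")
    if not 0 <= cfg.threshold <= len(cfg.optional):
        raise ValueError("threshold outside optional pool size")


def min_domains_to_forge(cfg, domain_of):
    """Fewest independent failure domains (operator, RPC backend) that must
    fail together before a forged message can satisfy the quorum."""
    check(cfg)
    base = {domain_of[v] for v in cfg.required}
    return min(len(base | {domain_of[v] for v in picked})
               for picked in combinations(cfg.optional, cfg.threshold))


def audit(cfg, domain_of, minimum=2):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    attesters = len(cfg.required) + cfg.threshold
    if attesters < minimum:
        findings.append(f"quorum needs only {attesters} verifier(s)")
    domains = min_domains_to_forge(cfg, domain_of)
    if domains < minimum:
        findings.append(f"quorum satisfiable from {domains} failure domain(s)")
    return findings


# Constructed sample data, not taken from any real deployment.
DOMAINS = {"dvn-a": "rpc-1", "dvn-b": "rpc-1", "dvn-c": "rpc-2", "dvn-d": "rpc-3"}
SINGLE = VerifierSet(required=("dvn-a",))                      # 1-of-1
SHARED = VerifierSet(required=("dvn-a", "dvn-b"))              # 2 verifiers, 1 backend
DIVERSE = VerifierSet(("dvn-a", "dvn-c"), ("dvn-b", "dvn-d"), 1)

if __name__ == "__main__":
    for name, cfg in [("single", SINGLE), ("shared", SHARED), ("diverse", DIVERSE)]:
        print(name, audit(cfg, DOMAINS) or "ok")
```

The `SHARED` case passes a naive verifier count but still reports a finding, because both verifiers sit behind the same backend in the constructed map.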
In the apology, LayerZero disclosed previously unreported internal operational lapses. It was revealed that one of the multisig signers used an operational hardware wallet for personal transactions, cited as an example of lax operational security management across the team.
In the wake of the exploit, the DeFi lending protocol Aave suffered a significant blow. While Aave clarified that there were no defects in its smart contracts, it is estimated that bad debt ranging from $177 million to $290 million was generated due to the value fluctuations of the stolen assets.
LayerZero's governance token, ZRO, has shown significant volatility as market uncertainty grew following the exploit. After plunging about 20% immediately after the incident on April 18, 2026, the ZRO price is currently testing a major support level around $1.35, with investors watching to see if this apology can serve as momentum for a price recovery.
This incident serves as a reminder of how crucial operational transparency and responsible response are for cross-chain bridge protocols, in addition to technical perfection. While LayerZero's belated admission of fault and apology is a first step toward restoring trust, rebuilding the ecosystem's confidence, once shattered, is expected to require significant time and effort.
Across the DeFi industry, there are growing calls to strengthen security standards for cross-chain messaging in light of this case. In particular, mandating multi-verification structures to prevent a Single Point of Failure and strict audits of infrastructure providers' operational security are expected to become key criteria for future project selection.



This content is for information and commentary only and is not investment advice.