LayerZero issued a public apology Friday for its handling of the fallout from the April 18 exploit that drained roughly $292 million in rsETH from Kelp DAO's cross-chain bridge, marking a notable tonal shift from its earlier post-mortem that characterized the protocol as having "functioned exactly as intended."
"We've done a terrible job on comms over the past three weeks," LayerZero wrote in the blog post, also cross-posted to X. "We wanted to prioritize completeness in the form of a comprehensive post-mortem, but we should have led with directness."
The protocol said its internal RPC nodes, which its Decentralized Verifier Network (DVN) relied on to read source-chain state, were compromised by North Korea's Lazarus Group. The attackers poisoned those nodes' data feeds while simultaneously launching a DDoS attack against LayerZero's external RPC providers, forcing the DVN to fall over to compromised infrastructure and sign off on transactions that never actually occurred. LayerZero had earlier attributed the attack to the Lazarus subgroup known as TraderTraitor.
The post acknowledged a point that LayerZero had previously resisted: it should not have allowed its DVN to serve as the sole verifier for high-value transactions. "We believe developers should choose their own security configurations, but we made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions," the company wrote. "We didn't police what our DVN was securing, which created a risk we simply didn't see."
That framing represents a significant concession. LayerZero's initial incident statement placed blame squarely on Kelp DAO's configuration choices, describing the 1-of-1 DVN setup as a decision Kelp made against guidance.
Kelp DAO publicly disputed that account, pointing to LayerZero's own documentation, quickstart guides, and developer examples as evidence that the single-verifier setup was the platform's default onboarding recommendation. A Dune analysis cited by Kelp found that 47% of approximately 2,665 active LayerZero OApp contracts were running the same configuration at the time of the attack.
LayerZero said the exploit affected a single application, representing roughly 0.14% of total applications on the network and about 0.36% of the value of assets using LayerZero. It added that more than $9 billion has moved across the protocol since April 19.
The blog post also revealed a previously unreported operational security incident. Roughly three and a half years ago, one of LayerZero's multisig signers used their production hardware wallet to execute a personal trade, intending to use a separate personal device. LayerZero said the signer was removed from the multisig, wallets were rotated, and the company has since added anomaly detection software to each signing device.
The disclosure arrives amid separate, ongoing scrutiny over the operational security of LayerZero's multisig signers. Onchain researchers and security figures including Chainlink community liaison Zach Rynes had flagged evidence that production multisig keys were used for unrelated DEX activity, including what appeared to be a swap for the memecoin McPepes on Uniswap. LayerZero CEO Bryan Pellegrino said the transactions were OFT testing by former signers who have since been removed.
LayerZero outlined a set of changes it has made since the exploit. The LayerZero Labs DVN no longer services 1/1 DVN configurations. Default settings on all pathways are being migrated to require at least five verifiers where possible, with a floor of three on chains where only three DVNs are available. The company is also building a second DVN client written in Rust for client diversity and has reconfigured its RPC setup to allow more granular quorum controls across internal and external node providers.
On the infrastructure side, LayerZero said it plans to raise its own multisig threshold from 3-of-5 to 7-of-10 using OneSig, an open-source multisig tool the company introduced last year. OneSig allows signers to download transactions and hash them locally before signing, preventing the backend from inserting unauthorized transactions. LayerZero also said it is building a platform called Console for asset issuers to configure and monitor security settings, with built-in anomaly detection for flagging risky configurations.
The apology comes at a difficult moment for LayerZero. Two major protocols have migrated their cross-chain infrastructure to Chainlink's CCIP in the weeks since the exploit. Kelp DAO announced its departure earlier this week, becoming the first major protocol to leave LayerZero since the hack. Solv Protocol followed, announcing it would move more than $700 million in tokenized bitcoin off LayerZero, citing security concerns.
Meanwhile, the DeFi United recovery initiative formed in the wake of the exploit has raised more than $300 million in ETH and stablecoins. LayerZero contributed 10,000 ETH, split between a 5,000 ETH donation and a 5,000 ETH loan to Aave, which faces an estimated $124 million to $230 million in bad debt from the incident. The Arbitrum DAO voted to release 30,766 frozen ETH to the recovery effort, and a judge on Friday allowed the transfer to continue despite a restraining notice from North Korea terrorism victims and creditors.
LayerZero said an official post-mortem will follow once its external security partners conclude their work.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
