Kelp DAO Challenges LayerZero Over $290 Million Bridge Exploit Defaults

Kelp DAO is pushing back against claims made by cross-chain messaging provider LayerZero following a $290 million exploit that drained 116,500 rsETH from its bridge. While LayerZero's initial post-mortem blamed Kelp for utilizing a '1/1 configuration'—a setup where a single validator can approve transactions—Kelp asserts that this configuration is the default provided in LayerZero's own documentation and GitHub guides. The exploit occurred when attackers compromised two of LayerZero's servers and flooded backup systems with junk traffic, forcing the verifier onto the compromised nodes. Kelp claims the breach was the result of a sophisticated state-sponsored attack targeting LayerZero's internal infrastructure rather than a third-party verifier, contradicting LayerZero's framing of the event. Technical analysis from industry developers suggests the vulnerability may be widespread. Reports indicate that LayerZero's reference setup ships with single-source verification defaults across major chains, including Ethereum, Polygon, and Arbitrum. This has raised alarms across the DeFi sector, as an estimated 40% of protocols integrated with LayerZero may be using the same vulnerable configuration. Despite the initial loss, Kelp's emergency pause, triggered 46 minutes after the drain began, successfully blocked subsequent attempts to steal an additional $200 million in rsETH. The protocol noted that its core restaking contracts remained untouched, with the damage isolated to the bridge layer.