KelpDAO has publicly challenged LayerZero’s account of an April 18 exploit that caused over $300 million in losses across DeFi.
The protocol released a detailed post citing independent security researchers, internal communications, and on-chain data.

KelpDAO maintains that LayerZero’s own infrastructure was breached, not a configuration error on Kelp’s part.
The team has since announced a full migration to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) for rsETH security.
On April 18, 2026, attackers exploited LayerZero’s DVN infrastructure, draining over $300 million from DeFi protocols.
KelpDAO detected two additional forged transactions totaling $100 million and paused its contracts before further damage occurred.
LayerZero’s response, published over 34 hours later, attributed the incident to an RPC-spoofing attack. However, independent researchers from SEAL 911 and others concluded that the breach originated inside LayerZero’s own trust boundary.
One security researcher stated that the LayerZero attack was not RPC poisoning but rather an infrastructure breach within the perimeter.
Another report noted that the sole required DVN was the Etherscan-labeled LayerZero DVN, which narrowed the likely fault domain significantly.
SEAL 911’s assessment further confirmed that threat actors, linked to the DPRK with high confidence, fraudulently triggered an attestation from the LayerZero DVN.
Attackers compromised two RPC nodes used by LayerZero’s DVN, then executed a DDoS on remaining nodes. This forced DVN signers to validate a non-existent transaction.
LayerZero’s own postmortem acknowledged that attackers accessed its DVN’s RPC lists and swapped node binaries, stating: “the attacker was able to gain access to the list of RPCs our DVN uses, compromise two of them…and swap out binaries running the op-geth nodes.”
Further, Dune analytics data showed that roughly 47% of LayerZero OApp contracts used a 1-1 DVN setup. Over 90% of all LayerZero messages in the prior 90 days relied on the LayerZero Labs DVN.
This directly contradicted a December 2024 statement from LayerZero’s Bryan, who claimed no application was using a 1-1 LayerZero DVN setup, at a time when rsETH held approximately $200 million in TVL under that exact configuration.
KelpDAO stated that its 1-1 DVN setup was explicitly approved by a LayerZero Labs team member over Telegram.
Over 2.5 years and eight documented integration discussions, LayerZero never flagged this configuration as a security risk. The team also noted that LayerZero’s own quickstart documentation still defaults to a 1-1 setup, with no optional DVN configured.
Researchers also flagged that LayerZero’s default Gasolina AWS deployment exposed a public gateway with no IAM authentication, WAF, or IP allowlists.
One report noted that “quorum is explicitly set to 1,” meaning backup RPCs served only as failover rather than providing multi-provider consensus.
Another researcher observed that “RPCs are mostly public endpoints,” confirming the reference deployment did not use multiple providers to reach consensus.
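The difference between failover and multi-provider consensus that the researchers describe can be shown with a simplified model. This is an added example, not LayerZero's or Gasolina's code, and the provider names, response strings and function names are hypothetical.

```python
from collections import Counter
from typing import Dict, Optional

TIMEOUT = None  # provider gave no answer (for example, it is under DDoS)

def read_failover(responses: Dict[str, Optional[str]]) -> Optional[str]:
    """Quorum of 1: walk the provider list in order, trust the first answer."""
    for value in responses.values():
        if value is not TIMEOUT:
            return value
    return None

def read_with_quorum(responses: Dict[str, Optional[str]], quorum: int) -> Optional[str]:
    """Return a value only if at least `quorum` configured providers report it.

    Timeouts are never votes, so taking honest providers offline makes the
    read fail closed (None) instead of promoting whatever answers remain.
    """
    if not 1 <= quorum <= len(responses):
        raise ValueError("quorum must be between 1 and the provider count")
    votes = Counter(v for v in responses.values() if v is not TIMEOUT)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= quorum else None

def strict_majority(provider_count: int) -> int:
    """Smallest vote count that more than half of the providers must reach."""
    return provider_count // 2 + 1

# Constructed sample data; provider names and receipt strings are placeholders.
REAL, FORGED = "receipt:real", "receipt:forged"
HEALTHY = {"rpc-1": REAL, "rpc-2": REAL, "rpc-3": TIMEOUT, "rpc-4": REAL, "rpc-5": REAL}
# Scenario from the article: two providers compromised, the rest unreachable.
ATTACK = {"rpc-1": TIMEOUT, "rpc-2": TIMEOUT, "rpc-3": TIMEOUT,
          "rpc-4": FORGED, "rpc-5": FORGED}

if __name__ == "__main__":
    need = strict_majority(len(ATTACK))
    print("failover, attack  :", read_failover(ATTACK))
    print("quorum 2, attack  :", read_with_quorum(ATTACK, 2))
    print(f"quorum {need}, attack  :", read_with_quorum(ATTACK, need))
    print(f"quorum {need}, healthy :", read_with_quorum(HEALTHY, need))
```

A quorum of 2 still returns the forged value in this scenario, because the threshold has to exceed the number of providers an attacker can control, counted against all configured providers rather than only those that responded.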
The protocol has now begun migrating rsETH to Chainlink CCIP and its Cross-Chain Token standard. Chainlink’s oracle network has facilitated over $30 trillion in value over seven-plus years.
KelpDAO noted that Chainlink remained fully operational across multiple global outages, making it a more dependable infrastructure choice going forward.
KelpDAO also raised concerns about shared administrative roles between the LayerZero Labs DVN and the Nethermind DVN.
Ten overlapping addresses held ADMIN_ROLE on both contracts as of April 8. The team argued this overlap calls into question whether the DVNs truly operate independently.
A full forensic report will follow once the review concludes, with securing user assets remaining the team’s immediate priority.
The post KelpDAO Blames LayerZero for $300M Exploit, Moves to Chainlink CCIP appeared first on Live Bitcoin News.


