LayerZero Acknowledges Security Configuration Error in $292M Kelp DAO Exploit Tied to North Korean Attackers

U.S. time on May 9, 2026 admitting it made a mistake after initially framing a $292 million exploit as a developer configuration failure by Kelp DAO. The company reversed weeks of blaming Kelp for the April 2026 hack tied to North Korean attackers.

LayerZero CEO Bryan Pellegrino's firm said its protocol was not compromised. "First things first: an overdue apology," LayerZero wrote in the blog. The company acknowledged it made a mistake by allowing its own verifier network to secure high-value assets in a risky configuration.

"We made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions," it stated. "We didn't police what our DVN was securing, which created a risk we simply didn't see. " The exploit was an attack on internal RPC infrastructure used by the LayerZero Labs DVN.

External RPC providers were hit with distributed denial-of-service attacks at the same time. LayerZero had initially framed the exploit as a developer configuration failure by Kelp, which chose a 1-of-1 configuration using only a single decentralized verifier network. A DVN is part of the infrastructure that verifies whether a transaction moving assets between blockchains is legitimate.

Cross-chain bridges act like digital transfer rails between otherwise separate blockchain networks. LayerZero maintained that developers remain responsible for their own security settings even as it accepted responsibility for not restricting its DVN. In response, the LayerZero Labs DVN will no longer service 1/1 DVN configurations.

All defaults on all pathways are being migrated to 5/5 where possible and no less than 3/3 on any chain where only 3 DVNs are available. The changes follow the company's admission three and a half years after an earlier internal security lapse. Three and a half years ago one of LayerZero's signers on its multisig used their multisig hardware wallet to perform a personal trade.

"This is obviously not ok," LayerZero stated. The signer was removed from the multisig, wallets were rotated after the multisig signer incident, and the company updated its security practices around signing devices, added localized anomaly detection software on each device, and created a custom-built multisig called OneSig.

The fallout from the April 2026 hack has driven major clients to rivals. Kelp shifted its rsETH bridge to Chainlink’s Cross-Chain Interoperability Protocol. Solv Protocol is migrating more than $700 million in tokenized bitcoin infrastructure away from LayerZero following a fresh security review.

CoinDesk reported that the admission marks a notable shift after weeks of public finger-pointing between LayerZero and Kelp over responsibility for the hack. LayerZero had argued the protocol had chosen a risky “1-of-1” configuration in which only a single decentralized verifier network needed to approve cross-chain transfers, creating a single point of failure.