Kelp says LayerZero approved setup it blamed for $292 million bridge hack
Summary
Kelp DAO asserts that LayerZero personnel approved its 1-of-1 verifier configuration, a setup LayerZero later cited as the cause of a $292 million exploit on Kelp's rsETH bridge. This contradicts LayerZero's postmortem, which stated that Kelp's reliance on LayerZero Labs as the sole verifier "directly contradicts" recommended practices. Kelp claims LayerZero reviewed its configurations for over 2.5 years without flagging the 1-of-1 setup as a security risk, and it has provided screenshots of Telegram exchanges as evidence. Kelp also points to LayerZero's bug bounty scope, developer examples, and Quickstart guides as indications that verifier choices were treated as application-level configurations. The protocol is migrating its rsETH from LayerZero to Chainlink's CCIP. LayerZero attributed the hack to the North Korean Lazarus Group compromising RPC nodes, while Kelp argues that the 1-of-1 setup was common, exposing billions in market value to similar risks. LayerZero has since changed its policy and no longer signs messages for 1-of-1 configurations.
(Source: CoinDesk)