LayerZero, a leading interoperability protocol in the decentralized finance (DeFi) ecosystem, has officially acknowledged that it “made a mistake” in the handling of the $292 million Kelp exploit, reversing weeks of blaming the Kelp DAO project for the incident. The hack, which occurred in early May 2026, was attributed to North Korean attackers and has sent shockwaves through the DeFi space, raising critical questions about the security assumptions underlying cross-chain bridges and validator networks.
The exploit targeted the Kelp DAO’s rsETH bridge, which relied on LayerZero’s infrastructure to facilitate cross-chain transfers of high-value assets. Initially, LayerZero framed the incident as a developer configuration failure on the part of Kelp, arguing that the project had misconfigured its security settings. However, after an internal review and mounting pressure from the community, LayerZero CEO Bryan Pellegrino admitted that the protocol “owns” the decision to let its own verifier network—the decentralized verifier network (DVN)—secure high-value transfers in a vulnerable setup.
“We made a mistake,” Pellegrino said in a statement. “Our verifier network was not designed to handle the level of risk that we allowed it to assume in this configuration. We take full responsibility.” This marks a significant shift from the company’s earlier narrative, which many in the crypto community had criticized as an attempt to deflect blame onto a smaller project.
Background of the Exploit
The Kelp exploit occurred on May 9, 2026, when an attacker exploited a vulnerability in the LayerZero DVN’s internal RPC infrastructure. The DVN is a decentralized network of verifiers that secures cross-chain messages, but the attack targeted the communication channels between the verifiers and the RPC endpoints. By compromising these endpoints, the attacker was able to forge verification signatures and drain approximately $292 million worth of crypto assets from the Kelp bridge.
Initial reports suggested that the exploit was caused by a configuration error in the Kelp DAO’s smart contracts, but subsequent investigations revealed that the root cause lay in LayerZero’s own infrastructure. Pellegrino explained that the DVN had been configured to rely on a single RPC provider for certain high-value transfers, creating a single point of failure that the attacker exploited. “This was a fundamental oversight on our part,” he said.
Impact on the DeFi Ecosystem
The fallout from the exploit has been swift and severe. LayerZero faced backlash from the crypto community, with many accusing the company of blaming victims to protect its reputation. The incident also triggered a broader debate about the centralization risks inherent in DeFi protocols that claim to be decentralized. LayerZero’s DVN, while marketed as a decentralized alternative to traditional bridge security, is still reliant on a limited set of verifiers and RPC infrastructure.
Immediately after the attack, Kelp DAO announced that it would be migrating its rsETH bridge to Chainlink’s cross-chain protocol, citing security concerns. Solv Protocol, a major player in the tokenized bitcoin market, also announced that it was moving more than $700 million in tokenized bitcoin infrastructure away from LayerZero. These defections represent a significant loss of business for LayerZero, which has long been a dominant player in the interoperability space.
“This is a wake-up call for the entire industry,” said a DeFi analyst who spoke on condition of anonymity. “If a protocol like LayerZero can make such a basic mistake, it shows that we need to rethink how we secure cross-chain transactions. The era of blind trust in infrastructure providers is over.”
LayerZero’s Response and Remediation
In response to the exploit, LayerZero has implemented several changes to its security protocols. The company announced that it would be introducing stricter oversight of its DVN configurations, requiring verifiers to use diversified RPC infrastructure for high-value transfers. Additionally, LayerZero has pledged to reimburse affected users and is working with law enforcement to trace the stolen funds.
Pellegrino also emphasized that the LayerZero protocol itself was not compromised. “The protocol remains secure,” he said. “The exploit targeted the operational setup of our verifier network, not the underlying technology. Developers are still responsible for their own security settings, but we understand that we need to provide better guidance and default configurations.”
Nevertheless, the damage to LayerZero’s reputation may be long-lasting. The company had previously touted its DVN as a key differentiator in the competitive cross-chain bridge market, but the exploit has exposed its vulnerabilities. Rivals like Chainlink, Wormhole, and Axelar have seized the opportunity to market their own solutions as more secure alternatives.
Broader Implications for DeFi Security
The Kelp exploit is part of a worrying trend of large-scale hacks targeting DeFi protocols. In 2026 alone, the industry has seen over $1.5 billion lost to exploits and hacks, with cross-chain bridges being a frequent target. The underlying issue is often a mismatch between the perceived security of a protocol and the actual risk exposure of user funds.
In the case of LayerZero, the DVN model relies on a series of verifiers that vote on the validity of cross-chain messages. While this decentralized approach is theoretically more secure than a single-signature bridge, it introduces new attack surfaces, such as the RPC endpoints used by verifiers to communicate. The Kelp exploit highlights the need for verifiers to use diverse and hardened infrastructure to prevent single points of failure.
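The diversification requirement described above can be enforced by a verifier before it signs anything. The sketch below is an added example, not LayerZero's code or anything from the original article: every name, the dollar threshold and the quorum sizes are assumptions, and the RPC answers are constructed sample data rather than real responses. It counts agreement per independent provider rather than per endpoint, and refuses to attest when in doubt.

```python
from dataclasses import dataclass
from typing import Optional

HIGH_VALUE_USD = 1_000_000  # assumed policy threshold, not from the article

@dataclass(frozen=True)
class RpcAnswer:
    endpoint: str                # constructed label, not a real URL
    provider: str                # operator of the endpoint: the unit of independence
    message_hash: Optional[str]  # hash reported for the source-chain message; None on error

def required_providers(value_usd):
    # Assumed policy: three independent providers for high-value transfers, else two.
    return 3 if value_usd >= HIGH_VALUE_USD else 2

def should_attest(answers, value_usd):
    """Return (decision, reason). Fails closed: any doubt means no signature."""
    by_provider = {}
    for a in answers:
        if a.message_hash is not None:  # errors and timeouts never count toward quorum
            by_provider.setdefault(a.provider, set()).add(a.message_hash)
    # A provider whose own endpoints contradict each other is treated as unreliable.
    for provider, hashes in by_provider.items():
        if len(hashes) > 1:
            return False, f"{provider} returned conflicting data"
    need = required_providers(value_usd)
    if len(by_provider) < need:
        return False, f"{len(by_provider)} independent provider(s), need {need}"
    if len({h for hashes in by_provider.values() for h in hashes}) != 1:
        return False, "providers disagree; escalate, do not sign"
    return True, f"{len(by_provider)} providers agree"

# Constructed sample data: REAL is the hash honest endpoints report, FAKE a tampered one.
REAL, FAKE = "0x" + "a1" * 32, "0x" + "ff" * 32
SINGLE_PROVIDER = [RpcAnswer("rpc-1", "provider-a", FAKE),
                   RpcAnswer("rpc-2", "provider-a", FAKE)]
ONE_BAD = [RpcAnswer("rpc-1", "provider-a", FAKE),
           RpcAnswer("rpc-3", "provider-b", REAL),
           RpcAnswer("rpc-4", "provider-c", REAL)]
ALL_AGREE = [RpcAnswer("rpc-1", "provider-a", REAL),
             RpcAnswer("rpc-3", "provider-b", REAL),
             RpcAnswer("rpc-4", "provider-c", REAL)]

if __name__ == "__main__":
    for name, sample in [("single provider", SINGLE_PROVIDER),
                         ("one tampered", ONE_BAD), ("all agree", ALL_AGREE)]:
        print(name, should_attest(sample, 5_000_000))
```

Two endpoints run by the same provider count once, so the single-provider case is refused for a high-value transfer even though both endpoints return the same answer.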
Another lesson from the incident is the importance of transparency and accountability. LayerZero’s initial decision to blame Kelp DAO eroded trust, and only after external pressure did the company admit its own role. In a space where trust is everything, such missteps can have severe consequences.
Looking forward, regulatory scrutiny of DeFi may also increase. Lawmakers in the United States and Europe have been closely following large-scale hacks, and incidents like the Kelp exploit could accelerate efforts to impose stricter security standards on protocols handling user funds. The CFTC and SEC have both shown interest in cross-chain transactions, and the involvement of North Korean hackers adds a geopolitical dimension to the issue.
Kelp DAO has not yet announced whether it will take legal action against LayerZero. However, the project’s shift to Chainlink signals that it no longer sees LayerZero as a reliable partner. For LayerZero, rebuilding trust will require more than just technical fixes—it will need to demonstrate a commitment to transparency and user protection over profit.
The $292 million exploit is a stark reminder that even the most established protocols can make catastrophic mistakes. As DeFi continues to grow, the industry must learn from such incidents and build more resilient systems. The days of “move fast and break things” in DeFi are rapidly coming to an end, replaced by a more cautious and security-first approach.
In the aftermath of the hack, many are calling for industry-wide standards for cross-chain security. Organizations like the DeFi Alliance and the Blockchain Association have begun working on best practices for verifier networks, including requirements for diversification of infrastructure and regular audits. If such standards are adopted, they could help prevent future exploits and restore confidence in the interoperability ecosystem.
For now, LayerZero is fighting to retain its customers and repair its image. Whether it can do so remains to be seen, but one thing is clear: the Kelp exploit will be remembered as a turning point in the maturation of decentralized finance.
Source: CoinDesk News