$290 million theft: Who's responsible? Kelp DAO shifts blame and retorts: LayerZero's "default configuration" caused it

A hacker attack totaling up to $292 million not only set the record for the largest theft in the DeFi sector this year but also sparked a blame-shifting controversy in the crypto community. In response to intense external criticism, Kelp DAO, a liquidity re-staking protocol, issued a statement on Monday, firmly countering accusations of negligence and sharply pointing the finger at cross-chain technology provider LayerZero for the security breach.
Looking back to April 18, Kelp DAO, built on LayerZero’s cross-chain technology, was ravaged by hackers, losing as many as 116,500 rsETH tokens, worth approximately $292 million, marking the largest DeFi hack of the year.
In response to this attack, LayerZero released an initial investigation report on Sunday, suggesting that the likely culprit behind the breach is the notorious North Korean hacker group “Lazarus Group.”
According to the report, the hackers first infiltrated LayerZero’s decentralized verification network (DVN, responsible for verifying the authenticity of cross-chain messages) by compromising its RPC node list. They then poisoned two of the RPC nodes and launched DDoS attacks on the remaining nodes, forcing the system to fail over to the tampered nodes. As a result, the DVN accepted false cross-chain messages and ultimately signed an unauthorized token transfer transaction.
The report criticized Kelp DAO for adopting an extremely vulnerable “1-of-1 DVN (single verification node)” configuration. LayerZero emphasized that this design lacks an independent verification mechanism, effectively creating a “single point of failure” that poses a critical risk, preventing the network from intercepting fake cross-chain messages.
LayerZero pointed out: “We had previously advised Kelp DAO multiple times to diversify the DVN node setup to enhance security, but despite these recommendations, Kelp insisted on using a 1-of-1 DVN configuration.”
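The failure mode described in the report, modeled as an added example (this is not LayerZero or Kelp DAO code). The function names, the five-endpoint layout, the quorum threshold of three and the sample hashes are all assumptions made for illustration. It contrasts a verifier that fails over to whichever RPC node still answers with one that fails closed on a quorum, and a 1-of-1 verifier requirement with a 2-of-2 one.

```python
from collections import Counter

# Constructed sample values; not taken from the incident.
GENUINE, FORGED = "0xaaaa", "0xbbbb"

def make_rpc(answer):
    """Fake RPC endpoint; answer=None models a node knocked offline by DDoS."""
    def query(msg_id):
        if answer is None:
            raise ConnectionError("endpoint unreachable")
        return answer
    return query

def read_failover(endpoints, msg_id):
    """Weak pattern: trust the first endpoint that answers."""
    for query in endpoints:
        try:
            return query(msg_id)
        except ConnectionError:
            continue
    return None

def read_quorum(endpoints, msg_id, threshold):
    """Fail closed: need `threshold` identical answers across all configured endpoints."""
    votes = Counter()
    for query in endpoints:
        try:
            votes[query(msg_id)] += 1
        except ConnectionError:
            pass  # an unreachable node is a missing vote, not a reason to lower the bar
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= threshold else None

def accept(attested_hashes, claimed_hash, required):
    """Message passes only if `required` independent verifiers attest to claimed_hash."""
    return sum(h == claimed_hash for h in attested_hashes) >= required

# Assumed layout: five configured endpoints, two poisoned, three offline.
ATTACKED = [make_rpc(None)] * 3 + [make_rpc(FORGED)] * 2
HEALTHY = [make_rpc(GENUINE)] * 5

if __name__ == "__main__":
    fooled = read_failover(ATTACKED, "msg-1")       # verifier A uses failover
    careful = read_quorum(HEALTHY, "msg-1", 3)      # verifier B has its own RPC set
    print("1-of-1:", accept([fooled], FORGED, 1))
    print("2-of-2:", accept([fooled, careful], FORGED, 2))
```

The quorum threshold is counted against the configured endpoint list, not against the endpoints that happen to be reachable, so taking nodes offline can stall verification but cannot lower the number of matching answers required.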
In response to these harsh accusations of “ignoring advice,” Kelp DAO immediately fired back on social platform X, directly claiming that the “1-of-1 DVN setup” responsible for the disaster was actually orchestrated by LayerZero itself. Kelp DAO stated in their announcement:

The so-called single-point verification setup is explicitly documented in LayerZero’s official technical documentation, and it has always been the ‘default option’ when creating new cross-chain tokens (OFT, a token standard allowing seamless transfer across multiple chains). Since January 2024, Kelp has been operating on LayerZero’s infrastructure and has maintained open communication channels with the LayerZero team.

Kelp DAO further explained that when the protocol was preparing to expand to Layer 2, both parties had in-depth discussions about the DVN configuration, and at that time, the default single verification node setting was even “explicitly confirmed as appropriate” by LayerZero officials.
“A process with mutual consensus and accurate event reconstruction is the foundation for us to jointly implement correct remedial measures,” Kelp DAO cryptically urged, implying that LayerZero should not be quick to shift blame at this moment.
Despite the ongoing verbal sparring over responsibility for the security breach, Kelp DAO emphasized that the team took decisive crisis management measures immediately after the incident, including temporarily suspending the affected smart contracts and blacklisting all wallets associated with the hackers, successfully containing the damage and preventing further losses.
