Who should pay for the "default configuration"? Half a month after the rsETH theft, LayerZero CEO "voluntarily takes responsibility"

Written by: Yangz, Techub News

In the never-sleeping world of Web3, April 18 should have been an ordinary day. For the liquid re-staking sector and the wider DeFi ecosystem, however, an event that may well go down in history quietly unfolded on-chain. In under an hour, attackers (allegedly Lazarus Group) exploited Kelp DAO's cross-chain bridge to mint 116,500 rsETH out of thin air, worth roughly $292 million. Because rsETH is widely accepted as collateral, the attackers did not rush to dump it. Instead they deposited these unbacked "air tokens" into mainstream lending protocols such as Aave and borrowed about $236 million worth of ETH against them, leaving Aave and other top protocols holding the bad debt.

This is not the first time a cross-chain bridge has been attacked, but this incident tore open a long-standing wound in the Web3 industry: when the underlying infrastructure (the protocol layer) and the product built on it (the application layer) leave a vacuum at their interface, who pays for the hundreds of millions of dollars that vanish?

Over the following month and a half, the crisis grew into a public contest over technology, responsibility, and power. From the initial mutual finger-pointing to today's "voluntary acceptance of responsibility" by LayerZero's CEO, it marks the latest phase in the debate over where the boundary of responsibility lies.

The deadly “1/1 DVN”

To understand this debate, we first have to dissect the attack. Notably, it did not rely on an intricate smart-contract vulnerability; the root cause was a single configuration parameter: a 1-of-1 DVN setup.

A DVN, or Decentralized Verifier Network, is the component in LayerZero V2's architecture that verifies cross-chain messages. A 1-of-1 configuration means that the attestation of a single verifier is enough for a cross-chain message to be treated as valid and executed. Worse, that one "key" was not entirely in Kelp's hands: the verifier depended on an underlying RPC node for its view of the source chain. The attackers poisoned that RPC node and combined it with a DDoS attack, hijacking the lone verifier node and feeding it fabricated "source-chain burn records". The verifier believed them, signed, and a huge quantity of rsETH appeared on the destination chain with nothing backing it.
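To make the failure mode concrete, here is a small added model of a DVN quorum; it is illustrative code written for this page, not LayerZero's or Kelp's implementation. It assumes the ULN-style rule that a message is executable only when every required DVN and at least a threshold of optional DVNs have attested to the same message hash, and it models a DVN as signing whatever its RPC endpoint shows it. The endpoint id, nonce, DVN names and the "poisoned RPC" scenario are all constructed.

```python
"""Toy model of a LayerZero-V2-style DVN quorum (added example, not LayerZero code).

A message (src_eid, nonce, payload) becomes executable on the destination only
once the configured verifier set has attested to its hash. Assumed rule: every
required DVN must attest, plus at least `optional_threshold` of the optional DVNs.
All identifiers and the attack scenario below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

ALL_DVNS = ("dvn_a", "dvn_b", "dvn_c", "dvn_d")  # constructed names


@dataclass(frozen=True)
class UlnConfig:
    required_dvns: tuple
    optional_dvns: tuple = ()
    optional_threshold: int = 0


def payload_hash(src_eid: int, nonce: int, payload: bytes) -> str:
    """Hash the (source endpoint, nonce, payload) tuple a DVN would attest to."""
    return hashlib.sha256(
        src_eid.to_bytes(4, "big") + nonce.to_bytes(8, "big") + payload
    ).hexdigest()


def attest(dvn: str, rpc_view: dict, src_eid: int, nonce: int) -> dict:
    """A DVN signs only what its RPC endpoint shows for (src_eid, nonce).

    If the endpoint is poisoned, the DVN faithfully signs a fabricated burn;
    an honest endpoint shows no event at that nonce, so the DVN signs nothing.
    """
    payload = rpc_view[dvn].get((src_eid, nonce))
    if payload is None:
        return {}
    return {dvn: payload_hash(src_eid, nonce, payload)}


def is_verifiable(cfg: UlnConfig, attestations: dict, expected_hash: str) -> bool:
    """Quorum check: all required DVNs, plus threshold-many optional DVNs."""
    required_ok = all(attestations.get(d) == expected_hash for d in cfg.required_dvns)
    optional_hits = sum(attestations.get(d) == expected_hash for d in cfg.optional_dvns)
    return required_ok and optional_hits >= cfg.optional_threshold


def single_point_of_failure(cfg: UlnConfig) -> bool:
    """True when compromising one DVN is sufficient to pass the quorum."""
    return len(cfg.required_dvns) + cfg.optional_threshold <= 1


def _run_scenario(cfg: UlnConfig, rpc_view: dict, src_eid: int, nonce: int, payload: bytes) -> bool:
    attestations = {}
    for d in ALL_DVNS:
        attestations.update(attest(d, rpc_view, src_eid, nonce))
    return is_verifiable(cfg, attestations, payload_hash(src_eid, nonce, payload))


def forged_mint_verifiable(cfg: UlnConfig, compromised: str = "dvn_a") -> bool:
    """Attack: one DVN's RPC is poisoned to show a burn that never happened."""
    src_eid, nonce = 30101, 4242                      # constructed values
    forged = b"burn 116500 rsETH -> mint on dst"      # no such event on source chain
    honest_chain = {}                                 # honest view: nothing at this nonce
    rpc_view = {d: honest_chain for d in ALL_DVNS}
    rpc_view[compromised] = {(src_eid, nonce): forged}
    return _run_scenario(cfg, rpc_view, src_eid, nonce, forged)


def legit_burn_verifiable(cfg: UlnConfig) -> bool:
    """Control: a real burn that every DVN's RPC endpoint reports identically."""
    src_eid, nonce = 30101, 4243
    real = b"burn 10 rsETH -> mint on dst"
    chain = {(src_eid, nonce): real}
    rpc_view = {d: chain for d in ALL_DVNS}
    return _run_scenario(cfg, rpc_view, src_eid, nonce, real)


# The "1/1 DVN" discussed above versus a quorum that survives one poisoned RPC.
WEAK = UlnConfig(required_dvns=("dvn_a",))
HARDENED = UlnConfig(
    required_dvns=("dvn_a", "dvn_b"),
    optional_dvns=("dvn_c", "dvn_d"),
    optional_threshold=1,
)

if __name__ == "__main__":
    for name, cfg in (("1-of-1", WEAK), ("2 required + 1-of-2 optional", HARDENED)):
        print(f"{name}: forged mint passes={forged_mint_verifiable(cfg)}, "
              f"legit burn passes={legit_burn_verifiable(cfg)}, "
              f"single point of failure={single_point_of_failure(cfg)}")
```

The point the model makes is the one in the paragraph: with a single required verifier and no optional quorum, the integrity of the whole bridge collapses to the integrity of that verifier's RPC feed. The `single_point_of_failure` check is the kind of guard a deployment script or audit checklist can apply to a configuration before it goes live, independent of how the DVN itself is operated.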

So the key question is: who bears the blame for this "1/1 DVN" configuration?

Mutual finger-pointing: the collision of two logics

In the first days after the attack, public opinion tilted against Kelp DAO. Social media was full of ridicule: for a top-tier protocol managing hundreds of millions of dollars, securing its bridge with a single verifier, a "paper-thin lock", seemed almost unforgivable.

Then, on April 21, Kelp released an official statement and opinion swung dramatically. Kelp's core argument fit in one sentence: if the official documentation and the default configuration are themselves dangerous, responsibility lies with whoever wrote the documentation and chose the defaults. On this view it was not a user misconfiguration but a "guidance flaw" in the product. Although LayerZero CEO Bryan Pellegrino repeatedly stressed that this was an application-layer choice rather than a protocol-layer vulnerability, the focus of blame shifted from Kelp's operational failure to LayerZero's "systemic arrogance": knowing the default configuration was risky, yet still presenting it as the standard onboarding example.

Third-party developers then amplified the controversy. Yearn core developer banteg reviewed the material and found that LayerZero V2's quick-start guides for Ethereum, BNB Chain, Polygon, Arbitrum, and Optimism all used this single-source verification as the default setting. Zach Rynes, head of the Chainlink community, was sharper still, accusing LayerZero of turning users who followed its official guidance into "scapegoats" in order to paper over how fragile its infrastructure is against top-tier attackers.

So who is right? In truth, neither side is entirely right or entirely wrong. At its core this is a collision of two logics. One is "hacker ethics": tools are neutral, and users are responsible for their own choices. The other is the secure-by-default principle: a product should ship in its safest state out of the box. Users may lower their own guard for convenience, but a product should never steer them toward danger.
