LayerZero's initial design flaw: Analyzing the security blind spots behind KelpDAO's $290 million hack

LayerZero admits to architectural design flaws in the KelpDAO hack, which stemmed primarily from vulnerabilities in the single-verifier model and resulted in a loss of $292 million in assets.

KelpDAO Hack: LayerZero Publicly Apologizes for the First Time

Cross-chain communication protocol LayerZero recently publicly acknowledged that there were design flaws in the KelpDAO hacking incident. The event caused approximately $292 million in asset losses and has become one of the largest DeFi attacks in 2026 to date.

According to official statements, the core issue stemmed from KelpDAO’s use of a “Single Verifier” mode in its cross-chain configuration, which allowed attackers to exploit RPC poisoning and verification process flaws to forge cross-chain information and bypass security checks.

A LayerZero co-founder publicly stated: “We made a mistake, and we will take responsibility (We own that).” This is also the first time LayerZero has directly acknowledged problems at the protocol design level during a major security incident.

After the incident, market skepticism about LayerZero’s security model quickly intensified. Since LayerZero has long promoted a “customizable security architecture,” allowing applications to choose their own verifiers and security configurations, some developers, aiming to reduce costs and improve efficiency, tend to adopt lower-security verification modes. This incident is seen as the first large-scale outbreak of risks associated with such architectural choices.


Single Verifier Design as the Biggest Vulnerability

According to LayerZero’s public incident report, KelpDAO chose a single DVN (Decentralized Verifier Network) verification mode during deployment, rather than a multi-verifier architecture. This means that if a single verification node is compromised or misled, attackers could forge cross-chain information.

In this attack, the hacker used RPC poisoning to corrupt the on-chain data that certain nodes served, causing verifiers to misjudge the authenticity of cross-chain information and ultimately allowing the forged assets to cross chains. Because cross-chain bridges depend on verification synchronized across multiple chains, a compromised verification source can directly lead to assets being minted or transferred out of thin air.
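The following toy model is an added illustration, not LayerZero or KelpDAO code. It shows why a 1-of-1 verifier configuration accepts a message that exists only in a poisoned RPC view while a 2-of-3 quorum over independent RPC sources rejects it, and it goes one step beyond the text by showing that a quorum gives no protection when every verifier reads from the same RPC. `RpcView`, `Verifier`, `accept` and all sample data are hypothetical and constructed for this example.

```python
import hashlib
from dataclasses import dataclass

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

@dataclass
class RpcView:
    """Hypothetical RPC endpoint: nonce -> payload it reports as emitted on the source chain."""
    emitted: dict

    def payload_digest(self, nonce: int):
        payload = self.emitted.get(nonce)
        return digest(payload) if payload is not None else None

@dataclass
class Verifier:
    """Hypothetical verifier that trusts exactly one RPC view of the source chain."""
    name: str
    rpc: RpcView

    def attests(self, nonce: int, claimed: str) -> bool:
        return self.rpc.payload_digest(nonce) == claimed

def accept(verifiers, threshold: int, nonce: int, claimed: str) -> bool:
    """Destination-side check: deliver only if `threshold` verifiers attest."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and the number of verifiers")
    return sum(v.attests(nonce, claimed) for v in verifiers) >= threshold

# Constructed sample data: nonce 7 was really emitted, nonce 8 never was.
REAL = b"constructed: legitimate message"
FORGED = b"constructed: message never emitted on the source chain"
honest_a, honest_b = RpcView({7: REAL}), RpcView({7: REAL})
poisoned = RpcView({7: REAL, 8: FORGED})  # poisoned view reports an extra message
single = [Verifier("v1", poisoned)]
independent = [Verifier("v1", poisoned), Verifier("v2", honest_a), Verifier("v3", honest_b)]
shared = [Verifier(n, poisoned) for n in ("v1", "v2", "v3")]  # same RPC behind all three

def run_scenarios() -> dict:
    return {
        "single_1of1_forged": accept(single, 1, 8, digest(FORGED)),
        "independent_2of3_forged": accept(independent, 2, 8, digest(FORGED)),
        "independent_2of3_real": accept(independent, 2, 7, digest(REAL)),
        "shared_rpc_3of3_forged": accept(shared, 3, 8, digest(FORGED)),
    }

if __name__ == "__main__":
    print(run_scenarios())
```

When reviewing a real deployment, the two properties to check are the same ones the model varies: the attestation threshold, and whether the verifiers' data sources are actually independent of one another.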

LayerZero emphasizes that the protocol itself originally supported higher-security multi-verifier configurations, but KelpDAO did not enable the full architecture at the time. Nevertheless, the market criticizes LayerZero for issues in product design and documentation, as developers may underestimate the risk differences between various security settings.

Some security researchers point out that this incident exposes a fundamental long-standing problem in cross-chain protocols. Many cross-chain systems, while claiming decentralization, still heavily rely on a small number of verification nodes, RPC providers, or relay infrastructure. If any one of these layers is attacked, it can impact the entire asset verification process.

Cross-Chain Protocol Security Models Reignite Debate

After the KelpDAO incident, the DeFi community resumed discussions on the security logic of cross-chain protocols. In recent years, systems like Wormhole, Ronin Network, and Harmony have all suffered large-scale attacks due to verification mechanism vulnerabilities. Trust in cross-chain bridges has long been fragile.

LayerZero previously promoted an “Ultra Light Node” architecture, aiming to reduce cross-chain costs and deployment barriers, while allowing developers to choose security configurations through modular design. However, this incident shows that “customizable security” can also be a double-edged sword. When protocols delegate significant security responsibilities to application developers, if those teams lack sufficient security expertise, it could introduce even greater risks.

Market analysts believe that future cross-chain protocols may tend toward “pre-set high security” by default, rather than allowing developers to select the lowest-cost options. Especially as institutional funds begin entering on-chain financial markets, demands for security and accountability will become more stringent.

DeFi Ecosystem Enters Infrastructure Reassessment Phase

This incident’s impact on the DeFi ecosystem is no longer just about a single hacker attack. Many development teams are re-evaluating their cross-chain configurations, RPC sources, and verifier architectures. Some protocols have even urgently increased verification thresholds or temporarily suspended certain cross-chain functions.

On the other hand, on-chain security firms and research institutions point out that future attackers may increasingly avoid directly hacking smart contracts, instead targeting infrastructure layers such as RPCs, verification networks, oracles, and cross-chain information systems. These types of attacks are often harder to detect and can more easily impact large-scale funds.

LayerZero’s public admission of fault also indicates, to some extent, that DeFi infrastructure is beginning to face a more mature culture of accountability. In the past, many protocols, after being hacked, would place full blame on third parties or user configurations. Now, some major protocols are willing to admit that their architecture itself has flaws. For the entire Web3 industry, this may be the truly noteworthy change.
