Kelp shifts blame to Chainlink over $292 million DeFi hacker incident controversy

Writing by: Murugaverl Mahasenan, CATENAA

Tuesday, May 12, 2026 — KelpDAO accuses LayerZero’s infrastructure of playing a role in facilitating a $292 million attack event, and says it will migrate its cross-chain system to Chainlink as it rebuilds its liquid staking token framework. The incident is one of the largest DeFi security incidents of the year.

At the core of the controversy is an attack that took place in April, resulting in the theft of approximately 116,500 rsETH. rsETH is an Ethereum-based liquid staking token that can be used for cross-chain transfers.

The attack targeted a bridging system that allows rsETH to be transferred between multiple blockchain networks. Security researchers linked the incident to the North Korean hacker group Lazarus Group, which has been associated with multiple high-value cryptocurrency thefts.

Core Responsibility

KelpDAO says that LayerZero’s infrastructure design played a central role in this vulnerability incident. The protocol claims that because the system configuration adopted a single validator, the attacker was able to manipulate the transaction validation process after breaching part of the routing infrastructure.

KelpDAO says this weakness allowed forged cross-chain transactions to be approved without sufficient verification.

LayerZero denies this. The company says the attack was limited to Kelp’s specific implementation, and states that Kelp uses a single-validator configuration, which deviates from LayerZero’s recommended multi-validator architecture.

The disagreement has escalated into a public debate centered on: in decentralized cross-chain systems, how should responsibility be assigned and attributed?

KelpDAO says that multiple security firms, including Chainalysis and SEAL 911, support its assessment that the vulnerability stemmed from issues in LayerZero’s infrastructure configuration.

KelpDAO also says that the exploited single-validator model is not unique to Kelp and is widely adopted in other applications within the ecosystem.

The protocol states that the attacker successfully compromised the remote procedure call (RPC) nodes associated with the validator network, allowing forged transaction data to be injected.

Then, this data was accepted by the system, enabling the attacker to transfer funds between multiple blockchain networks without authorization.

KelpDAO says that after the incident, LayerZero updated its policies and no longer supports single-validator configurations. KelpDAO believes this change precisely indicates that the prior design indeed carried systemic risks that were not adequately addressed before the attack.

LayerZero, however, insists that its documentation has always recommended a multi-validator security configuration and says that each protocol party needs to be responsible for its own deployments and configurations.

As of now, LayerZero has not published a detailed technical explanation regarding KelpDAO’s latest accusations.

Asset Freezing and Legal Proceedings

The impact of this attack has gone beyond the technical dispute itself. Approximately $71 million in assets related to the attack were frozen on the Arbitrum network, triggering legal proceedings in the U.S. Federal Court in New York. The focus of the current case is whether these frozen assets should be returned or should remain frozen pending further investigation.

KelpDAO says that this incident raises broader issues, including responsibility attribution within cross-chain infrastructure and the risks brought by relying on single-point validation. The protocol says this experience exposed structural weaknesses and shows that the system needs to move toward more decentralized validation mechanisms.

Migration to Chainlink

As part of its response, KelpDAO announced it will migrate its rsETH system to Chainlink’s cross-chain interoperability protocol (CCIP). The new system will use multiple mutually independent validators to approve transactions, reducing reliance on validating through a single entity.

Chainlink confirmed its involvement in the migration and said it is working with KelpDAO to enhance cross-chain security. The company says that for decentralized finance to achieve large-scale adoption, more robust infrastructure is needed to reduce systemic risks.

Chainlink’s Chief Business Officer Johann Eid said that a secure interoperability system is crucial for the long-term development of blockchain-based finance. He said that each protocol must ensure that cross-chain activity does not fail as a whole due to single points of failure.

This move marks a major shift for KelpDAO. Previously, the protocol’s cross-chain operations relied on LayerZero’s infrastructure. KelpDAO says that after this incident, it is redesigning its system, placing security and transparency as top priorities.

Industry Impact

This attack is one of the largest disclosed DeFi security vulnerability events in 2026, and it has further intensified industry concerns about the fragility of cross-chain bridges. Cross-chain bridges remain one of the components of blockchain infrastructure most vulnerable to being targeted by attacks.

Industry analysts point out that cross-chain systems introduce complex security risks because they must coordinate validation across multiple networks. Even minor configuration defects can create attack surfaces that are difficult to detect in time.

The incident has also further intensified the debate over whether decentralized systems should adopt lightweight validation models or higher-resource-consuming multi-validator frameworks. Supporters of simpler systems value efficiency, while critics argue that such models amplify systemic risks.

As of the time of publication, LayerZero has not issued a public response to KelpDAO’s latest statements.

As the investigation continues and legal proceedings unfold, this case is expected to influence how future cross-chain protocols design validation systems and how responsibility is allocated in future DeFi incidents. KelpDAO says its current focus is to ensure the security of rsETH and restore users’ confidence during the migration to Chainlink infrastructure.