LayerZero acknowledged late Friday, U.S. time, “making a mistake” by allowing its own validation infrastructure to protect high-value crypto assets in a vulnerable configuration, a significant shift in tone after weeks of blaming developers. Kelp DAO lost $292 million in a hack linked to North Korean attackers.
This acknowledgment marks a significant shift after weeks of public blame between LayerZero and Kelp, with LayerZero initially attributing the April hack to a configuration issue in Kelp’s application layer.
In a blog post published on Friday, LayerZero wrote: "First, I want to offer a belated apology."
LayerZero initially attributed responsibility to Kelp, suggesting that the protocol had opted for an extremely risky "1-to-1" configuration, in which only a single decentralized verifier network (DVN) is required to approve cross-chain transfers, creating a single point of failure. A DVN is part of the infrastructure used to verify the legitimacy of transactions that transfer assets between blockchains.
The company stated: "We made a mistake by allowing our DVN to be used as a one-to-one DVN for high-value transactions. We did not regulate the content protected by the DVN, which created risks we failed to anticipate. We take full responsibility for this."
To address this situation, LayerZero Labs stated that its DVN will no longer support the 1/1 DVN configuration. Additionally, the blog noted that “default configurations on all paths will be migrated to 5/5 wherever possible, and on any chain with only three DVNs available, at least a migration to 3/3 will occur.”
Cross-chain bridges act like digital rail links connecting otherwise separate blockchain networks, but they have long been one of the most vulnerable parts of cryptocurrency infrastructure.
LayerZero insists that its underlying protocol has not been compromised and reiterates that developers ultimately bear responsibility for configuring their own security assumptions.
The LayerZero protocol was unaffected, the company said, attributing the attack to an assault on the internal RPC infrastructure used by LayerZero Labs DVN, while external RPC providers also suffered distributed denial-of-service attacks.
Additionally, LayerZero stated that three and a half years ago, one of the signers of its multisig account initiated a personal transaction using their multisig hardware wallet, intending to transfer funds to their own personal hardware wallet. The company is taking action against such behavior and stated: “This is clearly unacceptable.”
The signer has been removed from the multisignature, the wallet has been rotated, and since then we have enhanced the security measures on each device by adding local anomaly detection software and created a custom multisignature called OneSig.
Competitors, including Chainlink, are capitalizing on the aftermath of this event to win business from protocols reconsidering their security providers.
Kelp DAO has moved its rsETH bridge to Chainlink’s competing Cross-Chain Interoperability Protocol, while Solv Protocol stated this week that, following its latest security audit, the company is migrating over $700 million in tokenized Bitcoin infrastructure away from LayerZero.



