Three weeks after initially blaming Kelp DAO for the $292 million rsETH exploit, LayerZero reversed course Friday, acknowledging it should never have allowed its decentralized verifier network to act as the sole verifier for high-value cross-chain transactions. The vulnerability was exploited by Lazarus Group on April 18. LayerZero's original post-mortem placed responsibility on Kelp DAO, but Kelp responded by citing eight integration meetings where LayerZero never flagged the configuration as a security risk. A Dune analysis found 47% of approximately 2,665 active LayerZero OApp contracts were running the same single-verifier configuration at the time of the attack, with $4.5 billion in associated market value at risk. The fallout is accelerating: Kelp has migrated rsETH to Chainlink's CCIP, and Solv Protocol is moving over $700 million in tokenized Bitcoin off LayerZero. LayerZero conceded it had done 'a terrible job on comms' and should have led with directness.

Key facts

• LayerZero admitted it should not have allowed its single-verifier setup for high-value transactions.
• Lazarus Group exploited the vulnerability on April 18, stealing $292 million.
• 47% of LayerZero OApp contracts had the same risky configuration, affecting $4.5 billion.
• Kelp migrated rsETH to Chainlink's CCIP; Solv Protocol moved $700M off LayerZero.
• LayerZero conceded poor communication and apologized for the delay.

KeyAudit data perspective