LayerZero, a cross-chain messaging protocol, has publicly apologized for its handling of communications following a major security incident involving Kelp DAO. In a detailed update released on its official blog, the company admitted shortcomings in its initial response and took direct responsibility for a critical flaw in its decentralized verifier network (DVN) configuration that enabled the exploit. The apology marks a significant shift in tone.
For three weeks after the April incident, LayerZero had focused on delivering a thorough technical analysis rather than addressing concerns head-on. Company leaders now acknowledge that this approach fell short, prioritizing exhaustive details over clear and immediate transparency.
Although the core LayerZero protocol itself was not compromised, the breach stemmed from an attack on the firm’s internal remote procedure call (RPC) infrastructure.
Hackers from the Lazarus Group poisoned the data source used by LayerZero Labs’ DVN, while an external RPC provider faced a distributed denial-of-service (DDoS) assault.
At the center of the matter is the single-verifier setup. LayerZero has long championed developer autonomy, allowing projects to select their preferred security parameters for cross-chain transfers.
However, executives conceded they made a serious error by not restricting their own DVN from operating in a 1-of-1 mode for high-value assets.
This arrangement created a single point of failure that went unnoticed.
“We didn’t police what our DVN was securing, which created a risk we simply didn’t see,” the statement emphasized, underscoring full ownership of the lapse.
The affected application represented just 0.14 percent of total deployments and about 0.36 percent of overall asset value secured on the network, yet the financial impact was substantial.
In response, LayerZero pledged stronger proactive measures. It will ramp up educational efforts and actively monitor application configurations to promote safer practices.
The DVN will no longer support 1-of-1 setups for any project.
Defaults across pathways are being upgraded to require multiple verifiers—ideally five, or at least three where options are limited.
Additional technical improvements include a new Rust-based DVN client for greater diversity and enhanced RPC quorum systems.
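The article names an "RPC quorum" as one of the fixes but does not describe how one works. The following is an added illustration, not LayerZero's code or its actual DVN client: it models a verifier that asks several independent RPC endpoints for a source-chain block hash and only attests when enough of them agree, so that one poisoned data source, or one endpoint taken offline by a DDoS, cannot by itself produce a bad attestation. The endpoint names, hashes and the `quorum_block_hash` helper are all constructed for this example.

```python
"""Illustrative RPC quorum check for a cross-chain verifier.

Added example, not LayerZero's code. A verifier attests to a source-chain
block only when at least `min_agreeing` independent RPC endpoints return
the same block hash. Endpoint names and responses below are constructed.
"""
from collections import Counter
from typing import Callable, Optional

# An RPC source: given a block number, return its hash, or None if the
# endpoint is unreachable (for example, under a DDoS).
RpcSource = Callable[[int], Optional[str]]


def quorum_block_hash(sources: dict[str, RpcSource], block_number: int,
                      min_agreeing: int) -> tuple[Optional[str], dict]:
    """Query every source and return (agreed_hash, report).

    agreed_hash is None when fewer than `min_agreeing` sources return the
    same value, i.e. the verifier refuses to attest. The report lists the
    unreachable and dissenting endpoints, which is what an operator would
    alert on: a dissenting endpoint is either poisoned or on a fork.
    """
    answers = {name: src(block_number) for name, src in sources.items()}
    votes = Counter(h for h in answers.values() if h is not None)
    report = {"unreachable": sorted(n for n, h in answers.items() if h is None),
              "dissenting": [], "agreed": None}
    if not votes:
        return None, report
    leading_hash, count = votes.most_common(1)[0]
    if count < min_agreeing:
        return None, report
    report["agreed"] = leading_hash
    report["dissenting"] = sorted(n for n, h in answers.items()
                                  if h is not None and h != leading_hash)
    return leading_hash, report


def make_source(chain_view: dict[int, str]) -> RpcSource:
    """Build a constructed RPC source from a block_number -> hash map."""
    return lambda n: chain_view.get(n)


# Constructed sample data: three honest endpoints, one poisoned endpoint that
# serves a fabricated hash for block 100, and one endpoint offline for that block.
HONEST_VIEW = {100: "0xaaaa", 101: "0xbbbb"}
POISONED_VIEW = {100: "0xdead", 101: "0xbbbb"}

SOURCES = {
    "rpc-a": make_source(HONEST_VIEW),
    "rpc-b": make_source(HONEST_VIEW),
    "rpc-c": make_source(HONEST_VIEW),
    "rpc-poisoned": make_source(POISONED_VIEW),
    "rpc-offline": make_source({101: "0xbbbb"}),
}


def demo() -> tuple[Optional[str], Optional[str]]:
    """Contrast a verifier fed only by the poisoned endpoint (1-of-1) with a
    3-of-5 quorum over all endpoints, both asked about block 100."""
    single_source_hash, _ = quorum_block_hash(
        {"rpc-poisoned": SOURCES["rpc-poisoned"]}, 100, min_agreeing=1)
    quorum_hash, _ = quorum_block_hash(SOURCES, 100, min_agreeing=3)
    return single_source_hash, quorum_hash


if __name__ == "__main__":
    print(demo())  # ('0xdead', '0xaaaa')
    print(quorum_block_hash(SOURCES, 100, min_agreeing=3)[1])
```

The single-source verifier accepts the fabricated hash without any signal that something is wrong; the quorum returns the honest hash and, just as importantly, names the dissenting endpoint, which turns a silent poisoning into an alert.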
The company also addressed lingering questions about asset safety. Over $9 billion in value has moved across LayerZero since mid-April without further incidents, reinforcing confidence in the protocol’s design.
Developers received clear recommendations: pin custom configurations to avoid relying on defaults, enforce high block confirmations to resist reorganizations, incorporate multiple DVNs, and even consider operating their own verifier as a required component.
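The recommendations above, together with the 1-of-1 problem described earlier, amount to a checklist an issuer could run against its own configuration before deploying. The following is an added example, not LayerZero's Console or any part of the protocol: it lints a simplified, constructed config shape whose field names (`required_dvns`, `optional_dvns`, `optional_threshold`, `confirmations`, `pinned`, `operator_dvn`) and numeric floors are assumptions chosen to mirror the article's advice, and it shows a weak configuration beside a hardened one.

```python
"""Illustrative security-config linter for a cross-chain application.

Added example, not LayerZero's tooling. Config fields are a constructed
model of the concepts in the article, not the protocol's real schema:
  required_dvns      verifiers that must all attest to every message
  optional_dvns      pool from which `optional_threshold` more must attest
  confirmations      source-chain blocks to wait before attesting
  pinned             True if the app set its config explicitly instead of
                     inheriting pathway defaults
  operator_dvn       the application's own verifier, if it runs one
"""
from dataclasses import dataclass, field
from typing import Optional

MIN_CONFIRMATIONS = 15   # assumed floor; set per source chain's reorg depth
PREFERRED_VERIFIERS = 5  # article: ideally five
MINIMUM_VERIFIERS = 3    # article: at least three


@dataclass
class PathwayConfig:
    required_dvns: list[str]
    optional_dvns: list[str] = field(default_factory=list)
    optional_threshold: int = 0
    confirmations: int = 0
    pinned: bool = False
    operator_dvn: Optional[str] = None


def effective_verifier_count(cfg: PathwayConfig) -> int:
    """Number of distinct verifiers that must sign before a message is accepted."""
    return len(cfg.required_dvns) + min(cfg.optional_threshold, len(cfg.optional_dvns))


def lint(cfg: PathwayConfig) -> list[str]:
    """Return findings, most severe first for the verifier-count check."""
    findings = []
    n = effective_verifier_count(cfg)
    if n <= 1:
        findings.append("CRITICAL: single verifier (1-of-1) is a single point of failure")
    elif n < MINIMUM_VERIFIERS:
        findings.append(f"HIGH: only {n} verifiers must attest; use at least {MINIMUM_VERIFIERS}")
    elif n < PREFERRED_VERIFIERS:
        findings.append(f"LOW: {n} verifiers must attest; {PREFERRED_VERIFIERS} preferred")
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("ERROR: optional_threshold exceeds optional_dvns (unsatisfiable)")
    if not cfg.pinned:
        findings.append("HIGH: config inherits pathway defaults; pin it explicitly")
    if cfg.confirmations < MIN_CONFIRMATIONS:
        findings.append(f"MEDIUM: {cfg.confirmations} confirmations is below the floor of {MIN_CONFIRMATIONS}")
    if cfg.operator_dvn and cfg.operator_dvn not in cfg.required_dvns:
        findings.append("MEDIUM: operator's own DVN is not a required verifier")
    return findings


# Constructed configs. WEAK is the shape the article warns about: one vendor
# DVN, defaults inherited, almost no confirmations.
WEAK = PathwayConfig(required_dvns=["dvn-vendor-a"], confirmations=1)

# HARDENED follows the recommendations: pinned, three required verifiers
# including the operator's own, plus 2 of 3 optional ones, 20 confirmations.
HARDENED = PathwayConfig(
    required_dvns=["dvn-vendor-a", "dvn-vendor-b", "dvn-own"],
    optional_dvns=["dvn-vendor-c", "dvn-vendor-d", "dvn-vendor-e"],
    optional_threshold=2,
    confirmations=20,
    pinned=True,
    operator_dvn="dvn-own",
)

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, effective_verifier_count(cfg), lint(cfg) or ["OK"])
```

The effective count deliberately treats `optional_threshold` as the number of optional verifiers that must actually sign, not the size of the optional pool: a config with five optional DVNs and a threshold of one is still close to a single point of failure, and a threshold larger than the pool can never be satisfied.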
LayerZero reiterated its foundational philosophy: eliminating systemic risk by empowering each application to control its own security end-to-end.
This approach has attracted major institutional players and facilitated hundreds of billions in transfers.
The update also revisited an unrelated internal matter from three and a half years ago, in which a multisig signer inadvertently used a company device for a personal transaction.
That individual was promptly removed, wallets were rotated, and new safeguards—including a custom OneSig multisig and anomaly detection tools—were implemented.
LayerZero is building tools like the Console platform to help issuers manage configurations, detect anomalies, and integrate advanced signing. These steps aim to prevent similar vulnerabilities and bolster trust in decentralized finance infrastructure.
The firm continues collaborating with external security experts for a complete post-mortem. The incident highlights ongoing challenges in DeFi, where complex cross-chain bridges must balance flexibility with rigorous oversight. By owning its role in the single-verifier oversight, LayerZero signals a commitment to evolving its ecosystem in a more responsible manner.