LayerZero, a cross-chain messaging protocol, publicly apologized for its handling of communications following a major security incident involving the Kelp DAO. In a detailed update posted on its official blog, the company acknowledged the shortcomings in its initial response and took direct responsibility for a critical flaw in its decentralized verification network (DVN) configuration. The apology marks a significant shift in tone.
For three weeks after the April incident, LayerZero focused on providing comprehensive technical analysis rather than directly addressing concerns. Company leaders now recognize that this approach was inadequate and prioritized granular detail over clear and immediate transparency.
While the core LayerZero protocol itself was not compromised, the breach resulted from an attack on the firm’s internal remote procedure call (RPC) infrastructure.
Hackers from Lazarus Group poisoned data. The resource used by LayerZero Labs’ DVN, an external RPC provider, faced a distributed denial of service (DDoS) attack.
At the core of the issue is the single-verifier setup. LayerZero has long advocated for developer autonomy, allowing projects to choose their preferred security parameters for cross-chain transfers.
However, administrators admitted that they made a serious mistake by not restricting their DVNs from operating in 1-of-1 mode for high-value assets.
This arrangement created a single point of failure that was overlooked.
The statement underlined that LayerZero fully owned the mistake, emphasizing: “We did not audit what our DVN secured, which created a risk we did not see.”
The affected application represented only 0.14 percent of total distributions and approximately 0.36 percent of the total asset value secured on the network, but its financial impact was significant.
In response, LayerZero promised stronger proactive measures. It will increase training efforts and actively monitor application configurations to promote safer practices.
Its DVN will no longer support 1-of-1 configurations for any project.
Path defaults are being raised to require multiple validators (ideally five, or at least three where options are limited).
Additional technical improvements include a new Rust-based DVN client for greater diversity and improved RPC core systems.
The company also addressed persistent questions about asset security. Since mid-April, over $9 billion worth of value has moved on LayerZero without further incident, strengthening confidence in the protocol’s design.
Developers received clear recommendations: pin custom configurations rather than relying on defaults, enforce high block confirmations to resist chain reorganizations (reorgs), add multiple DVNs, and even consider running their own validators as a required component.
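The recommendations above can be checked mechanically against an application's pathway configuration. The following is an added example, not LayerZero's code: the field names (usesDefaults, confirmations, requiredDVNs, optionalDVNs, optionalDVNThreshold), the DVN names and the confirmation floor are assumptions, and the sample pathways are constructed.

```javascript
// Added example. Field names are assumptions modeled on a ULN-style pathway config.
const MIN_DVNS = 3;            // page: at least three where options are limited
const IDEAL_DVNS = 5;          // page: ideally five
const MIN_CONFIRMATIONS = 15;  // assumed policy floor; set per source chain

// Constructed sample pathways, not real deployments.
const samplePathways = [
  { name: "appA chainX->chainY", usesDefaults: true, confirmations: 15,
    requiredDVNs: ["dvn-labs"], optionalDVNs: [], optionalDVNThreshold: 0 },
  { name: "appB chainX->chainZ", usesDefaults: false, confirmations: 5,
    requiredDVNs: ["dvn-labs", "dvn-b"], optionalDVNs: ["dvn-c", "dvn-d"],
    optionalDVNThreshold: 1 },
  { name: "appC chainY->chainZ", usesDefaults: false, confirmations: 64,
    requiredDVNs: ["dvn-own", "dvn-b", "dvn-c"],
    optionalDVNs: ["dvn-d", "dvn-e", "dvn-f"], optionalDVNThreshold: 2 },
];

// Distinct verifiers that must attest before a message is accepted.
// Duplicates are collapsed: the same DVN listed twice is still one verifier.
function effectiveQuorum(p) {
  const required = new Set(p.requiredDVNs);
  const optional = new Set(p.optionalDVNs.filter((d) => !required.has(d)));
  return required.size + Math.min(p.optionalDVNThreshold, optional.size);
}

// Returns finding codes for one pathway; ownDVNs lists verifiers the app runs itself.
function auditPathway(p, ownDVNs = []) {
  const findings = [];
  const quorum = effectiveQuorum(p);
  if (p.usesDefaults) findings.push("UNPINNED_DEFAULTS");
  if (quorum <= 1) findings.push("SINGLE_VERIFIER");
  else if (quorum < MIN_DVNS) findings.push("BELOW_MIN_DVNS");
  else if (quorum < IDEAL_DVNS) findings.push("BELOW_IDEAL_DVNS");
  if (p.confirmations < MIN_CONFIRMATIONS) findings.push("LOW_CONFIRMATIONS");
  if (!p.requiredDVNs.some((d) => ownDVNs.includes(d))) {
    findings.push("NO_SELF_RUN_REQUIRED_DVN");
  }
  return findings;
}

for (const p of samplePathways) {
  console.log(p.name, auditPathway(p, ["dvn-own"]).join(", ") || "ok");
}
```

A configuration that lists the same verifier twice is reported as a single verifier, because the quorum is counted over distinct DVNs.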
LayerZero reiterated its core philosophy: eliminating systemic risk by empowering each application to control its own security end-to-end.
This approach attracted the attention of large corporate players and facilitated transfers worth hundreds of billions of dollars.
The update also revisited an unrelated internal issue from three and a half years ago, in which a multisignature signer mistakenly used a company device for a personal transaction.
This person was immediately removed, wallets were rotated, and new security measures were implemented, including proprietary OneSig multi-signature and anomaly detection tools.
LayerZero produces tools such as Console, a platform to help issuers manage configurations, detect anomalies, and integrate advanced signing. These steps aim to prevent similar vulnerabilities and increase trust in decentralized finance infrastructure.
The firm continues to collaborate with external security experts for a full post-mortem. The incident highlights ongoing challenges in DeFi: complex cross-chain bridges need to balance flexibility with tight control. By taking ownership of the sole-validator oversight, LayerZero signals its commitment to developing its ecosystem more responsibly.





