Bryan Pellegrino, founder and CEO of LayerZero Labs, responded to KelpDAO after Liquid Restock Protocol published a long post alongside screenshots that it claims are proof that LayerZero employees approved the configuration of the single verification bridge that was exploited in the $292 million hack on April 18.
Pellegrino said KelpDAO’s version of events was largely untrue and that Kelp itself had downgraded its rating from the safer default setting.
The public finger-pointing between both platforms breaks what was shaping up to be a united front by DeFi projects that have taken it upon themselves to contain the fallout from the exploitation, rallying under the slogan “DeFi United.”
LayerZero pledged More than 10,000 ETH were sent to the recovery effort led by Aave on April 28, according to a post from the protocol’s official account. However, the latest development raises the question of who bears responsibility for the root cause of the exploitation that, so far, appears to have turned former allies into enemies.
Why are LayerZero and KelpDAO unifying?
In a thread published on X on May 5, Pellegrino challenged three specific claims made by KelpDAO in its announcement that it would migrate the rsETH bridge from LayerZero to Chainlink’s CCIP.
“A lot of this is completely untrue.” Pellegrino wrote. Kelp was originally deployed using LayerZero’s default multi-DVN (decentralized verification network) configuration and was “manually migrated to a 1/1 configuration later,” he said.
Setting up 1 of 1 DVN means that a single verification signature is sufficient to allow cross-chain token transfers, removing the redundancy that multiple DVNs provide.
“Nearly 100% of the volume in the 1/1 configuration was rsETH,” Pellegrino added, pointing to Kelp as the dominant user of the setup that was exploited. He also noted that the LayerZero documentation cautions against using a single validator configuration for production applications.
In a previous post dated May 4, Pellegrino admitted Personal conflict over the situation. “I still have a great deal of cognitive dissonance here,” he wrote.
Pellegrino stated that he was wrong when he assumed that having someone manually change the configurations he helped him set up to 1/1 was impossible.
As Pellegrino acknowledged, the protocol provided the infrastructure, but each application chose how to configure it. While he stated that it is easy to sit back and do nothing, he acknowledged that this is not the right approach.
KelpDAO says LayerZero has checked out on the setup
Kilbdaw Post May 5 Take a different stance. According to the Cryptopolitan website Previous reportsKelp posted Telegram screenshots showing a LayerZero team member writing “no problem using defaults too” during discussions about Kelp’s L2 expansion. Those exchanges spanned eight discussions over two-and-a-half years without objection from LayerZero employees, Kelp says.
Kelp announced that it is migrating rsETH to Chainlink’s CCIP, calling the move a direct response to the exploit. The migration process is already underway. Kelp’s GitHub repository lists the new “CCIP (Chainlink) RSETH” contract alongside the old LayerZero RSETH_OFT contract, according to previous Cryptopolitan coverage.
Exploitation and its extent
The April 18 attack drained 116,500 rsETH, roughly 18% of the liquid token in circulation, from Kelp’s LayerZero bridge.
At the time of the exploit, 47% of active LayerZero OApp contracts used a 1 of 1 DVN setting, according to data cited in previous reports. LayerZero has since blocked the configuration and is pushing migrations across its application base.
DeFi is at a crossroads
The Pellegrino-Kelp dispute will likely shape how DeFi protocols negotiate security responsibilities with infrastructure providers in the future.
LayerZero is facing pressure to explain why nearly half of its app base runs a configuration it now deems unacceptable. Kelp is facing scrutiny over why he was downgraded from the multiple-check default, if Pellegrino’s account is accurate. ETH frozen on Arbitrum is still in legal limbo, and LayerZero’s 10,000 ETH DeFi United redemption contribution is disappearing in the rearview mirror.
There is a middle ground between leaving money in the bank and playing dice in cryptocurrencies. Get started with this free video Decentralized finance.
