LayerZero Labs open letter attempts to explain failures around KelpDAO hack

LayerZero Labs released an open letter explaining its failures in communication and operations following the KelpDAO hack by the Lazarus Group. The cyberattack did not affect LayerZero Labs’ protocol but did affect its internal systems, leading the firm to acknowledge mistakes in previous operations. 

LayerZero Labs released its apology letter on May 8, 2026. 

LayerZero admits to past multisig misuse 

Around April 19, 2026, the Lazarus Group attacked LayerZero Labs’ internal RPC nodes, which were used by their DVN network. The attackers corrupted the source of truth for these internal RPCs and simultaneously launched a DDoS attack against LayerZero Labs’ external RPC provider. LayerZero clarified that the LayerZero protocol was not affected during this incident.

As reported by Cryptopolitan, the hack affected only a single application, which is 0.14% of all LayerZero apps and 0.36% of the total value of assets bridged on the platform. The breach led to the $300 million rsETH exploit targeting KelpDAO. 

In the apology, LayerZero Labs also commented on another security issue that occurred three and a half years ago. In one instance, a signer used the hardware wallet intended for multisig transactions for an individual transaction for McPepes memecoin trading on Uniswap using their personal wallet. 

A signer was replaced, wallets were swapped, and measures were put in place to prevent similar occurrences in the future.

This was in direct contradiction to previous public statements by LayerZero co-founder Bryan Pellegrino, who had referred to such activities as standard “OFT testing” less than 24 hours earlier. Some users pointed out the discrepancy, noting that the memecoins involved had been observed in many transactions from the same multisig wallet for quite some time. 

As reported by Cryptopoltan, LayerZero clarified that their multisig mechanism only allows control over Endpoint functionality, including chain addition and test default updates.

LayerZero pushes developers to do a better security job

LayerZero has reiterated its foundational architecture, designed to eliminate single points of failure common in traditional bridges. Every application can independently own its end-to-end security without relying on LayerZero Labs. 

The company advised developers to take concrete steps: pin all configurations to avoid default settings controlled by LayerZero Labs; increase block confirmations on each chain to minimize reorganization risks; configure DVNs with at least two (preferably three to five) independent parties; and consider operating their own required DVN.

The company has also listed some assumptions about trust and liveness. LayerZero Labs’ default applications and DVN that rely on a single verifier rely on all the trust from LayerZero Labs’ multisig. Gas relaying services, such as Essence and LayerZero executors, affect only liveness.

After the event, LayerZero Labs no longer supports DVN in the 1/1 configuration; instead, pathway defaults have been upgraded to either 5/5 or 3/3 configurations, where possible, and development of a DVN client in Rust is underway.

DeFi implications from the LayerZero breach 

The response to the attack was met with immediate criticism for its initial attempt to deflect responsibility onto its partners. KelpDAO and Solv Protocol have already switched their systems to Chainlink, and Beefy, Ethena, BitGo, Lombard, and many others are reconsidering their integrations. 

There are concerns about reduced bridged transaction volumes, Stargate earnings, and $ZRO token buybacks.

LayerZero Labs pledged 5,000 ETH to the DeFi United rescue plan and another 5,000 ETH to maintain Aave’s liquidity pools in response to the attack. Nevertheless, the incident sparked a wider discussion about security in cross-chain protocols, despite the expressed apology and the promise to improve the multisig threshold, which is set at 7/10 using OneSig.

LayerZero Labs maintains that the protocol remains an essential instrument for conducting safe and sizable transactions, but it will be necessary to wait until the next few weeks to see how developers and organizations move.

Your bank is using your money. You’re getting the scraps. Watch our free video on becoming your own bank