On Sunday, LayerZero Labs published a detailed forensic report on the April 18 KelpDAO bridge exploit. The report, produced with cybersecurity firms Mandiant, CrowdStrike, and zeroShadow, contains a previously unreported claim about how KelpDAO's bridge was configured before the attack.

According to LayerZero, the bridge for rsETH (KelpDAO's liquid restaking token, a derivative representing staked and restaked ETH) had at some prior point been configured with a 2-of-2 stack of Decentralized Verifier Networks, or DVNs — the parties responsible for confirming whether a cross-chain message is legitimate. LayerZero says the configuration was then changed by Kelp to a 1-of-1 setup, leaving LayerZero Labs as the sole required verifier.

"A previous 2-of-2 configuration had been modified by the application owner to a 1-of-1 configuration which used only the LayerZero Labs DVN," the report states.

LayerZero does not specify when the change occurred, who made it, or why.

Kelp has not directly addressed the 2-of-2 claim in any public statement reviewed for this story.