Kelp DAO vs LayerZero: default single-verifier blamed in $290M rsETH bridge exploit

Kelp DAO is disputing LayerZero’s post-mortem of Sunday’s $290 million rsETH bridge exploit, saying the failure stemmed from LayerZero’s own “default” single-verifier setup rather than a rare configuration Kelp chose against advice. Attackers drained 116,500 rsETH (about $290M) by poisoning LayerZero verifier servers used to validate cross-chain messages. According to Kelp’s planned memo, two compromised servers were LayerZero infrastructure, and the “1/1” (single-source) DVN design created the single point of failure. Kelp argues its core restaking contracts were not touched and that LayerZero-powered bridge access was the only affected layer. An emergency pause was triggered 46 minutes after the drain, blocking a second attempt that could have unlocked roughly another $200M in rsETH. LayerZero, however, previously blamed Kelp for ignoring warnings to use multi-verifier redundancy. Security researchers challenge this framing: Yearn’s developer @banteg said LayerZero’s public quickstart and deployment reference code promote single-verifier verification across major chains, and that queryable endpoints can reveal configured servers. Kelp also claims its setup mirrored LayerZero’s sample configs. LayerZero says it will stop signing messages for any application running a single-verifier setup, pushing a broad migration across the ecosystem. For traders, the Kelp DAO vs LayerZero dispute increases near-term regulatory/credibility and smart-contract risk sentiment around cross-chain bridges and may spur liquidity shifts tied to rsETH/LST narratives.