LayerZero says it ‘made a mistake’ in $292 million Kelp exploit

LayerZero said late Friday US time that it “made a mistake” by allowing its own verification infrastructure to secure high-value crypto assets in a vulnerable setup, marking a notable change in tone after weeks of blaming developer Kelp DAO for a $292 million hack linked to North Korean attackers.

The admission marks a notable shift after weeks of public finger-pointing between LayerZero and Kelp over responsibility for the April hack, which LayerZero initially presented as an application-level configuration failure by Kelp.

“First of all: a long overdue apology,” LayerZero wrote in a blog post Friday.

LayerZero initially blamed Kelp, arguing that the protocol chose a risky “1 on 1” setup in which a single decentralized verification network, or DVN, had to approve cross-chain transfers, creating a single point of failure. A DVN is part of the infrastructure that verifies whether a transaction transferring assets between blockchains is legitimate.

“We made a mistake in allowing our DVN to act as a 1/1 DVN for high-value transactions,” the company said. “We didn’t control what our DVN was securing, which created a risk that we simply didn’t see. We own it.”

In response, LayerZero Labs has stated that its DVN will no longer support 1/1 DVN configurations. Additionally, “all default settings on all channels are migrated to 5/5 where possible and no less than 3/3 on any channel where only 3 DVNs are available,” the blog states.
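To make the difference between a 1/1 and a 5/5 channel concrete, here is a small added model of an M-of-N DVN quorum. It is not LayerZero's code and not Kelp's configuration; it assumes a simplified reading of "X/Y" as "X of Y configured verifiers must attest", and it models a DVN whose RPC infrastructure has been compromised as one whose view of the source chain has been replaced by the attacker's. All chain names, message hashes and DVN names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """A cross-chain message as presented for delivery on the destination chain."""
    src_chain: str
    nonce: int
    payload_hash: str


class DVN:
    """A verifier that checks a message against its own view of the source chain.

    `source_view` maps (src_chain, nonce) -> payload_hash and stands in for what the
    DVN reads from its RPC endpoints. A DVN whose RPC infrastructure is compromised
    is modelled by handing it a view the attacker controls (hypothetical model,
    not LayerZero's implementation).
    """

    def __init__(self, name: str, source_view: dict):
        self.name = name
        self.source_view = source_view

    def verify(self, msg: Message) -> bool:
        # Attest only if the message really exists on the source chain as the DVN sees it.
        return self.source_view.get((msg.src_chain, msg.nonce)) == msg.payload_hash


def deliverable(msg: Message, dvns: list, threshold: int) -> bool:
    """Return True if at least `threshold` of the configured DVNs attest to `msg`.

    "5/5" is threshold=5 over 5 DVNs: every verifier must agree.
    "1/1" is threshold=1 over 1 DVN: that single verifier is the entire security.
    """
    if threshold < 1 or threshold > len(dvns):
        raise ValueError("threshold must be between 1 and the number of configured DVNs")
    approvals = sum(1 for d in dvns if d.verify(msg))
    return approvals >= threshold


# Constructed sample state. The genuine source chain holds one real bridge message;
# the attacker's forged view adds a second message that never happened on-chain.
GENUINE_SOURCE = {("ethereum", 1): "h_bridge_100_rseth"}
FORGED_SOURCE = {**GENUINE_SOURCE, ("ethereum", 2): "h_bridge_attacker_drain"}

LEGIT = Message("ethereum", 1, "h_bridge_100_rseth")
FORGED = Message("ethereum", 2, "h_bridge_attacker_drain")


def simulate() -> dict:
    """Run the same legitimate and forged messages through several channel configs."""
    compromised = DVN("dvn-A (compromised RPC view)", FORGED_SOURCE)
    honest = [DVN(f"dvn-{c}", GENUINE_SOURCE) for c in "BCDE"]

    return {
        "1/1 legit": deliverable(LEGIT, [compromised], 1),
        "1/1 forged": deliverable(FORGED, [compromised], 1),
        "5/5 legit": deliverable(LEGIT, [compromised, *honest], 5),
        "5/5 forged": deliverable(FORGED, [compromised, *honest], 5),
        # A 3-of-5 threshold also blocks the forgery while only one DVN is compromised.
        "3/5 forged": deliverable(FORGED, [compromised, *honest], 3),
    }


if __name__ == "__main__":
    for config, ok in simulate().items():
        print(f"{config:12} -> {'DELIVERED' if ok else 'BLOCKED'}")
```

The point the model makes is the one in the post: on a 1/1 channel the compromised verifier's word is final, so the forged message is delivered, whereas on a 5/5 (or 3/3) channel any honest DVN that cannot find the message on the source chain is enough to block it, and the legitimate message still goes through because every DVN sees it.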

Cross-chain bridges act as digital transfer rails between otherwise separate blockchain networks, but have long been among the most vulnerable pieces of infrastructure in crypto.

LayerZero maintained that its underlying protocol was not compromised and reiterated that developers are ultimately responsible for configuring their own security assumptions.

“The LayerZero protocol is not affected,” the company said, attributing the exploit to an attack on internal RPC infrastructure used by LayerZero Labs’ DVN, while external RPC providers were simultaneously hit by distributed denial of service attacks.

Additionally, LayerZero said that three and a half years ago, one of its multisig signers used their multisig hardware wallet to make a personal transaction, intending to use their own personal hardware wallet. He is taking action against such lapses and said: “This is obviously not acceptable.”

“This signer was removed from multisig, wallets were rotated, and we have since updated our signing device security practices, added localized anomaly detection software on each device, and created a custom multisig called OneSig.”

Competitors, including Chainlink, are using the fallout to gain business through protocols that are redesigning their security providers.

Kelp has already moved its rsETH bridge to Chainlink’s competing cross-chain interoperability protocol, while Solv Protocol announced this week that it is migrating more than $700 million of tokenized Bitcoin infrastructure away from LayerZero following a new security review.
