LayerZero's Incident Report Says Kelp Downgraded From 2-of-2 to 1-of-1 DVN Before $292M Exploit

The Defiant, May 20, 2026

Why It Matters

The incident exposes a structural trust‑layer weakness in cross‑chain bridges, prompting a shift toward more diversified validator sets and reinforcing the need for robust security governance in DeFi infrastructure.

Key Takeaways

  • LayerZero's DVN changed from 2‑of‑2 to 1‑of‑1 before exploit
  • North Korean group TraderTraitor compromised developer, harvested session keys
  • Attack released 116,500 rsETH, valued at roughly $292M
  • Kelp migrated rsETH bridge to Chainlink CCIP with 16-node consensus
  • LayerZero now requires at least 3‑of‑3 DVN for high‑value transactions

Pulse Analysis

Cross‑chain bridges are the backbone of today’s multi‑chain DeFi ecosystem, but they also create a single point of failure when validator diversity is reduced. LayerZero’s post‑mortem shows that KelpDAO’s decision—or LayerZero’s default—to downgrade its Decentralized Verifier Network from a 2‑of‑2 to a 1‑of‑1 configuration left the bridge vulnerable to a sophisticated supply‑chain attack. By compromising a developer’s macOS machine and injecting malicious code into the DVN’s op‑geth client, the North Korean‑linked TraderTraitor group harvested session keys and forged attestations for six weeks, ultimately draining 116,500 rsETH—approximately $292 million—without triggering any on‑chain alarms.

The breach underscores a broader "trust‑layer failure" that traditional contract audits cannot detect. Chainalysis highlighted a broken accounting invariant: the minted rsETH on Ethereum had no corresponding burn on the source chain, inflating supply unchecked. Such structural flaws amplify the impact of nation‑state actors who can exploit both software supply chains and cloud infrastructure. For DeFi protocols, the lesson is clear: validator sets must be diversified, and security monitoring must extend beyond transaction‑level analytics to include infrastructure integrity and developer hygiene.
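The accounting invariant described above (every rsETH mint on the destination must be backed by a burn on the source chain) can be checked by reconciling the two event streams. The following is an added example, not code from LayerZero, Kelp or Chainalysis; the event fields `guid` and `amount` and all sample events are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample events (not from the incident). "guid" is a hypothetical
# cross-chain message id shared by a source-side burn and the mint it backs.
SOURCE_BURNS = [
    {"guid": "msg-001", "amount": Decimal("120.0")},
    {"guid": "msg-002", "amount": Decimal("35.5")},
]
DEST_MINTS = [
    {"guid": "msg-001", "amount": Decimal("120.0")},   # fully backed
    {"guid": "msg-002", "amount": Decimal("40.0")},    # mints more than was burned
    {"guid": "msg-003", "amount": Decimal("5000.0")},  # no burn exists on source
    {"guid": "msg-001", "amount": Decimal("120.0")},   # same message minted twice
]

def reconcile(burns, mints):
    """Return (findings, unbacked_total) for mints that break mint == burn."""
    burned = {}
    for b in burns:
        burned[b["guid"]] = burned.get(b["guid"], Decimal(0)) + b["amount"]

    minted = defaultdict(Decimal)  # running mint total per message id
    findings = []
    for m in mints:
        guid, amount = m["guid"], m["amount"]
        backing = burned.get(guid)
        if backing is None:
            # An attestation was accepted for a message the source never emitted.
            findings.append((guid, "mint_without_burn", amount))
        else:
            remaining = backing - minted[guid]
            if amount > remaining:
                kind = "replayed_message" if minted[guid] > 0 else "amount_exceeds_burn"
                findings.append((guid, kind, amount - max(remaining, Decimal(0))))
        minted[guid] += amount

    unbacked_total = sum((f[2] for f in findings), Decimal(0))
    return findings, unbacked_total

if __name__ == "__main__":
    findings, total = reconcile(SOURCE_BURNS, DEST_MINTS)
    for guid, kind, excess in findings:
        print(f"ALERT {kind}: guid={guid} unbacked={excess}")
    print(f"total unbacked supply: {total}")
```

Because the check reads source-chain state independently of the verifier's attestation, it does not depend on the component that was compromised.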

In the wake of the exploit, Kelp announced a migration to Chainlink’s Cross‑Chain Interoperability Protocol, which mandates consensus from at least 16 independent node operators, dramatically increasing resilience. LayerZero, meanwhile, has pledged a minimum 3‑of‑3 DVN quorum for high‑value transfers and is rebuilding its cloud environment. These moves signal an industry‑wide pivot toward more robust, multi‑validator architectures and heightened scrutiny of bridge configurations, setting new security baselines for future cross‑chain deployments.
