The popular Spider-Man meme showing three identical superheroes pointing fingers at each other is having its crypto moment today.
An L2 source familiar with the matter told CoinDesk that the Kelp DAO will push back against LayerZero’s post-mortem of the $290 million vulnerability on Sunday, which essentially blamed Kelp. Kelp plans to dispute the cross-chain messaging company’s claims that it ignored repeated warnings to abandon the single-validator setup. CoinDesk has reviewed and verified the company’s discussion.
Kelp is a liquid recollateralization protocol that accepts user deposited Ether, passes it through a yield generation system called EigenLayer, and issues receipt tokens rsETH in exchange.
LayerZero is a cross-chain messaging infrastructure for moving rsETH between blockchains, using an entity called a DVN (Decentralized Validator Network) to verify that cross-chain transfers are valid.
On Saturday, attackers stole 116,500 rsETH, worth approximately $290 million, from Kelp’s LayerZero bridge by poisoning the servers LayerZero validators check the exchange relies on.
Kelp plans to say that the DVN compromised as a result of what it calls a “sophisticated state-sponsored attack” was LayerZero’s own infrastructure and not a third-party validator, sources said.
The attackers compromised two of LayerZero’s own servers, which are used to check whether cross-chain transactions are legitimate, and then flooded the backup servers with junk traffic, forcing LayerZero’s validators to attack the infected servers.
All this infrastructure is built and run by LayerZero, not Kelp claim.
Sources questioned LayerZero’s framing of a “1/1 configuration” as a fringe choice that goes against guidance. LayerZero’s postmortem revealed that despite expressing recommendations for configuring multiple DVN redundancy, KelpDAO opted for a 1-of-1 DVN setup.
“1/1 configuration” means that only one validator must sign on a cross-chain message before the bridge can act on it, eliminating the need for the system to perform a second check to catch compromised or forged instructions. Multiple validator configurations (e.g. 2/3, 3/5, etc.) ensure that there is no single point of failure that can approve fake messages on its own.
They added that through direct communication channels with LayerZero that have been open since July 2024, they did not provide Kelp with specific recommendations to change the rsETH DVN configuration.
Sources told CoinDesk that LayerZero’s own quick start guide and default GitHub configuration point to the 1/1 DVN setup, adding that 40% of protocols on LayerZero currently use the same configuration.
The configuration Kelp runs is also present in LayerZero’s own V2 OApp quickstart, where the sample layerzero.config.ts uses a required DVN to connect each path, and no optional DVN. This is the same 1/1 structure.
They added that Kelp’s core restaking contract was not affected and the vulnerability was isolated to the bridging layer. Its emergency pause came after 46 minutes of exhaustion, blocking two subsequent attempts that would have released approximately $200 million in additional rsETH.
CoinDesk reached out to LayerZero for comment but had not received a response as of press time.
“Purchase of responsibility”
Security researchers also don’t trust LayerZero’s siled framework, which puts the blame on Kelp.
Kelp is a fluid reinfusion protocol. Its core capabilities are staking infrastructure, EigenLayer integration, and liquid staking token management. When integrating with LayerZero, Kelp relied on LayerZero’s documentation, default settings, and the team’s guidance to make configuration decisions, sources said.
Yearn Finance core team developer Artem K (widely known as @banteg on
The deployment also exposed a public endpoint that leaked the configured server list to anyone querying it.
Banteg noted in his analysis that he couldn’t prove which configuration Kelp used, but noted that LayerZero typically requires new operators to use its default settings, something its postmortem criticized.
Chainlink community manager Zach Rynes has been outspoken in blaming X, claiming that LayerZero is “shifting the blame” because its infrastructure is compromised, and accusing the company of throwing Kelp under the bus because it trusts the setup that LayerZero itself supports.
As a result, LayerZero said it will no longer sign messages for any application running a single authenticator setup, forcing a protocol-wide migration.
In a statement Monday afternoon from The team added that it has been running on LayerZero infrastructure since January 2024 and has been in close communication with the LayerZero team, including during L2 expansion, and it said the default configuration has been clearly confirmed as appropriate. “Creating a shared and accurate record of what happened is fundamental to working together to make the right fix,” the team wrote in the post.
Co-founder Bryan Pellegrino said in a post on X (formerly Twitter) that the team behind LayerZero is working to “harden the security of the application across all possible vectors.” He said the initial investigation has been “largely resolved” and the team will issue additional updates soon.
Read more: ‘DeFi is dead’: Biggest hack of year exposes contagion risks, sending crypto community into chaos
Update (April 20, 2026 21:27 UTC): Add Kelp DAO statement.
Update (April 20, 2026 21:45 UTC): Add LayerZero statement.
