Kelp Accuses LayerZero in $292M Bridge Exploit
Kelp has formally claimed that LayerZero approved the omnichain token setup that led to the $292 million exploit it suffered earlier this year. The accusation shifts the narrative from a protocol vulnerability to a question of governance and security review at the cross-chain messaging layer itself. According to a Coindesk report, Kelp’s internal investigation concluded that the OFT (Omnichain Fungible Token) configuration blamed for the hack had been explicitly greenlit by LayerZero before deployment.
The $292 million loss, linked to North Korean state-affiliated hackers by multiple blockchain intelligence firms, was one of the largest bridge exploits in recent memory. Kelp’s rsETH token was central to the attack, and the fallout triggered a liquidity scramble across several restaking protocols. The accusation now places LayerZero in an uncomfortable spot — not as a neutral infrastructure provider, but as an active participant in the security architecture that failed. KelpDAO’s earlier $280M stress test had already highlighted the fragility of such cross-chain dependencies, and this new claim pushes the conversation beyond code into accountability.
Migration to Chainlink CCIP Marks a Security Pivot
Rather than continuing to patch the broken relationship, Kelp has moved its rsETH off LayerZero’s OFT standard entirely. The protocol announced it will use Chainlink’s Cross-Chain Interoperability Protocol (CCIP) as the new standard for its wrapped assets. The migration is not just symbolic — it represents a vote of no confidence in LayerZero’s security model and a bet that Chainlink’s decentralized oracle networks and risk management network can handle the demands of large-value cross-chain transfers.
Chainlink has been quietly accumulating institutional and protocol-level trust over the past year, especially after it became the exclusive bridge for Coinbase’s wrapped assets worth billions. The CCIP architecture separates message verification from token transfer risk, which appeals to protocols that have just survived a nine-figure exploit. Kelp’s shift reinforces a broader industry trend: after every major bridge failure, capital and builders migrate toward infrastructure that offers clearer separation of trust assumptions. Flow Network’s own exploit last year showed how fragile these systems can be when even a single execution layer fails.
Cross-Chain Risk Exposed Once Again
Bridge-related exploits have stolen billions in crypto over the last four years, yet the industry continues to build complex omnichain products without a unified security framework. Kelp’s situation is different because it challenges the assumption that the bridge provider’s approval means the configuration is safe. If LayerZero did approve a flawed setup, the damage spreads beyond one protocol — it weakens the credibility of every project using that standard.
The attack also exposed how restaking protocols multiply risk. Kelp’s rsETH was not a standalone asset; it was woven into EigenLayer’s restaking ecosystem, meaning that a run on one derivative could trigger liquidations and contagion across other DeFi positions. That mechanics remains a ticking clock in the background, even as protocols swap out infrastructure layers. The real test of the migration to CCIP will be whether it can handle not just the volume, but the complex interactions that keep emerging in restaking and liquid staking derivatives.
North Korean State-Linked Actors Deepen Concern
Blockchain analysts traced the $292 million exploit to wallets associated with North Korean hacking groups, adding a geopolitical layer to what is already a technical disaster. This follows a pattern of state-sponsored actors using DeFi bridges as primary money-laundering conduits. The involvement of a nation-state makes it harder for protocols to rely solely on bug bounties and post-mortem patches. The threat model changes when the adversary operates with near-unlimited patience and resources.
North Korean hackers may have already infiltrated up to 20% of crypto companies, according to a study by the Security Alliance, a figure that puts Kelp’s hack into a chilling context. Infrastructure approval processes that don’t account for advanced persistent threats are no longer adequate. Kelp’s accusation suggests that even when a protocol follows the standard procedure with a trusted partner, the result can still be catastrophic if the review process is not designed to catch state-level manipulation.
Market and Protocol Implications
For the broader crypto market, the Kelp-LayerZero dispute raises uncomfortable questions about legal liability in decentralized infrastructure. If a protocol follows a vendor’s recommended configuration and still loses hundreds of millions, where does responsibility lie? Without clear precedent, projects will increasingly demand stronger contractual assurances from bridge providers — something that may collide with the ethos of permissionless systems.
The migration to CCIP also creates a competitive landscape where security track records become the main differentiator. Chainlink is already benefiting from this shift, and the Kelp decision will likely accelerate other projects’ evaluations. Still, no single bridge standard has been tested at the scale of trillions in notional value across all assets. The danger is that consolidation into one or two bridge layers creates a systemic point of failure that regulators will eventually notice. Kelp’s move is rational in the short term, but the industry still lacks a permanent answer to cross-chain risk.
BTCUSA Insight
Kelp turning on LayerZero is not just a post-exploit blame game — it signals that protocol developers are losing faith in the security review processes of some of crypto’s most prominent infrastructure layers. The decision to migrate to Chainlink CCIP is a market judgment that trust in a bridge isn’t just about technology, but about who stands behind it when a configuration goes wrong. Until the industry develops a verifiable, on-chain audit trail for token standard approvals, every new omnichain product will carry a hidden liability. And with state-linked hackers now regular participants in DeFi heists, the cost of getting that approval wrong is measured in hundreds of millions.
