Kelp DAO claims LayerZero’s 'default' settings are what actually caused the massive $290 million disaster
Kelp DAO attributes a $290 million exploit to LayerZero's default infrastructure settings rather than its own protocol failure. The liquid restaking platform claims the compromised verifier was LayerZero's own system running the platform's standard onboarding configuration, shifting responsibility for the security breach.
The $290 million exploit affecting Kelp DAO represents a critical failure in cross-chain infrastructure security, with implications extending far beyond a single protocol. Kelp DAO's assertion that LayerZero's default settings caused the compromise raises fundamental questions about how security responsibilities are distributed between infrastructure providers and applications built atop them. When protocols offer 'default' configurations that create exploitable vulnerabilities, the accountability becomes murky—developers may assume defaults are secure, while infrastructure providers may view customization as the user's responsibility.
This incident reflects broader tensions in the DeFi ecosystem between rapid deployment and security rigor. LayerZero's omnichain messaging protocol has become foundational infrastructure for multiple protocols, making its security posture a systemic concern. If default settings can facilitate $290 million thefts, it suggests either inadequate testing before release or insufficient guidance on hardening configurations. The pattern of blaming defaults rather than examining why a verifier was compromised in the first place points to potential architectural weaknesses in LayerZero's infrastructure.
For the ecosystem, this has a chilling effect on the adoption of cross-chain composability. Projects must now scrutinize not just their own code but every layer of underlying infrastructure, significantly increasing the security burden. Investors in liquid restaking protocols face renewed uncertainty about counterparty risks associated with bridge and messaging layer providers. The incident will likely accelerate interest in competing omnichain solutions and may prompt regulatory scrutiny into whether infrastructure providers bear responsibility for preventable exploits stemming from inadequate default configurations.
- Kelp DAO attributes the $290M exploit to LayerZero's default infrastructure settings rather than protocol-level failures
- The compromised verifier was LayerZero's own system running standard onboarding configurations
- Accountability confusion between infrastructure providers and applications increases systemic DeFi risk
- Default security settings in foundational infrastructure create cascading vulnerabilities across dependent protocols
- The incident may accelerate migration toward competing cross-chain solutions with stronger security models
