Crypto Community Slams LayerZero: More Verifiers Won’t Stop The Next $290M Hack
LayerZero faces backlash over its response to the $290 million KelpDAO exploit, with the crypto community criticizing the protocol for shifting blame to KelpDAO's single-verifier configuration rather than addressing fundamental vulnerabilities in its own DVN infrastructure and RPC dependency.
The KelpDAO hack exposes a critical vulnerability in LayerZero's cross-chain security model that extends beyond configuration choices. While LayerZero attributed the attack to North Korea's Lazarus Group compromising RPC infrastructure, the community's pushback reveals a systemic design flaw: the protocol allowed customers to select dangerously insecure setups without adequate safeguards or defaults. This mirrors classic infrastructure failures where manufacturers blame users for purchasing unsafe configurations rather than engineering security into the baseline product.
The deeper problem LayerZero hasn't addressed is the centralized dependency on a small number of RPC providers. Multiple analysts note that even multi-DVN setups collapse into single-point-of-failure scenarios when all verifiers read from the same three to five RPC endpoints, typically clustered on AWS or GCP. When an attacker poisons these upstream nodes, five nominally independent verifiers become, mathematically, five identical failures. This architectural vulnerability affects the entire cross-chain interoperability landscape, not just KelpDAO.
LayerZero's proposed solution—migrating applications to multi-DVN configurations—treats a symptom rather than the disease. The community correctly identifies that the protocol needs verifiers running independent full nodes across different client software, cloud providers, and network topologies. Without this decentralization at the infrastructure layer, the 'M-of-N security' model remains marketing rather than engineering. The $290 million loss suggests the crypto industry underestimated how quickly centralized RPC infrastructure could undermine supposedly decentralized protocols. Projects must audit their upstream dependencies before adopting cross-chain bridges.
- LayerZero blamed KelpDAO's 1-of-1 verifier choice for the $290M hack, but critics argue the protocol enabled this insecure configuration in the first place.
- Multiple DVN verifiers provide false security if they all depend on the same compromised RPC infrastructure, collapsing multi-verifier setups into a single point of failure.
- The attack required poisoning RPC nodes and using DDoS to force failover, exposing that LayerZero's security relies on third-party infrastructure outside its control.
- The recommended fix requires verifiers to run independent full nodes on different clients, clouds, and networks, a fundamental redesign LayerZero hasn't proposed.
- This incident is the largest DeFi hack of 2026 and signals systemic risks in cross-chain bridges that migrating to multi-DVN configurations won't solve.
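
The collapse of an M-of-N verifier set into a single point of failure can be checked against an inventory of each verifier's upstream dependencies. The following is an added example, not code from LayerZero or from the article: the verifier names, endpoints, clouds and clients are constructed, and it assumes a verifier is tainted as soon as any one of its upstreams returns bad data.

```python
from itertools import combinations

# Constructed inventory (not real DVN data): each verifier lists the upstream
# RPC endpoints it reads chain state from, plus its cloud and node client.
VERIFIERS = {
    "dvn-a": {"rpc": {"rpc-1", "rpc-2"}, "cloud": {"aws"}, "client": {"geth"}},
    "dvn-b": {"rpc": {"rpc-1", "rpc-3"}, "cloud": {"aws"}, "client": {"geth"}},
    "dvn-c": {"rpc": {"rpc-2", "rpc-3"}, "cloud": {"gcp"}, "client": {"geth"}},
    "dvn-d": {"rpc": {"rpc-1"}, "cloud": {"aws"}, "client": {"geth"}},
    "dvn-e": {"rpc": {"own-node-e"}, "cloud": {"bare-metal"},
              "client": {"nethermind"}},
}


def min_shared_failures(verifiers, dimension, threshold):
    """Smallest set of upstreams in `dimension` touching >= threshold verifiers.

    Conservative assumption (ours): a verifier that fails over without
    cross-checking is tainted once any one of its upstreams returns bad data.
    Returns (size, upstreams), or (None, ()) if the threshold is unreachable.
    """
    upstreams = sorted(set().union(*(v[dimension] for v in verifiers.values())))
    for size in range(1, len(upstreams) + 1):
        for combo in combinations(upstreams, size):
            hit = [n for n, v in verifiers.items() if v[dimension] & set(combo)]
            if len(hit) >= threshold:
                return size, combo
    return None, ()


def audit(verifiers, threshold):
    """Effective independence per dimension for an M-of-N verifier set."""
    return {dim: min_shared_failures(verifiers, dim, threshold)
            for dim in ("rpc", "cloud", "client")}


if __name__ == "__main__":
    # A nominal 3-of-5 set: report how many upstreams the quorum really rests on.
    for dim, (size, combo) in audit(VERIFIERS, threshold=3).items():
        print(f"3-of-5 rests on {size} {dim} upstream(s): {', '.join(combo)}")
```

A result of 1 in any dimension means the nominal 3-of-5 quorum rests on a single shared upstream there; a set whose verifiers each run their own node reports 3.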
