Kelp is pointing fingers at LayerZero over a $292 million bridge exploit linked to North Korean hackers, saying the interoperability protocol signed off on the configuration that made the attack possible. The decentralized finance project disclosed the allegation days after moving its rsETH token from LayerZero's 'OFT' standard to Chainlink's 'CCIP' in the wake of the theft.
What Kelp says LayerZero approved
The company claims the compromised bridge setup — a custom adapter that allowed rsETH to move between chains — was reviewed and greenlit by LayerZero's team. According to the statement, Kelp used LayerZero's OFT (Omnichain Fungible Token) framework as instructed, but the specific adapter logic contained a vulnerability that attackers later exploited. Kelp argues that LayerZero's approval process should have caught the flaw before it went live.
LayerZero has not publicly responded to the allegation. The hack, which drained $292 million in crypto assets, was attributed by blockchain security firms to North Korean state-linked hackers. The attackers drained liquidity pools tied to the rsETH bridge in what investigators described as a sophisticated multi-chain heist.
Why the migration matters
Following the theft, Kelp migrated rsETH from LayerZero's OFT standard to Chainlink's Cross-Chain Interoperability Protocol (CCIP). The move effectively cuts ties with the protocol Kelp now blames for the vulnerability. For users, the shift means rsETH holders will rely on Chainlink's infrastructure for cross-chain transfers going forward. Chainlink's CCIP uses a different security model, including a decentralized oracle network and a risk management network that can pause transfers during suspicious activity.
The migration itself did not reverse the stolen funds. Kelp has said it is working with law enforcement and security firms to track the assets, but the North Korean connection has complicated recovery efforts. The U.S. government has previously sanctioned wallets linked to the Lazarus Group, the hacking unit often tied to such attacks.
Unanswered questions about liability
Kelp's claim raises a broader question for the DeFi industry: who bears responsibility when a third-party protocol approves a setup that later gets hacked? LayerZero's OFT standard is widely used — it lets tokens operate seamlessly across multiple blockchains. Projects that adopt it typically rely on LayerZero's security audits and approval process. If a flaw slips through, the project may argue it followed the rules, while the protocol might say the project customized the setup beyond what was certified.
No legal precedent exists for such a dispute in the decentralized finance space. Kelp has not said whether it will seek legal action. The company's next step appears to be continuing the migration and trying to recover what it can. For now, the $292 million hole remains open, and the hackers — presumed to be in North Korea — have not moved the stolen funds.
