LayerZero issued a public apology Thursday for how it handled the April 18 exploit that drained about $292 million from Kelp DAO's rsETH bridge. The cross-chain messaging protocol admitted it should never have let its own validator operate as the sole verifier for high-value transactions.
Why the exploit happened
The attack targeted the rsETH bridge, a system that moves tokens between blockchains. LayerZero's validator was the only entity checking the validity of transactions. That single point of failure let the attacker siphon off nearly $300 million before anyone could stop it.
LayerZero's admission
In a blog post, the company conceded the mistake bluntly. “We should not have allowed our own validator to be the sole verifier on such a high-value bridge,” the team wrote. The apology came weeks after the incident, suggesting internal review took time. LayerZero did not name the specific validator or explain why the setup existed.
Kelp DAO has not publicly commented on the apology. The stolen funds remain unrecovered. LayerZero's post offered no timeline for changes to its verification system, leaving users to question whether similar setups still exist on other bridges it powers.
The company's apology did not detail what concrete steps it would take to prevent a repeat. For now, the $292 million hole in rsETH's liquidity is a stark reminder of what happens when trust replaces redundancy in blockchain infrastructure.
