LayerZero Labs Report Says KelpDAO Bridge Was Downgraded Before $292M Exploit

A forensic report published Monday by LayerZero Labs, in collaboration with Mandiant, CrowdStrike, and zeroShadow, claims the KelpDAO bridge was quietly downgraded from a 2-of-2 to a 1-of-1 multi-signature configuration shortly before hackers walked away with $292 million in digital assets on April 18.

What the forensic report found

The report details how KelpDAO's Decentralized Verifier Network (DVN) setup – a system meant to require two independent signatures for transactions – was reduced to just one signer. That single point of failure, investigators say, is what made the massive theft possible. The change happened ahead of the exploit, but the report doesn't specify exactly when or who authorized it.

The investigation was jointly conducted by LayerZero Labs, the blockchain interoperability firm behind the bridge protocol, along with cybersecurity firms Mandiant and CrowdStrike, and blockchain analytics shop zeroShadow. The report is billed as the first comprehensive look at how the bridge's security model was compromised.

A single signer instead of two

KelpDAO's bridge originally operated with a 2-of-2 DVN configuration, meaning any transaction needed approval from two independent verifiers. The forensic analysis shows that configuration was altered to 1-of-1, effectively removing the second check. That left the entire system reliant on a single private key.

The report does not name any individuals or entities responsible for the downgrade. It also doesn't say whether the private key was stolen, leaked, or abused internally. What it does say is that the change was made before the exploit and that the attackers leveraged the weakened setup to drain funds.
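A downgrade like the 2-of-2 to 1-of-1 change described above is the kind of configuration drift a monitoring job can flag before it is abused. The sketch below is an added example, not code from the report, LayerZero, or KelpDAO; the `VerifierConfig` schema, the verifier names, and the snapshot dates are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifierConfig:
    """Hypothetical snapshot of a bridge's verifier settings (not LayerZero's schema)."""
    observed_at: str       # ISO-8601 timestamp of the snapshot
    verifiers: frozenset   # identifiers of the configured verifiers
    threshold: int         # approvals required per message

    @property
    def effective_threshold(self) -> int:
        # A threshold can never demand more approvals than there are verifiers.
        return min(self.threshold, len(self.verifiers))


def find_downgrades(snapshots, min_threshold=2):
    """Compare consecutive snapshots and report any weakening of the M-of-N policy."""
    findings = []
    ordered = sorted(snapshots, key=lambda s: s.observed_at)
    for prev, cur in zip(ordered, ordered[1:]):
        reasons = []
        if cur.effective_threshold < prev.effective_threshold:
            reasons.append(
                f"threshold {prev.effective_threshold} -> {cur.effective_threshold}")
        removed = prev.verifiers - cur.verifiers
        if removed:
            reasons.append("verifiers removed: " + ", ".join(sorted(removed)))
        if cur.effective_threshold < min_threshold:
            reasons.append(
                f"below policy floor of {min_threshold} independent approvals")
        if reasons:
            findings.append((cur.observed_at, reasons))
    return findings


# Constructed sample data: a 2-of-2 setup that is later reduced to 1-of-1.
SAMPLE = [
    VerifierConfig("2000-01-01T00:00:00Z", frozenset({"verifier-a", "verifier-b"}), 2),
    VerifierConfig("2000-01-02T00:00:00Z", frozenset({"verifier-a", "verifier-b"}), 2),
    VerifierConfig("2000-01-03T00:00:00Z", frozenset({"verifier-a"}), 1),
]

if __name__ == "__main__":
    for when, reasons in find_downgrades(SAMPLE):
        print(when, "; ".join(reasons))
```

The check uses the effective threshold, so a configuration that still says "2 required" but lists only one verifier is reported as a downgrade as well.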

Who was involved in the investigation

LayerZero Labs, which provides the bridge infrastructure that KelpDAO used, brought in Mandiant and CrowdStrike – firms more often associated with state hacking and corporate breaches – to dig into the incident. Blockchain forensics firm zeroShadow tracked the stolen funds on-chain.

The collaboration between traditional cyber incident responders and blockchain specialists is still relatively rare in the crypto world. The report suggests that this combined approach was key to tracing the configuration change back to its source, though the exact timeline remains under review.

What happens next

The report is now public, but the investigation is not closed. LayerZero Labs said it continues to work with law enforcement and security partners. $292 million in assets remain unaccounted for, and no arrests have been announced. The crypto security community will likely pore over the report's technical details in the coming weeks, looking for lessons on how to prevent similar downgrade attacks on other bridges.