LayerZero acknowledged on Friday, U.S. time, that it had “made a mistake” by allowing its verification infrastructure to secure high-value cryptocurrency assets in a precarious setup. This admission marks a significant change in their narrative after weeks of attributing blame to developer Kelp DAO for the $292 million hack linked to North Korean cybercriminals.
This acknowledgment signifies a departure from the ongoing public dispute between LayerZero and Kelp regarding accountability for the April breach, which LayerZero initially characterized as an application-level configuration error on Kelp’s part.
“First things first: we owe an overdue apology,” LayerZero stated in a blog post released on Friday.
Initially, LayerZero held Kelp responsible, claiming that the protocol opted for a risky “1-of-1” configuration where only one decentralized verifier network (DVN) was required to authorize cross-chain transfers—creating a single point of failure. A DVN is crucial infrastructure that verifies whether transactions transferring assets across blockchains are legitimate.
“We made an error by permitting our DVN to function as a 1/1 DVN for high-value transactions,” the company admitted. “We failed to monitor what our DVN was securing, which introduced risks we did not foresee. We take full responsibility.”
In response, LayerZero Labs announced that its DVNs will no longer support 1/1 configurations. Furthermore, “all defaults across all pathways are being transitioned to 5/5 wherever feasible and no less than 3/3 on any chain with only three available DVNs,” according to their blog post.
Cross-chain bridges serve as digital transfer mechanisms between distinct blockchain networks but have long been recognized as some of crypto’s most vulnerable infrastructures.
LayerZero emphasized that its core protocol remained uncompromised and reiterated that developers bear ultimate responsibility for establishing their own security protocols.
<p“The underlying LayerZero protocol was unaffected,” they clarified while attributing the exploit to an attack targeting internal RPC infrastructure utilized by the LayerZero Labs' DVN during simultaneous distributed denial-of-service attacks against external RPC providers.
Additonally, three and half years ago one of its signers used their multisig hardware wallet for personal trading instead of utilizing their individual hardware wallet. The company is taking measures against such actions stating clearly “This is obviously not acceptable.”
“This signer has been removed from multisig responsibilities; wallets have been rotated; we’ve since enhanced our security practices concerning signing devices with localized anomaly detection software installed on each device along with developing OneSig—a custom-built multisig solution.”
The fallout has prompted competitors like Chainlink to capitalize on this situation by attracting business from protocols reassessing their security providers.
Kelp has already transitioned its rsETH bridge over to Chainlink’s competing Cross-Chain Interoperability Protocol while Solv Protocol announced this week it would be migrating more than $700 million worth of tokenized bitcoin infrastructure away from LayerZero following recent security evaluations.
FAQ
- What mistake did LayerZero admit?
Layer Zero admitted they allowed their verification system (DVN) configuration meant for high-value transactions which created vulnerabilities leading up to hacks. - How much money was lost in the hack?
The hack resulted in losses amounting up $292 million. - If there were issues with security practices at Layer Zero?
Yes, they acknowledged shortcomings related specifically towards monitoring what assets were secured under certain configurations. - Please explain what changes are being implemented?
They will discontinue supporting risky configurations like 1/1 setups moving forward while transitioning defaults towards safer models such as 5/5 or at least maintaining minimal thresholds based upon available resources. - DID other companies respond positively toward these developments?
Yes! Competitors including Chainlink took advantage of this situation prompting others like Solv Protocol also reevaluating partnerships shifting away from using services provided by them altogether due concerns raised about safety standards involved within those systems respectively!