A major blame game has erupted between LayerZero and KelpDAO following the $290 million exploit of rsETH on April 18, 2026.
In a detailed post-mortem, LayerZero stated the attack was carried out by a sophisticated state actor (likely DPRK’s Lazarus Group / TraderTraitor) through RPC poisoning of their DVN infrastructure. However, they emphasized that the incident was isolated entirely to KelpDAO because Kelp used a 1-of-1 (single-DVN) configuration — directly against LayerZero’s repeated recommendations for multi-DVN redundancy.
KelpDAO and many community members pushed back hard, accusing LayerZero of shifting blame and failing operationally since their own DVN signed forged messages. Critics argue that allowing 1/1 setups on a protocol handling hundreds of millions was irresponsible.
Lesson for ONFA community: Cross-chain bridges remain high-risk. Always verify security configurations (multi-DVN, redundancy) and never rely on a single point of failure — even if it’s the official recommendation of the protocol itself. #DYOR and stay safe!
