LayerZero Blames KelpDAO Security Configuration, Crypto Community Questions Its Shifting Responsibility

BroadChain | Time: 2026-04-21 18:16

BroadChain has learned, as of 18:16 on April 21 and according to NewsBTC, that the omnichain interoperability protocol LayerZero is facing fierce criticism for its response to the recent $290 million KelpDAO attack. The protocol attributed the incident to the 1-of-1 validator configuration adopted by KelpDAO, described the "highly sophisticated attack" carried out by the North Korean Lazarus Group as an attack on crypto infrastructure rather than a protocol vulnerability, and emphasized "zero contagion to other cross-chain assets or applications."

LayerZero explained that its protocol is built on a modular, application-configurable security foundation, using a Decentralized Validator Network (DVN) to verify the integrity of cross-chain messages. The attacker poisoned downstream RPCs by "compromising the majority of the RPC infrastructure relied upon by LayerZero Labs' DVN," forged messages, and triggered the DVN to confirm fraudulent transactions. On this basis, LayerZero placed the blame on KelpDAO for not adopting its recommended multi-DVN configuration.

The crypto community expressed strong dissatisfaction with this response, criticizing LayerZero for lacking accountability and calling its complete shift of responsibility onto the client's security settings "classic clown behavior." Critics also questioned why the protocol itself allows a "1-of-1" configuration option if DVNs are intended to provide customizable/modular security, arguing that this is a fundamental design flaw.

Analyst The Smart Ape further pointed out that LayerZero's diagnosis and solution are both incorrect: increasing the number of validators cannot prevent the next massive attack, since all DVNs read chain state from the same small group of RPC providers (mostly concentrated on AWS or GCP). If multiple "independent" DVNs read data from the same three RPC providers, an attacker could poison all three RPCs simultaneously to deceive all validators.
He suggested that the fundamental solution is for each validator to run its own full node on different client software, hosted on different cloud providers, maintained by different operational teams, and peer with different subsets of the Ethereum network, until the upstream topology of DVNs can be audited. Otherwise, "M-of-N security" is merely marketing jargon. On April 18, Lazarus did not crack cryptography; they simply breached three servers.
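The analyst's point about auditing the upstream topology can be made concrete with a small calculation. The following is an added example, not code from the article, LayerZero or KelpDAO: the DVN and RPC names are constructed, and the rule that a DVN is deceived once a strict majority of its sources is poisoned is an assumption drawn from the "majority of the RPC infrastructure" wording above.

```python
from itertools import combinations

# Constructed sample topologies (hypothetical names): DVN -> upstream sources it reads from.
SINGLE = {"dvn-a": {"rpc-1", "rpc-2", "rpc-3"}}             # 1-of-1
SHARED = {d: {"rpc-1", "rpc-2", "rpc-3"}                    # three DVNs, same providers
          for d in ("dvn-a", "dvn-b", "dvn-c")}
DIVERSE = {"dvn-a": {"own-node-a"},                         # each DVN runs its own node
           "dvn-b": {"own-node-b"},
           "dvn-c": {"own-node-c"}}


def deceived(sources, poisoned):
    """Assumed model: a DVN accepts forged state once a strict
    majority of its upstream sources returns poisoned data."""
    return 2 * len(sources & poisoned) > len(sources)


def min_upstream_failures(topology, m):
    """Return (k, sources, dvns): the fewest upstream sources whose
    failure deceives at least m DVNs. Exhaustive search, which is
    fine for audit-sized topologies."""
    providers = sorted(set().union(*topology.values()))
    for k in range(1, len(providers) + 1):
        for subset in combinations(providers, k):
            hit = sorted(d for d, s in topology.items()
                         if deceived(s, set(subset)))
            if len(hit) >= m:
                return k, subset, hit
    return None


if __name__ == "__main__":
    for name, topo, m in (("1-of-1 shared", SINGLE, 1),
                          ("3-of-3 shared", SHARED, 3),
                          ("3-of-3 diverse", DIVERSE, 3)):
        k, subset, hit = min_upstream_failures(topo, m)
        print(f"{name}: {k} upstream failure(s) {subset} deceive {hit}")
```

Under this model the nominal threshold rises from 1-of-1 to 3-of-3 while the number of upstream failures needed stays at two; only the topology with independent sources raises it to three.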