The company LayerZero Labs published an open letter admitting to communication and internal system failures after the KelpDAO hack.
LayerZero emphasized that the protocol’s infrastructure itself was not affected. However, the attack impacted the company’s internal systems, forcing the company to admit there were issues with incident response and user communication.
The apology letter was published by LayerZero Labs on May 8, 2026.
LayerZero Admits Multisig Issues After Lazarus Attack
Around April 19, 2026, the hacker group Lazarus Group attacked the internal RPC nodes of LayerZero Labs, which were used in the DVN network. The hackers disrupted the operation of internal RPC services and simultaneously launched a DDoS attack on the company’s external RPC provider.
LayerZero stated that the protocol itself was not harmed during the attack.
As previously reported, the hack affected only one application. That is about 0.14% of all applications in the LayerZero ecosystem and about 0.36% of the total assets passing through the platform’s bridges. Due to the attack, KelpDAO lost about $300 million in the rsETH exploit.
In the apology letter, LayerZero also addressed another incident that happened about three and a half years ago. At that time, one participant used the company’s multisig wallet for personal trading of the meme coins McPepes on Uniswap.
After this, the company replaced one of the signers, changed wallets, and added new security measures to prevent this from happening again.
See also: Solana Strengthens Quantum Threat Protection, Ethereum L2 Faces Criticism
The problem is that this contradicted earlier statements by LayerZero cofounder Bryan Pellegrino. Less than a day before the admission, he called such operations ordinary OFT testing.
Users quickly noticed inconsistencies. According to them, meme coins from these transactions had already regularly appeared in the activity of the same multisig wallet.
Later, LayerZero clarified that their multisig system only allows management of Endpoint functions, including adding new networks and updating default parameters.
LayerZero Urges Developers to Take Security More Seriously
LayerZero again reminded that the project was originally designed to avoid a single point of failure, which is common in regular blockchain bridges. The company emphasized that each application can independently configure its own security system and does not have to rely entirely on LayerZero Labs.
After the attack, the team also released recommendations for developers. LayerZero advises strictly fixing all configurations, rather than using default settings controlled by the company itself. In addition, developers are advised to increase the number of block confirmations to reduce the risk of network reorganization and to configure DVN with at least two independent participants, preferably three to five. LayerZero believes that large projects should ideally run their own DVN nodes.
See also: Crypto Cards Reach $600 Million a Month, TRON Takes Third of Market
LayerZero also explained how the current trust models inside the system are structured. For example, standard applications and DVN configurations with one validator essentially depend on multisig LayerZero Labs. At the same time, gas sending and transaction execution services only affect network availability, not asset security.
After the attack, LayerZero stopped supporting DVN 1/1 schemes. Now standard settings are being switched to 3/3 or 5/5 schemes, where confirmation is done through several independent participants at once. At the same time, LayerZero is developing a new DVN client in Rust.
DeFi Consequences After the LayerZero Hack
After the attack, LayerZero faced criticism from the crypto community. Many did not like that in the first days the company tried to partially shift responsibility to partners.
After the incident, KelpDAO and Solv Protocol have already migrated their systems to Chainlink. Several other major projects, including Beefy, Ethena, BitGo and Lombard, have started to reconsider their cooperation with LayerZero.
Amid the scandal, there were concerns that transfer volumes through LayerZero bridges could decrease. Stargate’s revenues and the ZRO token buyback program were also at risk.
To mitigate the consequences of the attack, LayerZero Labs promised to allocate 5,000 ETH as part of the DeFi United rescue plan, and another 5,000 ETH to support Aave liquidity pools.
But even after the apologies, the story again raised the issue of cross-chain protocol security. Currently, LayerZero uses a multisig 7/10 scheme via the OneSig system.
The company continues to insist that the protocol remains a reliable tool for large-scale cross-network transfers. However, the final market reaction will only become clear in a few weeks, when it will be known how many projects will continue to work with LayerZero.
