KelpDAO Bridge Exploit: Critical Security Downgrade Exposed $292M Loss


Breaking: Bridge Security Downgrade Preceded $292M Exploit

A new forensic report reveals that KelpDAO's bridge was downgraded from a secure 2-of-2 multi-signature configuration to a vulnerable 1-of-1 setup hours before the $292 million exploit on April 18.

KelpDAO Bridge Exploit: Critical Security Downgrade Exposed $292M Loss
Source: thedefiant.io

The report, jointly produced by LayerZero Labs, Mandiant, CrowdStrike, and zeroShadow, was released Sunday and contains previously undisclosed details about the pre-attack configuration.

"This was a catastrophic failure in operational security," said a LayerZero spokesperson. "The downgrade effectively removed all redundancy and left the bridge exposed to a single point of failure."

KelpDAO, a liquid staking protocol, lost nearly $300 million in the attack. The exploit targeted its cross-chain bridge, which relied on LayerZero's Decentralized Verifier Network (DVN) for validation.

According to the report, the bridge's DVN configuration was briefly reduced from requiring two independent validators to just one, a change that eliminated the multi-signature safeguard.

Cybersecurity firm Mandiant confirmed the timeline: the downgrade occurred approximately 12 hours before the exploit. "The configuration change was not detected by existing security monitoring," noted a Mandiant analyst in the report.

ZeroShadow tracked the stolen funds to multiple addresses, with some movement to mixing services. CrowdStrike assessed the attack vector as a direct result of the weakened validation threshold.

Background: How the DVN Configuration Worked

LayerZero's DVN allows cross-chain messages to be verified by multiple independent nodes. A 2-of-2 setup required two separate verifiers to approve any transaction—a standard security practice for high-value bridges.

KelpDAO had originally configured its bridge with two DVN operators. The downgrade to 1-of-1 meant any single verifier could authorize a transaction, drastically lowering the barrier for malicious activity.


The report does not identify who initiated the downgrade. LayerZero Labs said it is cooperating with law enforcement to trace the authorization.

What This Means for Cross-Chain Security

This incident underscores the critical importance of immutable multi-signature configurations for bridge protocols. Even a temporary reduction in validation requirements can expose billions in locked value.

"Projects must treat their security settings as non-negotiable," said a representative from CrowdStrike. "Any change to threshold parameters should trigger immediate alerts and require multi-party approval."

The exploit also raises questions about governance over bridge security. If a single entity or compromised key can alter verification settings, the entire system is at risk.

LayerZero has since implemented additional monitoring for DVN configuration changes. The company advises all projects using its infrastructure to set immutable security parameters with on-chain timelocks.
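
The kind of check this recommendation calls for, as an added example (not code from the report, LayerZero or KelpDAO): it compares successive snapshots of a bridge pathway's verifier settings and flags threshold reductions, single-verifier setups and verifier removals. The `VerifierConfig` fields, verifier names, admin labels and sample history are constructed for illustration and are not LayerZero's actual configuration format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    """Constructed model of one pathway's verifier settings (hypothetical fields)."""
    block: int             # block height at which the snapshot was taken
    required: int          # approvals needed, the M in M-of-N
    verifiers: frozenset   # identities allowed to approve, the N
    changed_by: str        # account that submitted the change

def audit_change(old, new, min_required=2):
    """Return (severity, message) findings for a single config transition."""
    findings = []
    if new.required > len(new.verifiers):
        findings.append(("critical", "threshold exceeds verifier set"))
    if new.required < old.required:
        findings.append(("critical", f"threshold lowered {old.required} -> {new.required}"))
    if new.required < min_required:
        findings.append(("critical",
                         f"single point of failure: {new.required}-of-{len(new.verifiers)}"))
    removed = old.verifiers - new.verifiers
    if removed:
        findings.append(("high", f"verifiers removed: {sorted(removed)}"))
    added = new.verifiers - old.verifiers
    if added:
        findings.append(("medium", f"verifiers added: {sorted(added)}"))
    return findings

def audit_history(snapshots, min_required=2):
    """Walk snapshots in block order and report every transition that has findings."""
    ordered = sorted(snapshots, key=lambda s: s.block)
    report = []
    for old, new in zip(ordered, ordered[1:]):
        for severity, message in audit_change(old, new, min_required):
            report.append((new.block, severity, new.changed_by, message))
    return report

# Constructed sample history: 2-of-2, a downgrade to 1-of-1, then restoration.
HISTORY = [
    VerifierConfig(100, 2, frozenset({"dvn-a", "dvn-b"}), "admin-1"),
    VerifierConfig(200, 1, frozenset({"dvn-a"}), "admin-1"),
    VerifierConfig(300, 2, frozenset({"dvn-a", "dvn-b"}), "admin-2"),
]

if __name__ == "__main__":
    for block, severity, who, message in audit_history(HISTORY):
        print(f"block={block} severity={severity} changed_by={who} {message}")
```

Restoring the original setting still produces a finding, so a downgrade that is reverted shortly afterwards leaves two alertable events rather than none.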

The $292 million loss is one of the largest bridge exploits in 2024. It serves as a stark reminder that security misconfigurations can be as damaging as smart contract vulnerabilities.

KelpDAO has not yet announced a recovery plan. The stolen funds remain largely untraced.

For more details, see the full report from The Defiant.
