Kelp DAO, which provides services in the field of decentralized finance, announced that it has made an infrastructure change for its liquid reinvested token rsETH. With the new decision announced on May 5, the platform stated that it started to move the rsETH bridge, which previously worked via LayerZero’s OFT (Omnichain Fungible Token) standard, to Chainlink’s CCIP (Cross-Chain Interoperability Protocol) infrastructure. The reason behind this decision was a large-scale cyber attack on April 18, in which LayerZero’s infrastructure was targeted and 116,500 rsETH was stolen from the Kelp DAO. It was stated that the attack caused a total loss of approximately 292 million dollars.
Security issue with LayerZero
This attack on the Kelp DAO caused the loss of 18 percent of the rsETH supply in a short time. According to blockchain analysis company Chainalysis, the attackers took over the internal network points controlled by LayerZero Labs and removed a large amount of tokens from the system by directing traffic to the nodes they took over with the DDoS method. At that time, only a single authenticator was used to secure the bridge. Thanks to this structure, one forged signature led to the undeserved release of tokens on the opposing network.
After the attack, LayerZero claimed that its single validator model was against its standards. However, Kelp DAO shared correspondence with the LayerZero team, showing that LayerZero both accepted and approved this structure. It was noted that in the screenshots published by Kelp DAO on Telegram, there were messages from the LayerZero team saying “default settings can be used”.
After the last attack, we started taking steps to make rsETH completely secure, which is why we are moving to Chainlink CCIP. In the incident on April 18, $300 million in losses occurred across DeFi due to the seizure of LayerZero’s own infrastructure.
According to reports, at that time, 47 percent of active smart contracts on LayerZero were working with a single validator. LayerZero began changing this configuration and requiring all applications to migrate to the new security standards.
Why was Chainlink CCIP preferred?
Kelp DAO is activating Chainlink’s CCIP infrastructure to prevent security vulnerabilities in the new period. According to Chainlink co-founder Sergey Nazarov, the CCIP architecture differs from competing bridges in three main ways: the use of three independent oracle networks for each transaction lane, a separate risk management network that works with the core protocol, and these networks being written in different languages by independent teams. Thus, even if there is a vulnerability in a single component, it is prevented from spreading to other systems.
While CCIP provides secure transfers between various blockchain networks, it aims to prevent similar attacks with multi-layer verification processes. The fact that the platform has not experienced any major losses that were reflected in the public to date also influenced this choice.
Even if you can crack a particular codebase, you cannot port the vulnerability to another codebase. In this way, both customer diversity and secure interaction of independent codes become possible.
With Kelp DAO completely leaving LayerZero and switching to CCIP, a more flexible and security-oriented infrastructure is being built. It is emphasized that the attack occurred due to a single validator, single code base and single infrastructure operator.
Steps taken and developments after the attack
LayerZero transferred 10,000 ETH to the DeFi United recovery fund last week after the losses. Arbitrum Security Council froze 30,766 ETH in the attacker wallets. However, the legal status of these funds is still controversial. Due to North Korea-related terrorism warrants in the United States, some plaintiffs are taking legal action to seize relevant assets.
While Kelp DAO stated that the transition to CCIP offers a structural solution, LayerZero has initiated a mandatory transition to the multi-validator model in nearly half of its applications in the future. After this incident, which was recorded as the biggest DeFi attack of 2026, bridge security comes to the fore in the ecosystem.
