Blockchain Academics
KelpDAO Abandons LayerZero for Chainlink After $292M rsETH Hack

KelpDAO is abandoning LayerZero for Chainlink's cross-chain infrastructure after a $292 million exploit of its rsETH token. The hack exploited a 1-of-1 validator configuration that KelpDAO says LayerZero approved, triggering a $71 million legal dispute.

Hadi Ghadban, May 5, 2026

KelpDAO is shifting from LayerZero to Chainlink's cross-chain infrastructure following a $292 million exploit of its rsETH token. The move reflects a broader industry pivot toward established, audited solutions over newer protocols, even as a $71 million legal dispute between the two parties continues.

The exploit centered on a 1-of-1 validator configuration on the cross-chain bridge. According to KelpDAO, LayerZero approved this single-validator design, which created a critical vulnerability. A single validator controlled message verification across chains, so there was no redundancy and no independent check that might have caught malicious activity.
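A minimal model of why a 1-of-1 verification setup has no margin, added here as an illustration; it is not LayerZero's or KelpDAO's code. HMAC-SHA256 stands in for validator signatures, and every name, key and threshold below is a constructed assumption.

```python
import hashlib
import hmac

# Hypothetical model: HMAC-SHA256 stands in for a validator's signature.
# All keys and messages are constructed sample values.
ONE_OF_ONE = {"v1": b"key-1"}
TWO_OF_THREE = {"v1": b"key-1", "v2": b"key-2", "v3": b"key-3"}

def attest(key: bytes, message: bytes) -> bytes:
    """Attestation that a validator holding `key` produces for `message`."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_message(message, attestations, validator_keys, threshold):
    """Accept only if `threshold` distinct configured validators attested.

    `attestations` maps validator id -> tag, so each validator counts at
    most once; ids that are not in the configuration are ignored.
    """
    valid = 0
    for vid, tag in attestations.items():
        key = validator_keys.get(vid)
        if key is not None and hmac.compare_digest(attest(key, message), tag):
            valid += 1
    return valid >= threshold

def audit_config(validator_keys, threshold):
    """Return findings for a verification config; an empty list means none."""
    n = len(validator_keys)
    findings = []
    if threshold < 1 or threshold > n:
        findings.append("threshold outside 1..n: messages always or never pass")
    if n == 1:
        findings.append("single validator: no independent check on its attestations")
    if threshold == 1:
        findings.append("threshold of 1: one compromised key approves any message")
    return findings

def forged_passes(validator_keys, threshold, compromised_ids):
    """Is a forged message accepted when only `compromised_ids` sign it?"""
    forged = b"constructed forged cross-chain message"
    tags = {vid: attest(validator_keys[vid], forged) for vid in compromised_ids}
    return verify_message(forged, tags, validator_keys, threshold)

if __name__ == "__main__":
    print("1-of-1 findings:", audit_config(ONE_OF_ONE, 1))
    print("1-of-1, one key lost:", forged_passes(ONE_OF_ONE, 1, ["v1"]))
    print("2-of-3, one key lost:", forged_passes(TWO_OF_THREE, 2, ["v1"]))
```

The same audit can run as a deployment gate so that a configuration with a single validator or a threshold of 1 is rejected before it carries value.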

LayerZero's position in the lawsuit suggests the protocol may argue that KelpDAO bore responsibility for customizing security beyond defaults or implementing additional protective layers. Both parties dispute the exploit's root cause, with KelpDAO contending that LayerZero's default infrastructure setup and approval of the risky configuration bear responsibility.

The incident adds to a troubling track record for cross-chain bridges. The Ronin Bridge hack in 2022 cost $625 million, while the Poly Network exploit in 2021 drained $611 million. These repeated breaches have exposed fundamental vulnerabilities in how protocols move assets across blockchains. LayerZero itself has faced ongoing criticism over its security model and default configurations, with security researchers flagging risks in its approach to message validation.

Chainlink's Cross-Chain Interoperability Protocol (CCIP) uses a different architectural approach. Rather than relying on a single validator, CCIP employs multiple independent validators and oracle networks, backed by Chainlink's institutional reputation and extensive audits. The protocol is positioned as battle-tested and suitable for moving high-value assets across chains, though it may trade off some speed or cost efficiency compared to lighter-weight solutions like LayerZero.

KelpDAO's migration signals a broader industry shift toward established, heavily audited cross-chain solutions over newer, more experimental protocols. Developers and protocols are increasingly prioritizing proven security models over novel approaches, even if the latter offer better performance metrics. The $292 million loss provides a costly lesson in the dangers of default configurations in critical infrastructure.

The $71 million court dispute between KelpDAO and LayerZero remains unresolved. If courts find LayerZero responsible for approving the vulnerable setup, it could force broader changes in how bridge protocols handle default configurations and security validation. Conversely, if KelpDAO is found liable for insufficient due diligence, it may shift responsibility back to protocols deploying on cross-chain infrastructure.

For the broader market, the KelpDAO exploit reinforces that cross-chain infrastructure remains a high-risk component of multi-chain strategies. Protocols moving significant liquidity across chains face a difficult choice between newer, faster solutions with less battle-testing and established alternatives that prioritize security over speed. KelpDAO's decision to migrate to Chainlink reflects that calculus: when $292 million is at stake, institutional credibility and proven security matter more than performance optimizations.
