layerzero

After KelpDAO was attacked, resulting in a loss of $292 million, the industry's scrutiny of the security of cross-chain infrastructure has intensified. Approximately $4 billion in assets have completed or are in the process of migrating from LayerZero to Chainlink's Cross-Chain Interoperability Protocol (CCIP). The DeFi protocol Lombard is the latest project to join this migration trend. The protocol announced it would discontinue the use of LayerZero and migrate over $1 billion in Bitcoin-backed assets to Chainlink CCIP, stating that this decision stemmed from a comprehensive internal security review following the April attack incident.Lombard issues two types of Bitcoin-backed tokens—LBTC and BTC.b—and will prioritize the migration of assets on chains such as Solana, Etherlink, Berachain, Corn, and TAC, while terminating the use of LayerZero on Morph and Swell. Lombard stated that the reason for choosing CCIP is its independent node operators, built-in rate limiting mechanisms, and audited infrastructure. Additionally, the protocol will adopt Chainlink's cross-chain token standard to facilitate asset cross-chain circulation through a burn-and-mint model.Previously, Kelp DAO, Solv Protocol, Re, and the cryptocurrency exchange Kraken have all completed similar migrations, with these projects collectively transferring approximately $4 billion in assets. Chainlink Labs Chief Business Officer Johann Eid stated, "We are witnessing a continued wave of risk-averse migration within the industry."

According to CoinDesk, Kraken announced that it will use Chainlink's cross-chain interoperability protocol CCIP, replacing LayerZero as the exclusive cross-chain infrastructure for its wrapped assets, covering kBTC and more wrapped assets in the future. This migration involves over $3 billion in TVL, following a $292 million LayerZero-related cross-chain attack incident that occurred in April. Kraken stated that the migration will cover networks such as Ink, Ethereum, Unichain, and Optimism. kBTC is set to launch in 2024, with a current market value of approximately $260 million. Coinbase had previously also chosen Chainlink CCIP as the sole cross-chain bridge solution for about $7 billion in wrapped tokens.

Aave stated that the first steps of the rsETH technical recovery plan have been completed, which includes the destruction of the rsETH held by the attacker on Arbitrum. In the coming days, stakeholders will gradually replenish funds to the LayerZero OFT adapter and restart rsETH-related operations in phases.Kelp previously stated that it has completed a series of rsETH endorsement recovery steps with Aave, planning to gradually inject 117,132 rsETH from the Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter on the Ethereum mainnet.

According to analyst Tom Wan's monitoring, despite LayerZero issuing an apology statement, several protocols with a total TVL of approximately $2 billion have announced their migration to Chainlink CCIP, including KelpDAO ($1.5 billion), SolvProtocol ($600 million), and re ($200 million).Meanwhile, the top assets still using the LayerZero OFT standard include: USDe/sUSDe (Ethena), weETH (Etherfi), USDT0 (Tether), thBILL (Theo), and WBTC (Bitgo), with specific migration progress to be determined by project announcements.Previously, LayerZero formally apologized for poor communication regarding security incidents over the past three weeks. The official acknowledged that its internal RPC was attacked by the Lazarus Group and admitted to mistakenly allowing LayerZero Labs DVN to act as a 1/1 verification node for high-value transactions, leading to a single point of risk.

LayerZero Labs posted on the X platform that the internal RPC used by LayerZero Labs was attacked by the Lazarus Group in the past three weeks, resulting in the compromise of the true source of its DVN (Decentralized Verification Network), while external RPC providers faced DDOS attacks. This incident affected 0.14% of applications and approximately 0.36% of asset value.LayerZero Labs stated that asset security is currently intact, and since April 19, over $9 billion in funds have been completed across chains through the protocol. In response to security risks, LayerZero Labs has stopped providing services for its DVN in a 1/1 configuration, and all default configurations for channels will be migrated to at least a 3/3 or 5/5 multi-DVN mode.Additionally, in response to an incident three years ago where multi-signature holders mistakenly used hardware wallets for personal transactions, LayerZero Labs has removed that signer and changed wallets, while also developing a OneSig custom multi-signature system. LayerZero Labs recommends that developers lock configurations to avoid relying on default settings and plans to launch an asset management platform Console to enhance security monitoring.

According to market news, LayerZero Labs co-founder and CEO Bryan Pellegrino had a heated debate with security researchers today in the ETHSecurity Community Telegram group. The core controversy includes: since LayerZero Labs can immediately upgrade a default library contract without a time limit to forge messages (similar to the case where rsETH was hacked), the LZ OFT, valued at over $3 billion, is recently at risk of being stolen; researcher Banteg pointed out that mainstream projects like Ethena and EtherFi were still using this default library contract weeks ago, and currently, there is still $178 million worth exposed to risk, with these funds coming from projects that are still using the default library.On-chain data shows that LayerZero Labs multi-signature signers participated in non-multi-signature activities such as meme coin trading, DEX exchanges, and cross-chain bridging, which means that the multi-signature keys in the formal environment were connected to websites, increasing phishing risks. Regarding the multi-signature signers of LayerZero using production environment keys for trading activities, Bryan confirmed that the related transactions were completed by members of the multi-signature team, but denied that it was "meme coin trading," explaining it as "testing PEPE on the LZ OFT token standard," and stated that the involved member has been removed. Bryan also suggested that project parties "directly fix configurations" instead of using default configurations to reduce risks. Banteg subsequently tagged a long list of LayerZero users still using the default library contract, pointing out that these projects should migrate to fixed configurations as soon as possible.

According to market news, Solv Protocol announced the migration of over $700 million of SolvBTC and xSolvBTC from the LayerZero cross-chain bridge to Chainlink's CCIP, and the deprecation of LayerZero support on networks such as Corn, Berachain, Rootstock, and TAC.Solv stated that this move is based on the latest security review and recent cross-chain attacks, positioning CCIP as the standard cross-chain infrastructure. This migration follows Kelp DAO's shift to Chainlink after its LayerZero-based bridge suffered an attack of approximately $292 million in rsETH.

In response to KelpDAO's accusations against LayerZero regarding the rsETH security incident, LayerZero CEO Bryan Pellegrino tweeted a detailed response, stating that much of the content is completely false.Bryan pointed out that KelpDAO initially used LayerZero's default MultiDVN or DeadDVN configuration and later manually migrated to the 1/1 configuration; under the 1/1 configuration, almost 100% of the transaction volume came from rsETH; LayerZero's documentation repeatedly states that the 1/1 configuration is not recommended for production environments and provides specific transaction records and document screenshots as evidence.

Kelp DAO announced that it will migrate its re-staked token rsETH to Chainlink CCIP, stating that this move is to enhance security.Previously, the cross-chain bridge built by Kelp DAO based on LayerZero was attacked on April 18, resulting in hackers stealing approximately 116,500 rsETH, involving an amount of about $292 million, and using the related assets as collateral to borrow WETH on Aave v3. Regarding the cause of the vulnerability, LayerZero previously stated that the issue stemmed from Kelp DAO using a single DVN verification path configuration instead of multiple independent verifications. Kelp DAO responded that this configuration was the default setting and that LayerZero had confirmed its security without indicating any related risks. LayerZero CEO Bryan Pellegrino subsequently denied this claim, stating that Kelp DAO had actively modified the default multi-DVN configuration. Both parties are currently still in ongoing disputes over the attribution of responsibility.

According to The Block, after experiencing a bridge attack of approximately $292 million last month, Kelp DAO decided to abandon LayerZero and instead adopt Chainlink's cross-chain infrastructure.Kelp DAO will use the Chainlink Cross-Chain Interoperability Protocol, which requires 16 independent node operators to validate cross-chain transactions, becoming the first major protocol to leave LayerZero after the attack. During the attack, the LayerZero-driven OFT bridge used a 1-of-1 single validator configuration, with 47% of LayerZero applications using the same configuration at that time. LayerZero subsequently announced the cessation of single validator configurations.Kelp DAO stated that migrating to Chainlink CCIP directly addresses the architectural vulnerabilities in the attack. rsETH will also adopt a cross-chain token standard. As part of the DeFi United rescue operation, LayerZero has donated and lent approximately 10,000 ETH to Aave.

DeFi United announced a technical repair plan for the Kelp DAO rsETH cross-chain bridge vulnerability on Tuesday. Previously, attackers exploited a vulnerability in the LayerZero-driven Unichain to Ethereum bridge, releasing 116,500 rsETH by spoofing inbound packets, of which approximately 107,000 are currently still distributed as collateral across seven associated addresses in Aave and Compound.DeFi United stated that it has secured enough ETH commitments to restore the support for rsETH, which will be converted into rsETH in batches and injected into the bridge lock contract. LayerZero Labs pledged over 10,000 ETH on Tuesday to support the repair efforts. Regarding the liquidation of the attackers' positions, the alliance will execute controlled liquidations through Aave and Compound governance proposals, expecting to recover approximately 13,000 and 16,776 ETH, respectively.During the repair period, WETH and rsETH reserves on multiple chains will remain frozen. DeFi United also cautioned about execution risks, including governance approval progress, potential interference from attackers, and new security measures pending validation in the production environment.

LayerZero Labs announced a commitment to provide over 10,000 ETH to the DeFi United ecological rescue initiative led by Aave. This includes a donation of 5,000 ETH and an additional deposit of 5,000 ETH to enhance Aave market liquidity.

According to Onchain Lens monitoring, a wallet associated with the LayerZero team deposited 1 million ZRO into Binance, worth 1.43 million dollars. The wallet still holds 29 million ZRO, worth 41.34 million dollars, and may continue to deposit.

Ethena officially announced that the LayerZero cross-chain bridge functionality for sUSDe and USDe has been relaunched on all chains. To enhance security, Ethena has upgraded the decentralized verification network (DVN) configuration on each chain from 2/2 to 4/4, while maintaining the existing rate limit of $10 million per hour. The official statement indicated that further updates will be provided as necessary.

ether.fi posted on platform X that weETH based on the LayerZero cross-chain bridge has now been restored on all chains, and liquidity minting and redemption functions have been enabled.In terms of security, the ether team has increased the number of DVNs (Decentralized Verification Networks) from 2 to 4 and implemented stricter rate limiting mechanisms to further enhance system security. Additionally, related services will gradually resume under the guidance of security partners, and more updates will be released in the future.

ether.fi posted on platform X that, guided by security partners, it will restore the LayerZero bridging functionality for weETH and eETH within the next 24 hours.ether.fi previously confirmed that its Liquid treasury was not directly exposed to the Kelp rsETH event risk, but decided to suspend the LayerZero cross-chain bridging functionality for weETH and eETH as a precautionary measure until the root cause of the Kelp rsETH event is clarified. Meanwhile, for Liquid (ETH, BTC, USD), sETHFI, and eBTC products, the relevant Teller contracts have been suspended to block the LayerZero OFT bridging path, and the deposit and withdrawal functions for the related assets have also been suspended. They are currently working closely with security partners.

Kelp DAO officially stated in a post on X regarding the theft incident that the cause of the theft was the compromise of two RPC nodes hosted by LayerZero, while a third RPC node suffered a DDoS attack. This was an attack targeting LayerZero's infrastructure, and Kelp's own system was not involved in the construction or operation of that infrastructure.The 1/1 DVN configuration is the scheme recorded in LayerZero's documentation and is the default setting for all new OFT deployments. Kelp has been operating on LayerZero's infrastructure since January 2024 and has maintained open communication with the LayerZero team. During Kelp's expansion to Layer2, the DVN configuration issue was discussed, and at that time, the default configuration was explicitly confirmed to be appropriate. Kelp's current top priority is to safeguard user interests and prevent risks from spreading within the DeFi ecosystem. The team is collaborating with various parties within the ecosystem to analyze the impact, seek support, and explore all possible mitigation solutions.

According to CoinDesk, the liquidity re-staking protocol Kelp DAO has raised objections to LayerZero's investigation report regarding the previous $290 million rsETH bridge attack incident.Kelp DAO claims that the single-validator (1/1) configuration that led to this attack was not a choice made in disregard of recommendations, but rather the default setting in LayerZero's official guidelines, and the validator network (DVN) exploited by the attacker is part of LayerZero's own infrastructure.The attack resulted in the theft of 116,500 rsETH, worth approximately $290 million. Security researchers pointed out that LayerZero's publicly deployed code defaults to a single-source validation configuration across networks such as Ethereum, Binance Smart Chain, Polygon, Arbitrum, and Optimism.LayerZero subsequently responded that it will stop signing messages for any applications using a single-validator setup and will enforce a security migration.