Kelp DAO vs LayerZero: The $300M Bridge Hack Fallout Explained
In the wake of a devastating $300 million bridge exploit on April 18, 2025, involving rsETH tokens, Kelp DAO has fired back at LayerZero with a detailed rebuttal. The DAO accuses the cross-chain messaging firm of shifting blame onto users, while announcing a strategic migration from LayerZero's OFT standard to Chainlink's Cross-Chain Token (CCT) standard. This Q&A breaks down the incident, the accusations, and what it means for the DeFi ecosystem.
What exactly happened during the $300M bridge hack?
On April 18, 2025, a sophisticated exploit targeted the rsETH bridge, resulting in the theft of approximately $300 million in user funds. The attack exploited a vulnerability in the cross-chain messaging layer, allowing the attacker to bypass security checks and drain liquidity pools across multiple chains. Kelp DAO, the protocol behind rsETH, immediately paused operations and launched an investigation. While the specific technical flaw has not been fully disclosed, initial reports suggested that the exploit involved a reentrancy-like attack on the bridge's validation logic. The incident sent shockwaves through the DeFi community, raising fresh concerns about the security of cross-chain infrastructure and the reliance on third-party messaging protocols like LayerZero.

Why does Kelp DAO accuse LayerZero of deflecting blame?
According to Kelp DAO's official rebuttal, published on June 11, 2025, LayerZero attempted to shift responsibility for the hack onto the DAO's own operational practices. Kelp DAO claims that LayerZero's post-incident report downplayed the role of a known vulnerability in LayerZero's own OFT (Omnichain Fungible Token) standard, instead highlighting minor configuration errors on Kelp's side. The DAO argues that LayerZero's narrative was designed to protect its reputation at the expense of its users. Kelp further stated that it possesses evidence—including transaction logs and internal communications—showing that LayerZero had been aware of the potential flaw weeks before the attack but failed to issue a timely warning or patch. This accusation has deepened the rift between the two projects and fueled debates about accountability in cross-chain security.
What is the OFT standard, and why did Kelp DAO initially choose it?
The OFT (Omnichain Fungible Token) standard is a token framework developed by LayerZero that allows a single token contract to exist seamlessly across multiple blockchains without traditional wrapping or minting. Kelp DAO originally adopted OFT for rsETH because it offered gas efficiency, instant liquidity, and a unified user experience across chains like Ethereum, Arbitrum, and Optimism. However, the recent hack revealed a critical weakness: if the OFT's internal messaging protocol is compromised, all connected chain states can be manipulated simultaneously. This centralized trust model contrasts with more decentralized approaches like Chainlink's CCT, where each chain maintains independent token contracts linked by oracles. The incident has prompted many projects to reconsider their reliance on OFT, especially after Kelp's public migration announcement.
How does Chainlink's Cross-Chain Token (CCT) standard differ from LayerZero's OFT?
Chainlink's CCT standard uses a different security architecture. Instead of a single omnichain token contract, CCT deploys separate native token contracts on each chain. Cross-chain transfers are executed by burning tokens on the source chain and minting them on the destination chain, orchestrated by Chainlink's decentralized oracle network (DON). This means no single point of failure can compromise all chains simultaneously. In contrast, LayerZero's OFT relies on a single global contract that updates state across all chains via LayerZero's messaging protocol. While OFT is more gas-efficient and simpler to deploy, it creates a larger attack surface. Kelp DAO's decision to migrate reflects a preference for the added resilience of independent chain contracts, even at the cost of higher complexity and gas fees.
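The burn-and-mint flow described above implies a check a monitoring team can run: every mint on a destination chain should pair with exactly one burn of the same amount on a source chain, so the summed supply never changes. The sketch below is an added example, not code from Kelp DAO, Chainlink or LayerZero; the event schema, message ids and amounts are constructed, and it assumes events arrive in finalized order with each burn ahead of its mint.

```python
from collections import defaultdict

# Constructed sample events (not real chain data). Assumed schema: each
# transfer emits one burn on the source chain and one mint on the
# destination chain, both carrying the same message id and amount.
EVENTS = [
    {"kind": "burn", "chain": "ethereum", "msg_id": "m1", "amount": 100},
    {"kind": "mint", "chain": "arbitrum", "msg_id": "m1", "amount": 100},
    {"kind": "burn", "chain": "arbitrum", "msg_id": "m2", "amount": 40},
    {"kind": "mint", "chain": "optimism", "msg_id": "m2", "amount": 55},   # amount differs
    {"kind": "mint", "chain": "optimism", "msg_id": "m3", "amount": 500},  # no burn seen
    {"kind": "mint", "chain": "arbitrum", "msg_id": "m1", "amount": 100},  # second mint
]
INITIAL = {"ethereum": 1000, "arbitrum": 0, "optimism": 0}

def reconcile(events, initial_supply):
    """Replay events in order; return (alerts, per-chain supply)."""
    supply = defaultdict(int, initial_supply)
    burns = {}        # msg_id -> amount burned on the source chain
    consumed = set()  # msg_ids that have already produced a mint
    alerts = []
    for ev in events:
        mid, amt, chain = ev["msg_id"], ev["amount"], ev["chain"]
        if ev["kind"] == "burn":
            supply[chain] -= amt
            burns[mid] = amt
            continue
        supply[chain] += amt  # record the mint even when it is suspicious
        if mid in consumed:
            alerts.append((mid, "replayed mint"))
        elif mid not in burns:
            alerts.append((mid, "mint without burn"))
        elif burns[mid] != amt:
            alerts.append((mid, "amount mismatch"))
        consumed.add(mid)
    return alerts, dict(supply)

def total_supply_drift(events, initial_supply):
    """Global invariant: burn-and-mint leaves the summed supply unchanged."""
    _, supply = reconcile(events, initial_supply)
    return sum(supply.values()) - sum(initial_supply.values())
```

A nonzero drift is the coarse alarm that something was minted without backing; the per-message alerts show which transfer to investigate first.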

What specific steps is Kelp DAO taking after the hack?
In the aftermath of the exploit, Kelp DAO has implemented several measures: first, it froze all rsETH operations on affected chains and launched a security audit with three independent firms. Second, it is working with law enforcement and blockchain analytics companies to trace the stolen funds. Third, the DAO has committed to fully reimbursing affected users from its treasury and insurance reserves. Most notably, Kelp announced on June 10 that it will migrate rsETH from LayerZero's OFT standard to Chainlink's CCT standard. This migration involves deploying new token contracts on each supported chain, migrating liquidity, and updating all dApp integrations. The process is expected to take 4–6 weeks, during which users' funds will be temporarily locked. The DAO's strong stance against LayerZero has also prompted a governance vote proposing legal action for damages.
What does this incident mean for the future of cross-chain interoperability?
The $300M hack has sent a clear signal to the DeFi industry: the trade-off between efficiency and security in cross-chain bridges is still unresolved. Many projects will likely accelerate their shift away from centralized messaging protocols toward more decentralized oracle-based solutions like Chainlink CCT or threshold signature schemes. The incident also highlights the need for mandatory security audits and real-time monitoring of cross-chain transactions. LayerZero's reputation has taken a significant hit, and its response will be closely watched. Regulators may also take notice, potentially introducing new requirements for bridge operators to maintain insurance funds or formal liability frameworks. Ultimately, the hack may accelerate innovation in trustless bridging methods, such as zero-knowledge proofs or atomic swaps, to reduce reliance on any single intermediary.
How are users reacting to the Kelp-LayerZero dispute?
Community reaction has been polarized. Many rsETH holders support Kelp DAO's decision to migrate and its transparency in publishing the rebuttal, viewing it as taking responsibility. Others, however, criticize the DAO for initially relying on LayerZero without deeper due diligence. On social media, the hashtag #BlameLayerZero trended briefly, with users sharing stories of lost funds. Meanwhile, some DeFi analysts argue that both parties share blame—LayerZero for the underlying vulnerability and Kelp for not implementing fail-safes. The incident has also sparked broader conversations about user education and the need for standardized insurance in cross-chain protocols. Several DeFi insurance protocols have reported a surge in queries about coverage for bridge hacks, and Kelp DAO is reportedly in talks to integrate a dedicated insurance pool for future rsETH operations.