LayerZero is facing one of its sharpest security challenges after researchers questioned whether default settings and multisig practices left major omnichain assets exposed to avoidable operational risk.
The debate was triggered by security researcher Banteg, who highlighted reliance on a default LayerZero library contract that could be upgraded without a timelock. Researchers said more than $3 billion in LayerZero Omnichain Fungible Tokens had depended on that structure, while about $178 million remained exposed across projects that had not moved to fixed or independently governed configurations. Major protocols including Ethena and EtherFi were cited as having used the default setup until weeks ago.
LayerZero’s OFT standard is designed to allow tokens to move across multiple blockchains while preserving a unified supply. Its security model gives developers flexibility to choose verification arrangements through Decentralised Verifier Networks, or DVNs. That flexibility has become the centre of the dispute: supporters argue it avoids a single systemic bridge failure, while critics say defaults can quietly become production infrastructure if teams do not understand the risk.
The controversy intensified because it followed the April 18 KelpDAO exploit, in which attackers drained roughly $292 million, or 116,500 rsETH, from a LayerZero-based bridge. The attack did not appear to exploit smart-contract code. Instead, it targeted off-chain verification infrastructure, using compromised internal RPC nodes and disruption of external RPC services to make a false cross-chain message appear valid to a one-of-one DVN setup.
LayerZero has said the Kelp incident affected a single application and roughly 0.36 per cent of asset value on the protocol, while maintaining that the protocol itself was not compromised. It acknowledged, however, that allowing its own DVN to act as a one-of-one verifier for high-value transactions was a mistake. The company said developers should pin configurations, avoid reliance on defaults controlled by LayerZero Labs, and use at least two DVNs, with three to five offering stronger protection.
Multisig hygiene has added another layer of scrutiny. On-chain activity reviewed by researchers indicated that production multisig signers had been connected to personal or non-governance transactions, including token swaps and cross-chain activity. LayerZero co-founder and chief executive Bryan Pellegrino said involved signers had been removed and wallets rotated, and described the disputed transactions as linked to OFT testing rather than meme-coin speculation. LayerZero later said it had strengthened signing practices, added device-level anomaly detection and developed a custom multisig system called OneSig.
Developers and security teams are now pressing for a clearer distinction between what LayerZero enables and what it should actively prevent. The company’s own integration guidance advises production applications to use more than one DVN on each pathway and to keep configurations consistent across both send and receive routes. That advice has become more consequential after the Kelp loss, because the failure mode was not visible through conventional audit checks alone.
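The guidance in the last few paragraphs (pin configurations rather than inheriting a provider-controlled default, require at least two verifiers with three to five preferred, and keep send and receive routes consistent) can be turned into a mechanical pre-deployment check. The script below is an added illustration, not LayerZero's own tooling or types: the `VerifierConfig`/`Pathway` model, the field names, and the sample verifier names and routes are all constructed here to show how an integrator could lint their own pathway configuration before it carries value.

```python
"""Audit constructed cross-chain pathway configurations for the failure modes
discussed above: default (unpinned) configs, one-of-one verification,
thin verifier sets, and send/receive mismatches.

This is an illustrative model, not LayerZero's API; field and DVN names are assumptions.
"""
from dataclasses import dataclass, field

MIN_VERIFIERS = 2          # floor stated in the text: "at least two DVNs"
RECOMMENDED_VERIFIERS = 3  # "three to five" offers stronger protection


@dataclass
class VerifierConfig:
    required: list[str]                      # every listed verifier must attest
    optional: list[str] = field(default_factory=list)
    optional_threshold: int = 0              # how many of `optional` must also attest
    pinned: bool = True                      # False = still inheriting a provider-controlled default


@dataclass
class Pathway:
    src: str
    dst: str
    direction: str                           # "send" (on src) or "receive" (on dst)
    config: VerifierConfig


def effective_verifiers(cfg: VerifierConfig) -> int:
    """Independent attestations needed before a message is accepted."""
    required = set(cfg.required)
    extra_optional = set(cfg.optional) - required          # don't double-count a verifier
    return len(required) + min(cfg.optional_threshold, len(extra_optional))


def audit_pathway(p: Pathway) -> list[str]:
    """Findings for one direction of one route."""
    label = f"{p.src}->{p.dst} {p.direction}"
    findings = []
    if not p.config.pinned:
        findings.append(f"{label}: inherits a default config; pin it explicitly")
    n = effective_verifiers(p.config)
    if n < MIN_VERIFIERS:
        findings.append(f"{label}: {n}-of-{n} verification; one compromised verifier can forge messages")
    elif n < RECOMMENDED_VERIFIERS:
        findings.append(f"{label}: only {n} verifiers; {RECOMMENDED_VERIFIERS}-5 recommended for high-value assets")
    if len(set(p.config.required)) != len(p.config.required):
        findings.append(f"{label}: duplicate entries in required verifiers")
    return findings


def audit_consistency(send: Pathway, receive: Pathway) -> list[str]:
    """The send side on src and the receive side on dst should agree on the verifier set."""
    s = (set(send.config.required), set(send.config.optional), send.config.optional_threshold)
    r = (set(receive.config.required), set(receive.config.optional), receive.config.optional_threshold)
    if s != r:
        return [f"{send.src}<->{send.dst}: send and receive verifier configs differ"]
    return []


def run_audit(routes: list[tuple[Pathway, Pathway]]) -> list[str]:
    """routes: (send pathway, matching receive pathway) pairs; returns every finding."""
    findings: list[str] = []
    for send, recv in routes:
        findings += audit_pathway(send) + audit_pathway(recv) + audit_consistency(send, recv)
    return findings


# Constructed sample configurations (names are placeholders, not real DVN operators).
DEFAULT_ONE_OF_ONE = VerifierConfig(required=["dvn-provider"], pinned=False)
HARDENED = VerifierConfig(required=["dvn-provider", "dvn-indep-a"],
                          optional=["dvn-indep-b", "dvn-indep-c"], optional_threshold=1)
RECEIVE_ONLY_REQUIRED = VerifierConfig(required=["dvn-provider", "dvn-indep-a"])

SAMPLE_ROUTES = [
    # Route 1: both directions left on the unpinned one-of-one default.
    (Pathway("chainA", "chainB", "send", DEFAULT_ONE_OF_ONE),
     Pathway("chainA", "chainB", "receive", DEFAULT_ONE_OF_ONE)),
    # Route 2: hardened on the send side, but the receive side was configured differently.
    (Pathway("chainA", "chainC", "send", HARDENED),
     Pathway("chainA", "chainC", "receive", RECEIVE_ONLY_REQUIRED)),
]

SAMPLE_FINDINGS = run_audit(SAMPLE_ROUTES)

if __name__ == "__main__":
    for line in SAMPLE_FINDINGS:
        print(line)
```

Route 1 produces two findings per direction (unpinned default, one-of-one), which is the shape of the exposure the article describes; route 2 shows that hardening only the send side still leaves a thin receive side and a send/receive mismatch. The threshold counting in `effective_verifiers` is the part worth getting right: a verifier listed both as required and as optional must not count twice.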
KelpDAO’s decision to move rsETH away from LayerZero’s OFT standard towards Chainlink’s CCIP has sharpened competitive pressure in cross-chain infrastructure. Solv Protocol has also moved to Chainlink CCIP for tokenised Bitcoin exposure, adding to the perception that large DeFi projects are reassessing verifier diversity, operational monitoring and upgrade control after the exploit.
The wider issue for DeFi is whether modular security can remain developer-led when billions of dollars depend on configuration choices that may be misunderstood, inherited from examples, or left unchanged after deployment. LayerZero’s model gives applications control over their own security stack, but the backlash shows that default pathways, upgrade authority and signer practices can become reputational risks for the infrastructure provider as much as for the application developer.