#Gate广场五月交易分享

I’ll take the blame for this! — LayerZero CEO admits protocol flaw

After a round of back-and-forth blame-shifting, it seems the Kelp DAO cross-chain bridge attack finally has a definitive party responsible.

On May 4, LayerZero CEO Bryan Pellegrino publicly posted that the protocol failed to prevent 1/1 single-validator configurations from being used to secure tens of billions of dollars in TVL, reflecting a double misstep in both product design and customer communication. The context for this statement was the April 18 attack on the Kelp DAO cross-chain bridge, which resulted in losses of about $292 million. The attack stemmed from Kelp using LayerZero’s default configuration—1-of-1 DVN, meaning a single-validator mode. After the incident, Kelp provided Telegram screenshots to show that LayerZero staff had reviewed and approved this configuration for as long as two and a half years. Data indicates that at the time, around 47% of LayerZero OApp contracts used the same configuration, exposing assets worth more than $4.5 billion. Currently, Kelp has announced it will discontinue LayerZero and migrate to Chainlink CCIP.

But even so, the question everyone cares about now isn’t who’s responsible—it’s who will pay. On this core demand, neither Kelp DAO nor LayerZero seems to take it seriously. For the unlucky AAVE that was caught in the crossfire, the biggest question is who will help share the 230 million yuan of bad debt. At present, DeFi United, together with the industry, has raised more than $300 million to mount a rescue, and Arbitrum has already frozen the ETH worth $73 million stolen by the hacker. It appears this crisis is gradually subsiding—so the question becomes: can AAVE start buying the dip?