
LayerZero security configurations expose significant risks

Nearly half of active LayerZero OApps over the past three months have been running with security settings vulnerable to single-point failure, according to data released by Dune on April 21.

Key findings from Dune data

  • 2,665 LayerZero OApp contracts analyzed over the last 90 days
  • About 47% used a “1-of-1” decentralized validation network (DVN) setup
  • Around 45% operated with “2-of-2” validation
  • Roughly 5% used “3-of-3” or higher configurations

A “1-of-1” DVN means a single validator can approve cross-chain messages. If that validator is compromised, an attacker can fabricate transactions that appear valid across chains.

Link to KelpDAO exploit

The report followed closely after the April 18 exploit of KelpDAO, a liquid restaking protocol built on LayerZero. KelpDAO’s rsETH contract used a 1-of-1 validation model, so the compromise of one validator was enough to enable falsified cross-chain transactions.

The attack led to the withdrawal of about $292 million in assets from KelpDAO, making it the largest exploit in the digital asset market so far in 2026. Specifically, 116,500 rsETH tokens were moved without authorization, nearly 18% of the token’s total supply.

How the attack worked

According to the protocol’s development team, the exploit was not caused by a flaw in LayerZero’s core interoperability code. Instead, it stemmed from KelpDAO’s choice to run with a single validator and from the infrastructure surrounding it.

Investigators linked the operation to the Lazarus Group and described the following attack path:

  • Compromise and “poisoning” of remote procedure call (RPC) nodes supplying blockchain data
  • A denial-of-service campaign against healthy infrastructure, forcing reliance on compromised nodes
  • Feeding of fabricated blockchain data to the validator
  • The validator then approved fraudulent cross-chain messages that never occurred on the source chain

Because KelpDAO depended on one verifier, the attacker only needed to control that single point to push through false transactions.
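The attack path above works when a verifier falls back to whichever data source is still answering. The following sketch is an added example, not code from LayerZero, KelpDAO or the original report: it contrasts that fallback with a fail-closed check that needs a majority of all configured RPC providers to agree before attesting. The provider names, hashes and function names are hypothetical.

```python
from collections import Counter

# Constructed sample values: the hash healthy nodes report and a fabricated one.
GOOD, FAKE = "0xa1", "0xff"

def naive_failover(responses):
    """Weak pattern: trust the first provider that answers at all."""
    for provider, msg_hash in responses.items():
        if msg_hash is not None:
            return ("attest", msg_hash, [])
    return ("refuse", "no source reachable", [])

def decide(responses):
    """Fail closed. `responses` maps provider -> reported hash, None if unreachable.

    The bar is a majority of *configured* providers, so knocking healthy
    providers offline cannot lower it. Returns (action, detail, dissenters).
    """
    need = len(responses) // 2 + 1
    reachable = {p: h for p, h in responses.items() if h is not None}
    if len(reachable) < need:
        return ("refuse", "too few sources reachable", [])
    top, votes = Counter(reachable.values()).most_common(1)[0]
    dissenters = sorted(p for p, h in reachable.items() if h != top)
    if votes < need:
        return ("refuse", "sources disagree", dissenters)
    return ("attest", top, dissenters)  # dissenters are worth alerting on

# Constructed scenarios (hypothetical providers rpc-1..rpc-3).
NORMAL = {"rpc-1": GOOD, "rpc-2": GOOD, "rpc-3": GOOD}
ONE_POISONED = {"rpc-1": GOOD, "rpc-2": GOOD, "rpc-3": FAKE}
# Healthy providers under denial of service, only the poisoned one answers.
UNDER_ATTACK = {"rpc-1": None, "rpc-2": None, "rpc-3": FAKE}

if __name__ == "__main__":
    for name, scenario in [("normal", NORMAL), ("one poisoned", ONE_POISONED),
                           ("under attack", UNDER_ATTACK)]:
        print(name, "| naive:", naive_failover(scenario), "| strict:", decide(scenario))
```

The check only helps if the configured providers are operated independently; three endpoints behind one vendor count as one source.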

Broader market impact

The consequences spread quickly beyond KelpDAO:

  • Lending protocol Aave is estimated to face roughly $177 million in bad debt, after stolen assets were supplied as collateral
  • Within 24 hours of the exploit, total value locked (TVL) in decentralized finance applications fell by around 7%, wiping out more than $9 billion in value

These knock-on effects highlighted the systemic risk created when large protocols run on minimal validation setups.

Disputes over security responsibility

Following the incident, parties involved in the ecosystem debated who should be accountable for security:

  • Some pointed to protocol-level guidance on recommended configurations
  • Others argued application teams bear responsibility for their chosen validation models and operational security

The lack of clear alignment over who owns security configuration decisions underscored a wider pattern: project teams often accept infrastructure defaults instead of performing independent risk assessments.

Structural risks in current configurations

LayerZero allows developers to customize how messages are validated, including:

  • Single-verifier (“1-of-1”) configurations
  • Multi-verifier m-of-n threshold systems (for example “2-of-3”)

However, Dune’s figures show many applications opt for lower-cost, low-redundancy setups. Analysts noted that any OApp using a single verifier or strict “n-of-n” models without diversity in operators is more exposed to:

  • Compromise of one infrastructure provider
  • Targeted denial-of-service attacks on the honest part of the network
  • Supply-chain attacks on validators and their data sources

Protocols that had deployed multi-signature validation with at least a “2-of-3” configuration were reportedly not vulnerable to this specific attack vector.
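To make the difference between these configurations concrete, the sketch below is an added example, not code from Dune, LayerZero or the original report. For an m-of-n verifier set it computes how many distinct operators must be compromised to approve a forged message and how many must be taken offline to stop verification; the app names, operator names and the `assess` function are hypothetical.

```python
from collections import Counter

def min_operators(verifier_operators, needed):
    """Fewest distinct operators that together run at least `needed` verifiers."""
    covered = 0
    # Greedy is optimal here: take the operators running the most verifiers first.
    sizes = sorted(Counter(verifier_operators).values(), reverse=True)
    for picked, size in enumerate(sizes, start=1):
        covered += size
        if covered >= needed:
            return picked
    raise ValueError("needed exceeds number of verifiers")

def assess(app, m, verifier_operators):
    """Rate an m-of-n set; verifier_operators[i] names who runs verifier i."""
    n = len(verifier_operators)
    if not 1 <= m <= n:
        raise ValueError(f"{app}: threshold {m} invalid for {n} verifiers")
    forge = min_operators(verifier_operators, m)         # reach the threshold
    halt = min_operators(verifier_operators, n - m + 1)  # make it unreachable
    findings = []
    if forge == 1:
        findings.append("one compromised operator can approve a forged message")
    if halt == 1:
        findings.append("one operator outage or DoS stops verification")
    return {"app": app, "scheme": f"{m}-of-{n}", "forge": forge,
            "halt": halt, "findings": findings}

# Constructed sample configurations (hypothetical apps and operators).
SAMPLES = [
    ("app-a", 1, ["op1"]),                # 1-of-1
    ("app-b", 2, ["op1", "op2"]),         # 2-of-2, independent operators
    ("app-c", 2, ["op1", "op1"]),         # 2-of-2, no operator diversity
    ("app-d", 2, ["op1", "op2", "op3"]),  # 2-of-3, independent operators
]

if __name__ == "__main__":
    for app, m, ops in SAMPLES:
        r = assess(app, m, ops)
        print(r["app"], r["scheme"], "forge:", r["forge"], "halt:", r["halt"],
              "|", "; ".join(r["findings"]) or "no single point of failure")
```

The 2-of-2 set run by one operator scores the same as 1-of-1, which is why counting verifiers alone understates the exposure.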

Implications for traders and users

The incident raised questions about transparency around security choices:

  • Most users and traders cannot easily see which validation model an application uses
  • Marketing often emphasizes the underlying protocol’s security, while individual app configurations get less attention

The KelpDAO exploit illustrated that the safety of cross-chain applications depends heavily on each project’s operational setup, not just on the base interoperability technology.

As a result, risk assessment for interacting with cross-chain and restaking systems increasingly hinges on:

  • Whether validation involves independent entities
  • The presence of redundancy (for example m-of-n rather than 1-of-1)
  • Resilience of infrastructure such as RPC providers and validator hosting

Next steps from the interoperability protocol

Following the exploit, the interoperability protocol’s team began contacting applications that rely on single-verifier setups. The outreach aims to:

  • Encourage migration from 1-of-1 configurations to more robust multi-signature models
  • Promote at least “2-of-3” or similar threshold schemes to reduce single-point-of-failure risk

The combination of Dune’s data and the KelpDAO breach is expected to push more projects to review their validation architectures and reconsider the trade-offs between cost, complexity and security.

