Kelp DAO Shifts Blame to LayerZero’s Default Configuration in $290 Million Security Fallout

Kelp DAO has formally challenged the LayerZero Foundation's public statements regarding responsibility for the catastrophic $290 million security incident that devastated the liquid staking protocol in April 2026. According to Kelp's official position released this week, LayerZero's pre-configured default settings—rather than inadequate implementation on Kelp's end—created the vulnerabilities that attackers exploited to drain the protocol's treasury. This assertion directly contradicts LayerZero's earlier characterization of the breach, intensifying what has become an acrimonious public dispute between two major decentralized finance infrastructure providers at a moment when the entire sector faces mounting trust deficits.

The security incident has already triggered cascading consequences across the broader DeFi ecosystem. Kelp DAO's original $292 million breach exposed structural vulnerabilities in DeFi's liquid staking infrastructure, and the fallout has extended far beyond the protocol itself. Major lending platforms including Aave have faced significant exposure, with analysts estimating potential losses exceeding $230 million across interconnected protocols. The incident has underscored a fundamental problem in the DeFi landscape: when core infrastructure components fail, the damage propagates through networks of interdependent protocols with alarming velocity.

To contextualize the current dispute, understanding LayerZero's role in the ecosystem is essential. LayerZero operates as a critical cross-chain messaging protocol, enabling communication and asset transfers between disparate blockchain networks. The infrastructure's security model depends heavily on configuration choices made by protocols that integrate with it. Kelp's assertion that LayerZero's default settings were inadequately configured for production use suggests a potential misalignment between the platform's out-of-the-box deployment parameters and the security requirements of protocols handling substantial user capital. This raises uncomfortable questions about whether infrastructure providers bear responsibility when their default configurations prove insufficient for protecting integrating protocols.

Market Implications

Industry analysts and security researchers have begun weighing in on the technical merits of each party's claims, though a clear consensus has not yet emerged. According to reports from blockchain security firms monitoring the situation, determining fault requires examining whether Kelp deviated from LayerZero's recommended security specifications or whether LayerZero's default recommendations were themselves flawed. The technical complexity of cross-chain messaging architecture means that responsibility often proves difficult to attribute cleanly. Some observers suggest that both parties share culpability—LayerZero for offering insufficient default security postures, and Kelp for potentially failing to implement additional protective measures beyond those defaults. The DeFi sector experienced a confidence crisis following the exploit, with a single $292 million incident triggering a $13 billion sector-wide withdrawal, demonstrating how fragile trust remains in the ecosystem.

The broader implications of this dispute extend beyond the immediate question of technical responsibility. The incident highlights a critical architectural vulnerability in DeFi's current design: the concentration of systemic risk in infrastructure layer decisions. When protocols depend on third-party cross-chain messaging platforms, security assumes a collaborative character—both parties must execute flawlessly. Yet the incentive structures rarely align perfectly. Infrastructure providers benefit from permissive default configurations that attract integration, while protocols integrating those infrastructures may prioritize deployment speed over comprehensive security audits. Kelp's public dispute with LayerZero reveals the tensions inherent in this model and suggests that the industry may need to fundamentally rethink how infrastructure security standards are established and enforced.

What to Watch

Moving forward, several critical developments warrant close monitoring. Regulatory scrutiny of both organizations will likely intensify, particularly given that user funds ultimately suffered the losses regardless of which party bears technical responsibility. LayerZero and Kelp may seek legal remedies, which could establish important precedents for infrastructure liability in decentralized systems. Additionally, other protocols currently integrated with LayerZero's infrastructure may conduct comprehensive security audits to determine whether they face similar vulnerabilities. The resolution of this dispute could substantially influence how future protocols approach infrastructure selection and configuration, potentially catalyzing industry-wide standards for default security settings. LayerZero has previously pointed to Kelp's configuration as the root cause of the exploit while also attributing elements to North Korean Lazarus Group involvement, adding complexity to the attribution question itself.