LayerZero Apologizes for Kelp DAO Response as Data Shows 47% of OApps Shared Vulnerable Setup

LayerZero has issued a public apology for its handling of the Kelp DAO exploit, acknowledging that its single-verifier configuration was deficient—a security weakness that data shows nearly half of all applications built on the protocol had adopted. The cross-chain messaging platform published a blog post Friday expressing regret for poor communication in the three weeks following the $292 million exploit, but the admission raises broader questions about systemic vulnerabilities across its ecosystem.

The scale of exposure is significant: according to Dune analytics from April, approximately 47% of LayerZero OApps were operating with the same default single-verifier setup that the protocol now concedes was inadequate. This configuration pattern suggests widespread reliance on LayerZero's default security architecture, which the company itself has acknowledged as flawed. The Kelp DAO incident, which resulted in $292 million in losses, has become a flashpoint for examining how many other applications may carry similar risk profiles.

The apology places pressure on LayerZero to demonstrate that its security model has been meaningfully strengthened. For developers and users across the cross-chain ecosystem, the incident underscores the risks of defaulting to standard configurations without independent security audits. The revelation that nearly half of OApps shared the deficient setup raises questions about how many applications remain exposed—and whether the protocol's communication delays have compounded trust concerns for projects building on its infrastructure.