🛑 LayerZero Admits Error in $292M Kelp Exploit
LayerZero acknowledged it "made a mistake" in the $292 million Kelp exploit, according to Coindesk. The protocol initially framed the incident as a developer configuration failure but now says it "owns" the decision to let its own verifier secure high-value transfers in a vulnerable setup.

KELP X Insight
I used to think Oracle was the biggest weakness of DeFi.
But after looking back at the actual damages, I realized that the problem is not only in Oracle.
Wrong Oracle is dangerous, but even if Oracle is right, the data can still be corrupted at the following stages.
Below are the damages caused by Oracle manipulation:
– In 2025: Oracle manipulation caused $8.8B in damage and ranked 2nd in OWASP Smart Contract Top 10
– April 2026: Total crypto damage reached $606.7M
– Of these, two cases related to Oracle manipulation, @KelpDAO ($293M) and @DriftProtocol ($285M), accounted for ~95% of the total loss of the whole month
– Other outstanding cases: @mangomarkets (2022) lost ~$117M, @rhea_finance (2026) lost $7.6M
When the price data is wrong, the damage does not stop at one place but spreads quickly through automatic mechanisms (liquidation, borrowing, rebalancing).
So Is Oracle the only Single Point of Failure?
Most DeFi protocols do not directly use raw data from Oracle. They query data that has been indexed and processed through intermediate layers (Subgraph, API, indexer...).
Clearly distinguish between the two classes:
– Oracle: Responsible for the original data source
– Data Infrastructure: Responsible for data being extracted, structured and provided accurately and promptly
Even if Oracle gives the correct data, if the indexing layer works poorly or slowly, the application can still receive the wrong or outdated data.
Fast Settlement + AI Agents are making the problem more serious:
– Blockchain shortens the settlement time to just a few seconds
– In TradFi, when there is a data error, there is still time to intervene. Not on blockchain
– AI agents are starting to trade and manage risks completely automatically
– When many agents react to the same wrong price data, the damage can spread extremely quickly because there is no human intervention in time
→ This is the reason why DTCC in the Great Collateral Experiment must use Subgraphs of @graphprotocol as a data layer.
Personally, I think that Oracle is not the only single point of failure. It is just a link in the data supply chain.
The real weakness lies in the entire Data Infrastructure, from collection, index, query, to the time when the application uses data.
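
An added example, not part of the original post or of any protocol's code: a pre-trade gate for the failure the post above describes, where the oracle is correct but the indexing layer serves an outdated value. The type names, thresholds and sample quotes are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Quote:
    """A price plus the block height it reflects (hypothetical type)."""
    price: float
    block: int


def gate_indexed_quote(indexed, oracle, head_block,
                       max_block_lag=5, max_deviation=0.02):
    """Return (ok, reasons). An automated agent acts only when ok is True.

    indexed: value served by the data layer (subgraph, API, indexer)
    oracle:  value read directly from the oracle
    head_block: current chain head as seen by the caller's own node
    """
    reasons = []
    lag = head_block - indexed.block
    if lag < 0:
        reasons.append("indexer reports a block ahead of the chain head")
    elif lag > max_block_lag:
        reasons.append(f"indexer is {lag} blocks behind head")
    if head_block - oracle.block > max_block_lag:
        reasons.append("oracle reading is stale")
    if indexed.price <= 0 or oracle.price <= 0:
        reasons.append("non-positive price")
    else:
        deviation = abs(indexed.price - oracle.price) / oracle.price
        if deviation > max_deviation:
            reasons.append(f"indexed price deviates {deviation:.1%} from oracle")
    return (not reasons, reasons)


# Constructed sample data: a healthy indexer and one that fell 40 blocks behind
# while the oracle price moved.
FRESH = (Quote(100.0, 1000), Quote(100.5, 1000), 1001)
STALE = (Quote(100.0, 960), Quote(92.0, 1000), 1000)

if __name__ == "__main__":
    for name, case in (("fresh", FRESH), ("stale", STALE)):
        ok, reasons = gate_indexed_quote(*case)
        print(name, "ACT" if ok else "HOLD", reasons)
```

The gate fails closed: any single reason is enough to hold the action, so a lagging indexer blocks the trade even when the oracle itself is correct.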

North Korean hackers drained $292M from KelpDAO.
The exploit: they DDoS'd the external nodes to force an automatic failover to two internal nodes they had already compromised.
Nearly 47% of apps on LayerZero are currently using this exact same default 1-of-1 verifier setup.