A significant breach of KelpDAO over the weekend rattled the decentralized finance world, wiping out an estimated $13 billion from the total value locked (TVL) across the sector. Unlike typical DeFi breaches, this attack exposed vulnerabilities within LayerZero’s verification systems rather than in traditional smart contracts.
What Led to the KelpDAO Compromise?
Early investigations suggest the breach could be the work of the Lazarus Group, known for its North Korean affiliations. KelpDAO’s reliance on a single validator appears to have been a major flaw, especially since experts had previously advised using multiple validators. As a result, KelpDAO’s rsETH staking token lost its backing, amplifying risk for lending platforms such as Aave, particularly its Ethereum pool.
How Has the Market Responded?
In the aftermath, user panic contributed to an $8.45 billion withdrawal from Aave within a short 48-hour window. DeFi assets plunged back to a one-year low in the mid-$80 billion range, illustrating the magnitude of the fallout.
Aave’s metrics in the weeks leading up to the breach showed rising risk, as rsETH was widely used for leveraged bets. When the breach began, around 580,000 rsETH tokens, valued at $1.3 billion, were held in Aave. The TVL drop vastly exceeded the $292 million in actual losses because leverage strategies count the same assets repeatedly, which multiplies the effect and accelerates market unwinding during crises.
• Aave’s yield on USDC deposits fell to 2.61%, causing a shift to higher risk-taking.
• DeFi’s resilience is evident as systems like Terra and Ronin have previously rebounded from losses.
• DeFiLlama forecasts rising risk premiums, indicating costlier on-chain capital retention in the future.
• Spark protocol increased TVL from $1.8 billion to $2.9 billion as it abandoned lower-demand tokens.
Although some pessimistically forecasted “the end of DeFi,” history shows the industry’s capacity to recover from even the most severe incidents, like Terra’s collapse or the Wormhole and Ronin exploits. DeFi’s sustained operations, despite Bybit’s massive $1.5 billion fall, demonstrate resilience.
Acknowledging the realignment needed, industry experts argue this upheaval underscores the necessity for innovative and secure DeFi products. The objective is to entice users to accept diverse risks for modest returns while ensuring robust systems can accommodate future challenges.



