Over the weekend, a severe cyberattack shook the decentralized finance (DeFi) landscape, with Kelp DAO, a key cross-chain bridge protocol, becoming the latest victim. The attackers managed to siphon off 116,500 rsETH, translating into a staggering $292 million loss, marking the largest DeFi attack of the year. Kelp DAO is instrumental in enabling asset transfers among blockchains, primarily focusing on Ethereum-based projects, and operates on the widely recognized LayerZero framework.
What Went Wrong?
The attack occurred on April 18, with hackers exploiting the decentralized verification network (DVN) at LayerZero Labs. By compromising two RPC nodes, the attackers carried out a denial-of-service attack, sending a fake cross-chain message that was incorrectly validated by the system, leading to an unauthorized transaction. The fallout resulted from Kelp DAO’s use of a single-verifier setup in the DVN, a critical vulnerability.
“LayerZero and other external parties previously provided best practice guidance on DVN diversification to the Kelp DAO team. Despite all these warnings, Kelp DAO continued to operate with a 1/1 DVN configuration.”
Was It Avoidable?
According to LayerZero’s detailed report, the singular-verifier structure was a glaring weakness. Kelp DAO responded, stating that they followed the default setup outlined in LayerZero’s guidelines and had ongoing communication regarding the setup. Despite the warnings, Kelp DAO’s persistence with the existing configuration was due to the protocol being listed as default and approved in prior exchanges.
With the attack underway, Kelp DAO swiftly initiated a detailed investigation, immediately blacklisting the hacker’s wallets and pausing operations on pertinent smart contracts. These measures were imperative in limiting the escalation of the situation, and judicious steps are in motion to restart functionalities.
Ripple Effects on Aave
The incident’s impact extended to the Aave V3 protocol, where a large chunk of the stolen rsETH was used as collateral by the attacker, leading to loans of 82,650 WETH and 821 wstETH. This poses a looming risk of unmanageable debt within Aave.
In addressing the crisis, Aave highlighted that the attacker utilized approximately $221 million worth of rsETH for significant loans. With no clear pathway from Kelp DAO on addressing losses, Aave has charted out two potential outcomes.
- If losses are spread across networks, a 15.12% devaluation may result, generating up to $123.7 million in bad debt.
- If only Layer 2 assets bear the brunt, losses could surge to 73.54%, with bad debt reaching $230.1 million.
Aave stated, “The final scenario is contingent upon Kelp DAO’s accounting resolutions and LRTOracle ratio amendments.” Meanwhile, with $181 million in assets and additional backing from the community, Aave is preparing for different contingencies.
The incident underlines the vulnerabilities within the DeFi systems and highlights the critical importance of robust security protocols and diversified verification processes. As Kelp DAO and associated networks grapple with the aftermath, the broader industry looks to learn pivotal lessons from this breach.
