Over the weekend, a significant security flaw emerged within the bridge systems of KelpDAO and LayerZero, leaving decentralized finance trailblazer Aave in a precarious situation with potential financial losses amounting to a staggering $230 million. The issue was traced to vulnerabilities in how cross-chain transfers were handled, leading to severe potential repercussions for Aave.
What triggered the security breach?
In a comprehensive analysis presented on Aave’s governance forum by Aave Labs and LlamaRisk, the incident largely involved rsETH, which is a liquid restaking asset generated by KelpDAO. The core of the issue lies in cross-blockchain transfers, involving locking a token on one network while creating a counterpart on another network. Through a sophisticated manipulation, the attacker managed to conduct fraudulent transaction requests. This allowed new rsETH to be minted even when the original tokens were not actually removed from the source network.
How did the malicious actor capitalize on the breach?
Avoiding immediate liquidation, the perpetrator decided to deposit 89,567 fake rsETH into Aave as security and subsequently acquired loans totaling $190 million in ETH and other virtual currencies across the Ethereum and Arbitrum networks. This maneuver created a facade of adequate collateral, while the actual financial foundations were highly unstable.
“Within hours of the attack, we froze rsETH markets, suspended lending activity, and set collateral ratios for the asset to zero,” said Aave Labs in detailing their immediate response to the breach.
Aave promptly halted all functionalities related to rsETH to prevent further exploitation. Additional safety measures were rapidly adopted to curb any further lending activities using rsETH as collateral.
What will dictate the extent of the financial damage?
The full extent of the damage hinges on the actions taken by KelpDAO to rectify the discovered vulnerability. If the impact is widespread among rsETH holders, the token’s valuation could decline by approximately 15%, potentially creating $124 million in irrecoverable loans for Aave. However, if the repercussions remain confined to Layer 2 environments, losses could nearly reach $230 million across Arbitrum and Mantle networks.
Experts identified the root cause of the issue as insufficient verification processes for transfer messages in KelpDAO’s LayerZero protocol usage. While the protocol’s main framework wasn’t directly breached, the situation revealed problems in message-level trust processes.
- Aave’s total value locked (TVL) suffered a $6 billion reduction, highlighting fears of credibility loss and platform vulnerability.
- Discussions are ongoing about using Aave DAO’s $181 million treasury to potentially recoup the losses.
- KelpDAO has not yet detailed any strategy for addressing the deficit among its users.
As interconnected blockchain platforms proliferate, this incident stresses the necessity for perpetual vigilance in securing bridge and messaging systems to avert similar threats in the evolving DeFi landscape.
