LayerZero says Kelp's setup caused the exploit as Aave loss questions mount
An inadequate configuration of Kelp's Decentralized Verification Network (DVN) on the communication protocol LayerZero allowed malicious actors to steal $290 million from Kelp DAO, with early indications pointing to threat actors linked to North Korea.
An attacker drained 116,500 restaked ETH (rsETH), worth an estimated $293 million at the time, from the LayerZero-based rsETH bridge operated by Kelp DAO on Saturday.
LayerZero said last Monday that the exploit stemmed from a single point of failure in Kelp's setup, which appears to have relied on a LayerZero DVN as its only verification route, despite LayerZero's past recommendations.
“LayerZero and other external parties have previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO has chosen to use a 1/1 DVN configuration.”
In practice, that meant Kelp relied on a single verifier to authenticate cross-chain messages, rather than requiring multiple independent checks.
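What "multiple independent checks" means can be measured on a configuration. The following is an added example, not code from LayerZero or Kelp: it uses a simplified, assumed model (every required verifier plus a threshold of optional verifiers must attest) with hypothetical verifier and operator names, and counts how many distinct operators must fail before an unverified message is accepted.

```python
from itertools import combinations

def min_operator_failures(required, optional, optional_threshold):
    """Smallest number of distinct operators whose failure or compromise
    lets an unverified message through.

    required / optional map verifier name -> operator running it (assumed
    model): a message is accepted once every required verifier and at least
    `optional_threshold` optional verifiers have attested to it.
    """
    if optional_threshold > len(optional):
        raise ValueError("threshold exceeds number of optional verifiers")
    operators = sorted(set(required.values()) | set(optional.values()))
    for k in range(len(operators) + 1):
        for group in combinations(operators, k):
            failed = set(group)
            required_ok = all(op in failed for op in required.values())
            optional_hits = sum(op in failed for op in optional.values())
            if required_ok and optional_hits >= optional_threshold:
                return k
    return len(operators)  # not reached: the full operator set always passes


def audit(configs, floor=2):
    """Return {app: (min_failures, flagged)}; flagged means below `floor`."""
    report = {}
    for app, cfg in configs.items():
        k = min_operator_failures(cfg["required"], cfg.get("optional", {}),
                                  cfg.get("optional_threshold", 0))
        report[app] = (k, k < floor)
    return report


# Constructed sample configurations (hypothetical apps and operators).
SAMPLE_CONFIGS = {
    "one-of-one": {"required": {"dvn-1": "operator-A"}},
    "two-dvns-same-operator": {
        "required": {"dvn-1": "operator-A", "dvn-2": "operator-A"}},
    "two-independent": {
        "required": {"dvn-1": "operator-A", "dvn-2": "operator-B"}},
    "one-required-two-of-three": {
        "required": {"dvn-1": "operator-A"},
        "optional": {"dvn-2": "operator-B", "dvn-3": "operator-C",
                     "dvn-4": "operator-D"},
        "optional_threshold": 2},
}

if __name__ == "__main__":
    for app, (k, flagged) in audit(SAMPLE_CONFIGS).items():
        print(f"{app}: {k} operator failure(s) needed"
              + ("  <-- single point of failure" if flagged else ""))
```

Two verifiers run by the same operator are flagged just like a 1/1 setup, because the count is taken over operators rather than verifier entries.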
Focus quickly shifted from the exploit's technical cause to the question of who should absorb the losses, as the fallout spread to Aave, where the attacker used rsETH as collateral to borrow real liquidity.
Aave's total value locked (TVL) had fallen by $8.9 billion to $17.5 billion at the time of writing, after the exploiter used the stolen funds to borrow on Aave, leaving it with about $195 million in “bad debt” and leading to withdrawals from the lending protocol.
LayerZero said Kelp's rsETH bridge relied solely on LayerZero Labs' DVN, and argued that the incident reflected an insecure application configuration rather than a breach of LayerZero itself. The company said it is now encouraging all applications to migrate from 1/1 DVN to multi-DVN configurations, and will stop signing or verifying messages for apps with a single-verifier design.
Blame war over losses follows $290 million Kelp exploit
With no recovery or compensation plan yet announced, users and market observers have spent time debating whether losses should fall on Kelp DAO, LayerZero, Aave or rsETH holders.
According to Yishi Wang, founder and CEO of open-source hardware wallet OneKey, the best way forward is to negotiate with the hacker, offer a 10% to 15% bounty and get the bulk of the money back.
“If the deal fails, the LayerZero ecosystem fund will have to foot the bill – it has very deep pockets and very long skin in the game,” the founder wrote in Monday's X post, adding that Kelp DAO is “broken” and can fix it with tokens and future earnings, or consider selling the project.
0xngmi, the pseudonymous founder of analytics platform DefiLlama, listed three solutions: “socialize” losses among all users, “rug rsETH holders on L2s” or try to restore holder balances to a pre-hack snapshot, which is “very hard to do,” he wrote in a Monday X post.

Cointelegraph reached out to Aave for comment, but did not receive a response by press time.
Exploit raises liquidity risks on Aave
Liquidity for Ether (ETH), the lending protocol's main collateral, has dropped sharply on Aave as investors worry about the Kelp exploit.
This represents a critical security risk, as ETH collateral cannot be verified when the low-liquidity markets are 100% leveraged, said MoneySupply, the anonymous head of strategy at rival lending protocol Spark, in a Saturday X post.
“With the current state of illiquidity on Aave, a 15-20% drop in ETHUSD prices could result in a significant accumulation of debt (from issues directly attributable to rsETH exploitation),” he said.

Aave claims to have immediately frozen all rsETH in Aave V3 and V4, preventing further damage. Aave's own smart contracts were not exploited.



