LayerZero says Kelp’s configuration caused the exploit as questions arise about Aave losses


Interoperability protocol LayerZero says an improper configuration of Kelp’s decentralized validator network (DVN) setup allowed malicious actors to steal $290 million from Kelp DAO, adding that initial indications point to threat actors linked to North Korea.

The attacker drained approximately 116,500 Restaked ETH (rsETH), worth approximately $292-293 million at the time, from Kelp DAO’s LayerZero-powered rsETH bridge on Saturday.


LayerZero said on Monday that the exploit resulted from a single point of failure in Kelp’s configuration, which relied on LayerZero’s single DVN as its only verification path, even though LayerZero had previously advised them against doing so.

“LayerZero and other third parties have previously provided KelpDAO with best practices for DVN diversification. Despite these recommendations, KelpDAO has elected to use a 1/1 DVN configuration.”

In practice, this meant that Kelp relied on a single cross-chain message verification path, rather than requiring multiple independent checks.

The focus quickly moved from the technical details of the exploit to who should bear the losses, and the effects spread to Aave, where the attacker used rsETH as collateral to borrow real liquidity.

Aave’s total value locked (TVL) has dropped by approximately $8.9 billion to $17.5 billion at the time of writing, after the exploiter used stolen funds to take out a loan on Aave, leaving approximately $195 million in “bad debt” and triggering withdrawals from the lending protocol.

Source: LayerZero

LayerZero said Kelp’s rsETH bridge relied solely on LayerZero Labs’ DVN and argued that the incident reflected an insecure application configuration rather than a compromise of LayerZero itself. The company stated that it is now urging all applications using a 1/1 DVN configuration to migrate to a multi-DVN configuration and will discontinue message signing or confirmation for applications that retain the single-verifier design.
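The single-verifier risk described above can be checked mechanically. The following is an added example, not code from LayerZero, Kelp or this article: it audits cross-chain pathway configurations and reports how many independent operators would have to be compromised before a forged message is accepted. The model (required verifiers plus an optional threshold) and all class, field and pathway names are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Verifier:
    name: str
    operator: str  # entity running it; same operator means not independent

@dataclass
class Pathway:
    name: str
    required: list                                # all of these must attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0                   # how many optional ones must attest

def min_operators_to_forge(p):
    """Fewest distinct operators an attacker must control to get a message verified."""
    if p.optional_threshold > len(p.optional):
        raise ValueError(f"{p.name}: threshold exceeds optional verifier count")
    owned = {v.operator for v in p.required}
    # Optional verifiers run by an already-compromised operator come for free.
    need = p.optional_threshold - sum(v.operator in owned for v in p.optional)
    groups = Counter(v.operator for v in p.optional if v.operator not in owned)
    count = len(owned)
    for _, size in groups.most_common():  # largest operators first is optimal
        if need <= 0:
            break
        need -= size
        count += 1
    return count

def audit(pathways, minimum=2):
    """Return (pathway, operators_needed) for every pathway below the minimum."""
    results = [(p.name, min_operators_to_forge(p)) for p in pathways]
    return [(name, n) for name, n in results if n < minimum]

# Constructed sample configurations (not taken from any real deployment).
A, A2 = Verifier("dvn-a", "op-a"), Verifier("dvn-a2", "op-a")
B, C, D = Verifier("dvn-b", "op-b"), Verifier("dvn-c", "op-c"), Verifier("dvn-d", "op-d")
SAMPLE = [
    Pathway("chain1->chain2", required=[A]),          # 1/1: single verifier
    Pathway("chain1->chain3", required=[A, A2]),      # two verifiers, one operator
    Pathway("chain1->chain4", required=[A], optional=[B, C, D], optional_threshold=2),
]

if __name__ == "__main__":
    for name, n in audit(SAMPLE):
        print(f"{name}: forged message needs only {n} compromised operator(s)")
```

The second sample pathway shows why counting verifiers is not enough: two verifiers run by the same operator are still a single point of failure.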

Losses spark a blame battle following the $290 million Kelp exploit

With no recovery or compensation plan announced yet, users and market observers spent Monday debating whether the losses should be borne by Kelp DAO, LayerZero, Aave or rsETH holders.

Yishi Wang, founder and CEO of open-source hardware wallet OneKey, said the best path is to negotiate with the hacker, offer a reward of 10% to 15% and recover most of the funds.

“If negotiations fail, LayerZero’s ecosystem fund should foot most of the bill – it has the deepest pockets and the most long-term skin in the game,” the founder wrote in a Monday X post, adding that Kelp DAO is “broke” and may make up for it with tokens and future revenue or consider selling the project.

The pseudonymous founder of the DeFiLlama analytics platform, 0xngmi, presented three solutions, including the option to “socialize” the losses among all users, “put rsETH holders on L2” or try to restore the holders’ balance to a pre-hack snapshot, which would be “very difficult to do,” he wrote in Monday’s X post.

Source: 0xngmi

Cointelegraph reached out to Aave for comment but did not receive a response by publication.


The exploit increases liquidation risk on Aave

Investor concerns about the Kelp exploit have significantly reduced liquidity on Aave for Ether (ETH), the lending protocol’s primary collateral asset.

This low liquidity poses a “critical security risk where ETH collateral liquidation cannot occur when markets are 100% leveraged,” MoneySupply, the pseudonymous head of strategy at Aave competitor lending protocol Spark, said in a Saturday post.

“With the current lack of liquidity on Aave, a 15-20% drop in the ETHUSD price could result in significant bad debt accumulation (in addition to any potential issues related to a direct rsETH exploit),” he said.

Source: MoneySupply

Aave said it immediately froze all rsETH in Aave V3 and V4, preventing further damage. Aave’s smart contracts were not exploited.


Cointelegraph is committed to independent and transparent journalism. This news article has been produced in accordance with Cointelegraph’s Editorial Policy and is intended to provide accurate and up-to-date information. Readers are encouraged to verify the information themselves. Read our Editorial Policy: https://cointelegraph.com/editorial-policy