A single configuration failure cascaded into one of the largest liquidity shocks in decentralized finance (DeFi). The KelpDAO exploit, a theft of USD 290 million targeting rsETH, caused a market-wide panic that resulted in a loss of total value locked (TVL) of more than USD 13 billion across DeFi protocols in a two-day period.
Aave, the largest lending protocol, suffered a TVL collapse of more than USD 8 billion as users tried to withdraw collateral or repay loans. Aave also crashed around 18% following the bad debt triggered by the rsETH exploit on KelpDAO, raising serious concerns about collateral quality and the exposure these protocols carry. The Aave token is trading at USD 93,20 at the time of writing.

How the KelpDAO Exploit Unfolded
The KelpDAO exploit started when an attacker targeted KelpDAO’s rsETH, a liquid restaking token. KelpDAO had configured its LayerZero Omnichain Application (OApp) with only one Decentralized Verifier Network (DVN), leaving it with no backup if something went wrong. Best practice dictates that multiple independent DVNs operate together to provide redundancy.
The attacker (most likely Lazarus Group) targeted the insecure Remote Procedure Call (RPC) infrastructure downstream from the LayerZero Labs DVN and used a sophisticated RPC spoofing attack to craft false cross-chain messages. They launched a Distributed Denial-of-Service (DDoS) attack on the uncompromised RPCs, forcing a failover to poisoned nodes that then passed bogus transaction data to the DVN.

LayerZero stated that the “protocol itself functioned exactly as intended” and that there was “no contagion to any of the other assets or applications,” meaning the incident was confined to KelpDAO and its premature single-DVN configuration. They explained that a properly secured, hardened multi-DVN setup at KelpDAO would have defeated the attack.
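
The single-DVN weakness described above can be modelled in a few lines. This Python sketch is an added example, not LayerZero or KelpDAO code; the DVN class, the required/optional threshold check, the nonces and the payloads are constructed assumptions. It shows a forged message being accepted under a 1/1 setup and rejected once an independent verifier must agree.

```python
"""Toy model of DVN threshold verification (constructed; not LayerZero code)."""
import hashlib

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

class DVN:
    """A verifier that attests to whatever its own RPC view of the source chain reports."""
    def __init__(self, name, rpc_view):
        self.name = name
        self.rpc_view = rpc_view  # nonce -> payload bytes, as seen through this DVN's RPCs

    def attest(self, nonce):
        payload = self.rpc_view.get(nonce)
        return payload_hash(payload) if payload is not None else None

def verify(nonce, claimed, required, optional=(), optional_threshold=0):
    """Accept only if every required DVN, and enough optional DVNs, attest to the claimed hash."""
    want = payload_hash(claimed)
    if not required or not all(d.attest(nonce) == want for d in required):
        return False
    agree = sum(1 for d in optional if d.attest(nonce) == want)
    return agree >= optional_threshold

def audit(required, optional=(), optional_threshold=0):
    """Flag configurations in which one verifier alone decides acceptance."""
    effective = len(required) + optional_threshold
    return "SINGLE_POINT_OF_FAILURE" if effective <= 1 else "OK"

# Constructed sample data: nonce 41 exists on the source chain, nonce 42 does not.
LEGIT = b"constructed: bridge 1 rsETH to addr-A"
FORGED = b"constructed: bridge 100000 rsETH to addr-X"
HONEST_VIEW = {41: LEGIT}
POISONED_VIEW = {41: LEGIT, 42: FORGED}  # what poisoned RPC nodes report

def scenarios():
    dvn_a = DVN("dvn-a", POISONED_VIEW)  # its RPC failover landed on poisoned nodes
    dvn_b = DVN("dvn-b", HONEST_VIEW)    # independent operator with independent RPCs
    dvn_c = DVN("dvn-c", HONEST_VIEW)
    return {
        "forged, 1/1": verify(42, FORGED, [dvn_a]),
        "forged, 2/2": verify(42, FORGED, [dvn_a, dvn_b]),
        "forged, 1 required + 1-of-2 optional": verify(42, FORGED, [dvn_a], [dvn_b, dvn_c], 1),
        "legit, 2/2": verify(41, LEGIT, [dvn_a, dvn_b]),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The redundancy only helps if the additional DVNs do not share the same RPC providers; two verifiers reading from the same poisoned nodes would agree on the forged payload.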

AAVE and Wider Market Impact
Despite the exploit being isolated, the psychological shock was severe. For example, Aave’s total value locked (TVL) fell from about USD 26 billion to USD 17 billion after users lost confidence. The entire DeFi space saw its total TVL drop by USD 13 billion, from approximately USD 130 billion down to USD 117 billion. Furthermore, within the crypto space, there were also large forced liquidations and big sell-offs of positions in rsETH, resulting in losses for users with leveraged strategies.

What KelpDAO and LayerZero Are Doing
- LayerZero Labs’ DVN is currently operating; the company will not be signing messages for any application utilizing a 1/1 DVN.
- LayerZero is working with all of its integrators that are using single-DVN setups so that they switch to multi-DVN configurations.
- Law enforcement agencies are now involved in the case, and LayerZero is working with Seal911 to track funds.
- KelpDAO has acknowledged the event but has not yet completed a post-mortem of what happened.

Meanwhile, onchain analyst ZachXBT has identified the addresses the attacker used via Tornado Cash.
