Skip to content

KelpDAO Exploit Triggers $290 Million DeFi Wipeout, AAVE Loses $6 Billion in TVL

Cartoon KelpDao and Aave logos with hands grabbing them. KelpDAO Exploit Triggers $290 Million DeFi Wipeout, AAVE Loses $6 Billion in TVL

A single configuration failure cascaded into one of the largest liquidity shocks in decentralized finance (DeFi). The KelpDAO exploit, a theft of USD 290 million targeting rsETH, caused a market-wide panic that resulted in a loss of total value locked (TVL) of more than USD 13 billion across DeFi protocols in a two-day period. 

The AAVE protocol, the largest lending protocol, suffered an over USD 8 billion collapse in TVL as users tried to withdraw collateral or return loans. Also,  the Aave crashed around 18% following the bad debt triggered by the rsETH exploit on kelpDAO, raising serious concerns about collateral quality and the exposure these protocols are exposed to. The Aave token is trading at USD 93,20 at the time of writing.

KelpDAO Exploit Triggers $290 Million DeFi Wipeout, AAVE Loses $6 Billion in TVL: A sophisticated attack on rsETH's single-DVN setup cascaded into a market-wide panic, erasing billions across lending protocols.
AAVE token price chart. (Source: TradingView)

How the KelpDAO Exploit Unfolded

The KelpDAO exploit started when an attacker targeted KelpDAO’s rsETH, which was being used as a liquid restaking token. They did so by only setting up one Decentralized Verifier Network (DVN) with their LayerZero Omnichain Application (OApp), thus leaving them with no backup if something went wrong. Best practice dictates that multiple independent DVNs are required to operate in order to allow redundancy of operation.

The attacker (most likely Lazarus Group) targeted the insecure Remote Procedure Call (RPC) infrastructure downstream from the LayerZero Labs DVN and created a sophisticated RPC Spoofing attack to craft false cross-chain messages. They initiated a Distributed Denial-of-Service (DDoS) attack on the uncompromised RPCs, creating a failover to poisoned nodes that then passed bogus transaction data to the DVN.

KelpDAO Exploit Triggers $290 Million DeFi Wipeout, AAVE Loses $6 Billion in TVL: A sophisticated attack on rsETH's single-DVN setup cascaded into a market-wide panic, erasing billions across lending protocols.
DVN configuration checklist. (Source: LayerZero Integration Checklist)

LayerZero agreed that the “protocol itself functioned exactly as intended” and that there was “no contagion to any of the other assets or applications,” meaning the incident was solely confined to the situation at KelpDAO with their premature configuration as a single DVN. They explained that if KelpDAO had had a properly secured, hardened multi-DVN setup, they would have been able to defeat the attack.

AAVE and Wider Market Impact

Despite the exploit being isolated, the psychological shock was severe. For example, Aave’s total value locked in (TVL) fell from about USD 26 billion to USD 17 billion after users lost confidence. The entire DeFi space saw its total TVL drop by USD 13 billion from approximately USD 130 billion down to UDS $117 billion. Furthermore, within the crypto space, there were also large forced liquidations and big sell-offs of positions in rsETH, resulting in losses for users with leveraged strategies.

KelpDAO Exploit Triggers $290 Million DeFi Wipeout, AAVE Loses $6 Billion in TVL: A sophisticated attack on rsETH's single-DVN setup cascaded into a market-wide panic, erasing billions across lending protocols.
The AAVE protocol has lost over USD 8 billion after the KelpDAO exploit.

What KelpDAO and LayerZero Are Doing

  • LayerZero Labs’ DVN is currently operating; the company will not be signing messages for any application utilizing a 1/1 DVN. 
  • LayerZero is working with all of its integrators that are using single-DVN setups so that they switch to multi-DVN configurations. 
  • To this point, there are law enforcement agencies involved in the case, and LayerZero is working with Seal911 to track funds. 
  • KelpDAO has not yet completed a post-mortem of what happened and has acknowledged the event.

Nevertheless, onchain analyst ZachXBT has identified the addresses the attacker used via Tornado Cash. 

KelpDAO Exploit Triggers $290 Million DeFi Wipeout, AAVE Loses $6 Billion in TVL: A sophisticated attack on rsETH's single-DVN setup cascaded into a market-wide panic, erasing billions across lending protocols.
Source: ZachXBT Telegram channel.

Final Take

One protocol did not follow LayerZero's guidance on using multiple DVNs. This lapse was taken advantage of by one state-sponsored hacker. As a result, USD 290 million was taken, USD 13 billion was lost from the TVL in DeFi, and AAVE holders have seen a total depreciation of over 8 billion. The technical term for this is "single point of failure." The common term is "disaster."  Always diversify your verifiers.

Disclaimer: All content provided on Times Crypto is for informational purposes only and does not constitute financial or trading advice. Trading and investing involve risk and may result in financial loss. We strongly recommend consulting a licensed financial advisor before making any investment decisions.

A Web3 Journalist at TimesCrypto with a knack for turning complex ideas into engaging stories. With a solid Tech background, Alan has led teams to create and refine impactful projects across industries, working in firms such as IBM, Cisco Systems, and Telecom. He’s passionate about Blockchain, Finance, Science, bringing a unique blend of technical expertise and creative flair to every piece he writes. When he’s not crafting content, you’ll find him diving deep into research or just having some fun!

Zoomable Image