
Intricate Cyber Heist on Kelp DAO Reveals Security Shortfalls


LayerZero has disclosed details of the recent cyber heist on Kelp DAO, describing how the breach was carried out. The North Korea-linked Lazarus Group, in particular its TraderTraitor division, is suspected of engineering the hack. The attackers targeted Kelp DAO’s cross-chain bridge operating on LayerZero and stole 116,500 rsETH tokens, valued at around $292 million. This incident ranks as the largest DeFi hack in 2024 to date.

What makes Kelp DAO vulnerable?

The breach exposed a critical vulnerability within Kelp DAO’s system. Attackers obtained the list of RPC nodes used by LayerZero Labs’ validation network and compromised two of them, which allowed them to inject fake messages into the system. A simultaneous DDoS attack on the other active nodes forced the system to rely solely on the compromised nodes for validation.

Kelp DAO relied on a single validation node (a 1/1 DVN setup), so compromising that one verification path was enough for the breach to succeed. LayerZero remarked that, despite being alerted to such risks, Kelp DAO had not upgraded its infrastructure.

“Because there was no independent second validator, the fake message was easily accepted. Both LayerZero’s own team and external experts had previously urged designs with multiple DVNs, but Kelp DAO persisted with its single-node model,” their statement emphasized.

LayerZero assured that other applications remain unaffected, as those with multiple validators have immunity to such breaches. Investigations are ongoing, involving various law enforcement bodies to trace the misappropriated funds.
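To make the difference between a 1/1 DVN setup and a multi-DVN setup concrete, here is a simplified threshold-verification model. It is an added example, not LayerZero's or Kelp DAO's code; the DVN names, payloads, the `VerifierConfig` fields and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

def payload_hash(payload: bytes) -> str:
    # SHA-256 is a stand-in for whatever digest the real protocol uses (assumption).
    return hashlib.sha256(payload).hexdigest()

@dataclass(frozen=True)
class VerifierConfig:  # hypothetical model, not LayerZero's actual config type
    required: tuple = ()         # every DVN named here must attest
    optional: tuple = ()         # extra DVNs counted toward a threshold
    optional_threshold: int = 0  # how many optional DVNs must also agree

def attest(views: dict) -> dict:
    """Each DVN hashes the payload it sees through its own RPC nodes.
    A view of None models a DVN that could not reach any node (e.g. under DDoS)."""
    return {dvn: payload_hash(p) for dvn, p in views.items() if p is not None}

def is_verified(cfg: VerifierConfig, attestations: dict, claimed: str) -> bool:
    if not cfg.required and cfg.optional_threshold < 1:
        return False  # an empty policy must never verify anything
    agree = {dvn for dvn, h in attestations.items() if h == claimed}
    # Fail closed: a silent or dissenting required DVN blocks delivery.
    if any(dvn not in agree for dvn in cfg.required):
        return False
    return sum(dvn in agree for dvn in cfg.optional) >= cfg.optional_threshold

def evaluate(cfg: VerifierConfig, views: dict, claimed_payload: bytes) -> bool:
    return is_verified(cfg, attest(views), payload_hash(claimed_payload))

# Constructed sample data: what the source chain really holds vs. a forged message.
HONEST = b"nonce=7|release=0"
FORGED = b"nonce=7|release=116500"
# dvn_a reads from poisoned RPC nodes; dvn_b and dvn_c use independent, honest ones.
VIEWS = {"dvn_a": FORGED, "dvn_b": HONEST, "dvn_c": HONEST}

ONE_OF_ONE = VerifierConfig(required=("dvn_a",))
TWO_REQUIRED = VerifierConfig(required=("dvn_a", "dvn_b"))
ONE_PLUS_QUORUM = VerifierConfig(required=("dvn_a",), optional=("dvn_b", "dvn_c"),
                                 optional_threshold=1)

if __name__ == "__main__":
    for name, cfg in [("1/1", ONE_OF_ONE), ("2 required", TWO_REQUIRED),
                      ("1 required + 1-of-2 optional", ONE_PLUS_QUORUM)]:
        print(f"{name:30} forged message accepted: {evaluate(cfg, VIEWS, FORGED)}")
```

With one poisoned DVN, the stricter configurations also refuse the genuine message: they trade liveness for safety, so a stalled bridge rather than a forged delivery is the expected failure mode.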

How did it affect Aave?

The breach’s impact rippled into Aave’s ecosystem as the attacker transferred stolen rsETH tokens to Aave V3, borrowing substantial WETH. This action created bad debt in Aave’s markets, prompting the freezing of rsETH markets on Aave V3 and V4 to curb potential fallout.

Stani Kulechov, founder of Aave, explained, “rsETH is now frozen on both V3 and V4; borrowing is disabled, and the event originated outside of Aave via the Kelp DAO bridge. As of now, Aave has no further exposure to rsETH.”

Subsequently, Aave’s TVL faced a staggering drop from $45.8 billion to $35.7 billion, prompting community leader Marc Zeller to advise swift WETH withdrawals.

- **DeFi projects adopting LayerZero’s protocols ceased interaction with affected bridges as a precautionary step.**
- **Dominant platforms including Ethena, ether.fi, Tron DAO, and Curve Finance also halted operations.**
- **DeFiLlama records a 7% shrink in the industry’s total value locked within a day, dipping to $86.3 billion.**

This incident underscores the festering vulnerabilities in DeFi infrastructure, prompting industry experts to urge reevaluation of security layers. Recent hacks emphasize the need to weigh potential returns against the inherent risks. Allies in DeFi now seek innovative advancements in risk management, signaling a turn toward robust system alternatives.

Disclaimer: The information contained in this article does not constitute investment advice. Investors should be aware that cryptocurrencies carry high volatility and therefore risk, and should conduct their own research.
