LayerZero has published details of the recent large-scale attack on Kelp DAO. The technical investigation indicates that the North Korea-linked Lazarus Group, more specifically its TraderTraitor unit, may be behind the incident, which relied on advanced techniques. The attack targeted Kelp DAO’s cross-chain bridge running on the LayerZero infrastructure, and a total of 116,500 rsETH tokens were lost. The monetary value of that amount is calculated at approximately 292 million dollars. This loss stands out as the biggest attack in the field of decentralized finance (DeFi) in 2024.
The attack stemmed from a single point of failure
According to the technical details, the attackers obtained the list of RPC nodes used in LayerZero Labs’ decentralized verification network. They then interfered with two RPC nodes, allowing a fraudulent message to be transmitted to the cross-chain verification system. Simultaneously, a distributed denial-of-service (DDoS) attack was launched against the nodes that remained operational, forcing the verification network to rely only on messages from the poisoned nodes.
Because Kelp DAO worked with only a single verifier (a 1/1 DVN configuration), the fraudulent message could pass directly into the system. In its statement following the incident, LayerZero said that Kelp DAO knew the risks of choosing this structure but did not change its system.
“Since there was no independent second authenticator, the fake message was easily introduced into the system. In the past, both the LayerZero team and external stakeholders had warned against multiple DVN design. Kelp DAO insisted on the 1/1 DVN model,” the statement read.
LayerZero underlined that there is no risk of this attack spreading to other assets or applications. The company stated that applications working with a multi-authentication network can continue to operate normally. It also said that it will not provide support for systems that do not use more than one validator. The investigation is being carried out jointly with more than one law enforcement agency, and the stolen funds have been traced.
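The failure mode described above can be reproduced in a small model. This is an added illustration, not LayerZero or Kelp DAO code: the class names, the hash strings and the `min_rpc_agreement` setting are hypothetical, and the RPC quorum case is an assumption that goes beyond what the statement describes.

```python
from dataclasses import dataclass

GENUINE = "hash-of-real-packet"    # constructed sample values
FORGED = "hash-of-forged-packet"

@dataclass(frozen=True)
class RpcNode:
    name: str
    reachable: bool       # False models a node knocked offline by the DDoS
    reported_hash: str    # packet hash this node claims the source chain emitted

@dataclass(frozen=True)
class Dvn:
    name: str
    rpc_nodes: tuple
    min_rpc_agreement: int = 1   # assumption: reachable nodes needed before attesting

    def attest(self):
        """Return the hash this verifier vouches for, or None (fail closed)."""
        seen = [n.reported_hash for n in self.rpc_nodes if n.reachable]
        if len(seen) < self.min_rpc_agreement or len(set(seen)) != 1:
            return None
        return seen[0]

def accepted(message_hash, dvns, required):
    """Deliver only if at least `required` verifiers attest to this exact hash."""
    votes = sum(1 for d in dvns if d.attest() == message_hash)
    return votes >= required

def scenario():
    # Verifier A: two poisoned nodes answer, two honest nodes are unreachable.
    nodes_a = (RpcNode("a1", True, FORGED), RpcNode("a2", True, FORGED),
               RpcNode("a3", False, GENUINE), RpcNode("a4", False, GENUINE))
    # Verifier B: independent operator with its own, unaffected nodes.
    nodes_b = (RpcNode("b1", True, GENUINE), RpcNode("b2", True, GENUINE))
    dvn_a, dvn_b = Dvn("dvn-a", nodes_a), Dvn("dvn-b", nodes_b)
    strict_a = Dvn("dvn-a", nodes_a, min_rpc_agreement=3)
    return {
        "1/1": accepted(FORGED, [dvn_a], required=1),
        "2/2": accepted(FORGED, [dvn_a, dvn_b], required=2),
        "1/1 with RPC quorum": accepted(FORGED, [strict_a], required=1),
    }

if __name__ == "__main__":
    for config, delivered in scenario().items():
        print(f"{config}: forged message delivered = {delivered}")
```

Only the 1/1 configuration delivers the forged message; the second independent verifier, or a verifier that refuses to attest when too few of its nodes answer, stops it.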
Repercussions for Aave
The attack on the Kelp DAO bridge had widespread repercussions, especially on the Aave platform. The attacker borrowed a significant amount of WETH by moving the stolen rsETH tokens to Aave V3; this resulted in bad debt in some of Aave’s markets. The protocol froze the rsETH markets on both V3 and V4 in an attempt to minimize potential damage.
Stani Kulechov, founder of Aave, said, “rsETH was frozen in both V3 and V4, the token has no possibility to borrow, the incident on the Kelp DAO bridge took place outside Aave. Currently, Aave has no additional exposure to rsETH.”
Despite all these measures, Aave has seen a significant outflow of assets. According to Aavescan’s data, after the attack, the total volume of locked assets on Aave decreased from $45.8 billion to $35.7 billion; this means that more than $10 billion in funds were transferred out of the system. Marc Zeller, one of the well-known names in the Aave community, invited users to withdraw WETH quickly.
Aave management announced that it will continue to look for ways to compensate for the loss if new risky debt accumulates in the protocol.
Increasing structural fragility in DeFi
After the Kelp DAO attack, many DeFi projects using the LayerZero infrastructure froze the bridges they were in contact with for security reasons. These included prominent names such as Ethena, ether.fi, Tron DAO and Curve Finance. Another data point showing the magnitude of the risk accumulated in the sector comes from DeFiLlama: in the last 24 hours, the total value locked in decentralized finance platforms decreased by 7 percent; the figure, which was 99.5 billion dollars on April 18, has fallen to 86.3 billion dollars today.
Researcher Min Jung from the Presto Research team stated that this incident reflects structural weaknesses in the DeFi infrastructure and excessive centralization of security layers, and said:
“The Kelp DAO incident again highlights the vulnerabilities in cross-chain infrastructure in particular. Following recent incidents like Drift, such an attack makes users question whether the rates are worth the risks.”
Industry experts point out that the recent increase in large-scale attacks may accelerate serious innovations in risk management and architectural design. Many DeFi projects have started to turn to more secure solutions in their existing structures.


