The DeFi ecosystem was shaken by a major cyber attack over the weekend. Bridge protocol Kelp DAO suffered a total loss of $292 million with the seizure of 116,500 rsETH. This incident was recorded as the largest decentralized finance attack of the year so far. Kelp DAO plays an active role especially in Ethereum-based projects as a bridge protocol that enables asset transfer between different blockchains and uses the leading LayerZero infrastructure.
How did the attack happen?
The incident was reported to have occurred on April 18. According to the technical statement made by LayerZero, attackers obtained the list of RPC nodes used in LayerZero Labs’ decentralized verification network (DVN). A denial of service attack was carried out by poisoning two of these nodes, and a forged cross-chain message was accepted as genuine by the system. As a result, the network signed an unauthorized transaction, leading to the loss of 116,500 rsETH tokens. It was stated that this technical vulnerability is directly related to the use of a singular structure instead of multiple verification mechanisms in DVN.
“LayerZero and other external parties have previously communicated best practices regarding DVN diversification to the Kelp DAO team. However, despite all these warnings, Kelp DAO continued with the 1/1 DVN configuration.”
Critical configuration debate
In its report, LayerZero emphasized that Kelp DAO’s DVN configuration connected to only a single validator creates a vulnerability in the system. The report argued that this method, which disables independent auditing, creates a single weak point open to attack. Kelp DAO responded to the allegations; He stated that the configuration used was included by default in LayerZero’s documentation and that this choice was deemed appropriate and approved in their communication with the protocol.
Kelp DAO also announced that they have been operating using the LayerZero infrastructure since January and maintain constant communication between teams. In the statement made by the company, it was stated that a comprehensive investigation was carried out, the criminals’ wallets were blacklisted and the relevant smart contracts were suspended, and that this early intervention played an important role in taking the process under control. It was reported that the events were carefully evaluated to restart the protocol.
Risks jumping to the Aave protocol
The Kelp DAO attack appears to have caused a knock-on effect in the crypto ecosystem. The attacker deposited a significant portion of the rsETH he seized into the Aave V3 protocol and used it as collateral, and in return he borrowed 82,650 WETH and 821 wstETH. This situation strengthened the possibility of bad debt in Aave.
According to the latest report prepared by Aave, the attacker pledged a total of 89,567 rsETH (approximately $221 million) to Aave and borrowed heavily. The protocol management considered two possible scenarios, as the Kelp DAO did not disclose a clear plan on how to distribute and recover losses among users.
In the first scenario, if the loss is reflected proportionally to all chains, a 15.12 percent depreciation in the rsETH supply and a bad debt of approximately $123.7 million on Aave is predicted. While the largest loss of $91.8 million could occur on the Ethereum mainnet here, the proportional deficit remains low due to the relative depth of reserves. On platforms with lower reserves, such as Mantle, the proportional loss can reach up to 9.54 percent.
In the second scenario, if only rsETH on L2 chains is damaged and assets on the Ethereum mainnet remain fully collateralized, a severe 73.54 percent cut will be applied to L2 assets, resulting in $230.1 million in bad debt. In this picture, Aave’s $54 million insurance fund called “WETH Umbrella” can only come into play in the first scenario.
Which scenario plays out will largely depend on Kelp DAO’s accounting and LRTOracle rate updates. Aave management announced that it has assets worth $181 million in its safe and that it has received additional support commitments from community members against possible bad debts.
