KelpDAO has reported that LayerZero approved the bridge configuration linked to the $292 million rsETH exploit, igniting a debate regarding accountability for what has surfaced as one of the most significant cross-chain security breaches in decentralized finance for the year.
What led to the exploit and who is responsible? On April 18, an attacker drained approximately 116,500 rsETH from KelpDAO’s LayerZero bridge. According to Chainalysis, this attack was not a breach of the smart contract itself. Instead, it targeted offchain infrastructure, where attackers compromised internal RPC nodes. They then used manipulated data to deceive the system into releasing funds tied to a nonexistent transaction.
LayerZero has indicated that the vulnerability was specific to KelpDAO's rsETH configuration and was a consequence of its singular Digital Value Node (DVN) setup. Preliminary findings suggest the involvement of a sophisticated state actor, with suspicions pointing towards North Korea's Lazarus Group.
In response, KelpDAO pushed back against this characterization, asserting that the 1 of 1 DVN configuration was common across various LayerZero integrations. KelpDAO highlighted that LayerZero's own guidelines directed builders toward setups that rely on LayerZero Labs as the necessary DVN, implying that the configuration was not unique.
The situation escalated as KelpDAO acted quickly by pausing contracts upon discovering the exploit. Chainalysis noted that this decisive move helped prevent a potential second theft involving $95 million. Furthermore, the Arbitrum Security Council subsequently froze over 30,000 ETH associated with the attacker's illicit funds.
The repercussions of the exploit extended throughout the DeFi landscape, as the attacker proceeded to use the stolen rsETH as collateral in key lending markets. Galaxy Research reported that the hacker borrowed around $236 million in Wrapped Ether (WETH) and staked WETH (wstETH). As market conditions worsened, Aave took action by freezing rsETH, wrapped rsETH, and WETH markets to stabilize liquidity.
In light of these events, KelpDAO is transitioning its rsETH cross-chain transfers from LayerZero’s Optimistic Fraud Tree (OFT) standard to Chainlink's Cross-Chain Interoperability Protocol (CCIP). This migration is framed as a comprehensive security enhancement following the exploit, aiming to bolster the integrity of its processes.