LayerZero Responds to $290 Million KelpDAO Attack

The recent incident involving KelpDAO’s exploit, which resulted in a staggering $290 million loss, has prompted a comprehensive investigation by major players in the crypto space, particularly LayerZero and Aave. This event has raised critical discussions regarding the safety and protocols of cross-chain security systems.

LayerZero emphasized that the exploit stemmed from a choice made by KelpDAO, specifically the use of a single-DVN (Decentralized Validator Network) configuration. This aspect redirects the conversation from a widespread risk throughout LayerZero-integrated platforms to more focused concerns regarding the vulnerabilities in individual application security designs.

LayerZero Responds to $290 Million KelpDAO Attack

Understanding the Attack: RPC Vulnerabilities Explored

In a detailed communication dated April 20, LayerZero described how the attack on KelpDAO’s rsETH specifically targeted its configuration. The company clarified that the breach was not systemic and confirmed that other assets remained unaffected.

LayerZero depicted the assault as an advanced attack rather than a flaw in the core protocol itself. Reportedly, preliminary findings suggest that a skilled state actor, possibly linked to North Korea’s Lazarus Group, was responsible for the incident. The attack involved compromising elements of the RPC infrastructure utilized by LayerZero, leading to a successful spoofing operation.

According to LayerZero, the attackers initially poisoned the RPC ecosystem by contaminating the op-geth nodes and subsequently launching a DDoS attack against unaffected nodes to enforce a transition toward these malicious setups.

This scenario illustrates a fundamental principle referenced by LayerZero, reaffirming their approach to least-privilege security measures. According to the statement, “Due to our security protocols, the attackers could not breach the DVN instances directly.” Instead, they managed to execute a sophisticated RPC-spoofing operation.

The manipulated nodes generated misleading data for the DVN while maintaining accurate communications with other external entities, thus remaining undetected during the attack. LayerZero emphasized that fundamental lapses in security at the application layer should have been prevented by implementing a more robust verifier configuration.

The documentation reflected on how rsETH, operated by KelpDAO, was standing on a precarious security arrangement. The statement noted that the reliance on one DVN created vulnerabilities, contrasting with the multi-DVN redundancy practices advocated by LayerZero.

It was clearly stated that effective configurations should mandate consensus among various DVNs, which would have thwarted the attack even if one node was compromised. To address the situation, LayerZero indicated that the affected DVN configurations have been replaced, and new restrictions are in place to prevent similar occurrences in the future.

Aave also provided insights via an online update, reporting that their evaluations confirmed rsETH on Ethereum’s mainnet retains full backing. However, as a precaution, they have temporarily frozen rsETH across multiple versions of their platform to mitigate exposure to the exploit. The hold extends to wrapped ETH reserves on various platforms until further evaluations have been conducted.

As of now, the total capitalization of the cryptocurrency market fluctuates around $2.5 trillion, showcasing the resilience of the crypto space despite recent challenges.

Emily Walker
Emily Walker
Crypto News Editor

Emily brings structure, clarity, and journalistic integrity to Bitrabo’s daily news coverage. With years of experience in tech journalism, she ensures that every headline, update, and developing story is accurate and impactful. From breaking regulatory news to market movements, Emily’s editorial oversight keeps Bitrabo’s news content timely, trusted, and engaging.