#KelpDAO Cross-Chain Bridge Attacked


Latest Developments - Kelp DAO Blames LayerZero for $292 Million Exploit as Both Sides Trade Blame

On April 18, Kelp DAO's cross-chain bridge, which is supported by LayerZero, lost 116,500 rsETH tokens worth approximately $292 million, making it the largest DeFi exploit of the year so far. The attacker obtained the list of RPC nodes used by LayerZero Labs' Decentralized Verifier Network (DVN). The attacker then tampered with two RPC nodes and launched a DDoS attack, forcing the DVN to accept forged cross-chain messages and sign an illegitimate transaction.

Earlier, in a published report, LayerZero criticized Kelp DAO's 1-to-1 DVN configuration, saying that the lack of independent verification needed to catch fraudulent cross-chain messages created a single point of failure. The report stated: “LayerZero and other external entities had previously communicated best practices for diversifying the Distributed Virtual Network (DVN) to Kelp DAO. Despite these recommendations, Kelp DAO chose to adopt a 1/1 DVN configuration.”

On the other hand, Kelp DAO issued a statement on Monday downplaying its direct responsibility for the incident. It shifted the blame for the 1-to-1 DVN setup onto LayerZero.

Kelp stated on X: “The 1-to-1 DVN setup is a configuration documented in LayerZero’s documentation and is the default setup for any new OFT deployment. Since January 2024, Kelp has been operating on LayerZero infrastructure and has maintained open communication channels with the LayerZero team.” Kelp also added that the DVN configuration issue was raised when expanding to L2, where the default setting was “explicitly deemed appropriate.”

The cross-chain bridge also said that its initial response measures—including pausing relevant contracts and blacklisting wallets associated with the attacker—helped contain the situation.
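The single-point-of-failure concern behind the 1-to-1 DVN dispute can be checked mechanically. The following is an added example, not code from Kelp DAO, LayerZero or the original post: it assumes each pathway's resolved configuration is available as a dict whose field names mirror LayerZero V2's `UlnConfig` struct, and all pathway names and DVN addresses are constructed.

```python
# Added example: field names are assumed to mirror LayerZero V2's UlnConfig;
# pathway names and DVN addresses below are constructed sample data.

def forgery_quorum(cfg):
    """Number of distinct DVNs that must attest before a message verifies.

    Every required DVN plus optionalDVNThreshold of the optional ones; this is
    also how many DVNs must be subverted for a forged message to pass.
    """
    required = [a.lower() for a in cfg["requiredDVNs"]]
    optional = [a.lower() for a in cfg["optionalDVNs"]]
    threshold = cfg["optionalDVNThreshold"]
    if len(set(required + optional)) != len(required) + len(optional):
        raise ValueError("duplicate DVN address in config")
    if threshold > len(optional):
        raise ValueError("optionalDVNThreshold exceeds optional DVN count")
    if not required and threshold == 0:
        raise ValueError("config names no verifying DVN at all")
    return len(required) + threshold


def audit(pathways, min_quorum=2):
    """Return (pathway, problem) pairs for malformed or under-quorum configs."""
    findings = []
    for name, cfg in pathways.items():
        try:
            quorum = forgery_quorum(cfg)
        except ValueError as exc:
            findings.append((name, f"invalid: {exc}"))
            continue
        if quorum < min_quorum:
            findings.append((name, f"quorum {quorum} below minimum {min_quorum}"))
    return findings


DVN_A, DVN_B, DVN_C = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE = {
    # 1 required, 0 optional: the 1/1 setup discussed above
    "ethereum->l2-one": {"requiredDVNs": [DVN_A], "optionalDVNs": [],
                         "optionalDVNThreshold": 0},
    # 1 required plus 1 of 2 optional: two independent attestations needed
    "ethereum->l2-two": {"requiredDVNs": [DVN_A], "optionalDVNs": [DVN_B, DVN_C],
                         "optionalDVNThreshold": 1},
    # looks like 2 required, but it is the same DVN in different letter case
    "ethereum->l2-three": {"requiredDVNs": [DVN_A, "0x" + "AA" * 20],
                           "optionalDVNs": [], "optionalDVNThreshold": 0},
}

if __name__ == "__main__":
    for pathway, problem in audit(SAMPLE):
        print(f"{pathway}: {problem}")
```

A quorum above one only helps if the DVNs are operationally independent; DVNs that read from the same RPC nodes can be misled together, which this address-level check cannot see.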

😞 Both sides are blaming each other, and innocent AAVE is hurt. Who will take responsibility for the over $200 million bad debt?

The attacker deposited a large amount of stolen assets into Aave V3. Using rsETH as collateral, the attacker borrowed a significant amount of WETH, increasing the protocol’s bad debt risk.

According to Aave’s latest incident report, the attacker provided 89,567 rsETH (worth about $221 million) as collateral and borrowed 82,650 WETH and 821 wstETH, resulting in very low health factors for these positions. The protocol outlined two hypothetical bad debt scenarios based on current data, as Kelp has not yet officially announced loss allocation or recovery plans.

The first scenario describes an even distribution of losses, assuming approximately 112,204 rsETH will be evenly distributed across all chains. This would lead to a 15.12% de-pegging and roughly $123.7 million in bad debt for Aave.

The second scenario limits losses to L2 rsETH, with Ethereum mainnet rsETH remaining fully backed. In this case, L2 collateral would be reduced by 73.54%. This could cause bad debts of up to $230.1 million in L2 markets such as Mantle, Arbitrum, and Base.

Aave stated: “Which scenario occurs depends on decisions outside of Aave’s control, mainly how rsETH is accounted for and how the LRTOracle exchange rate is updated.”

Additionally, Aave mentioned that the Aave DAO holds assets worth $181 million, with a healthy asset status, and has received multiple commitments from ecosystem participants to support the protocol in case of bad debts.