The theft of Kelp involves a bunch of technical terms, but in plain language, it's just a few sentences.

How was it stolen?
$RAVE ‌
Two RPC nodes managed by LayerZero were hacked, and the third was taken down by a DDoS attack. Kelp used the default 1/1 DVN configuration recommended in LayerZero’s documentation—that is, "single-signature verification," meaning one key can open the door. The attacker forged cross-chain messages, minting 116k rsETH out of thin air, worth $292 million. Kelp says this is LayerZero’s infrastructure fault, LayerZero says it’s because you’re not qualified for multi-DVN multi-signature, banteg says stop pretending, it’s an internal trust boundary breach.

$AAVE ‌
How much debt does Aave owe?

The attacker deposited the stolen rsETH into Aave as collateral and borrowed 82k WETH. Aave froze the rsETH market, but the bad debt was already there. LlamaRisk calculated two scenarios:

· Global apportionment: approximately $123.7 million in bad debt
· L2 alone bears: approximately $230.1 million in bad debt
$BTC ‌
0xngmi calculated a third scenario: abandoning rsETH holders on L2, with a worst-case bad debt of $341 million, which Umbrella can’t cover, so Aave has to bear it themselves.

Aave’s treasury holds about $181 million in assets, but covering a hole over $200 million is unlikely.

Chain reaction

Lido paused earnETH deposits, Ethena extended the cross-chain bridge pause, and over 15 protocols preemptively shut down the LayerZero OFT bridge.

Bottom line

Third-party trust—no one thought it would go wrong. rsETH holders thought Kelp had risk controls, Kelp thought LayerZero’s default configuration was safe, LayerZero thought projects would implement multi-signature. As a result, $292 million disappeared, bad debt ranged from $120 million to $340 million, and nobody knows where the money to fill the gap will come from. The "decentralized trust" in DeFi—trust split into countless parts, each of which says, "It’s not my problem."

#加密市场小幅下跌 #KelpDAO跨链桥遭攻击 #KelpDAO跨链桥遭攻击 #RAVE闪崩超90%