On April 18, Kelp DAO, a decentralized finance (DeFi) protocol, suffered a devastating loss of approximately $292 million when hackers exploited a vulnerability in its LayerZero-powered bridge. This exploit resulted in the theft of 116,500 rsETH tokens, which were subsequently used as collateral on Aave v3 to borrow wrapped Ether. The fallout from the incident has led to a contentious blame game between Kelp DAO and LayerZero, as both sides stake their claims in this high-profile security breach.
The attackers executed a series of transactions that ultimately processed over $100 million in additional forged transactions before Kelp paused its smart contracts. LayerZero has linked the exploit to North Korea’s notorious Lazarus Group, revealing that the hackers gained access to the decentralized verifier network (DVN) nodes associated with LayerZero Labs. By compromising two of these nodes and launching a DDoS attack on others, the hackers confirmed fraudulent transactions, leading to the significant financial loss incurred by Kelp DAO.
The incident has ignited a public feud between Kelp DAO and LayerZero regarding who bears responsibility for the vulnerability. LayerZero’s postmortem on April 19 indicated that the exploit resulted from Kelp’s use of a single decentralized verifier network instead of a multi-verifier setup, which the company typically recommends. They stated this choice “directly contradicts” their guidance, raising questions about Kelp’s decision-making within their infrastructure.
The DVN Configuration Dispute
Kelp DAO swiftly rebutted these claims, asserting that LayerZero personnel had reviewed their DVN configuration over a span of two and a half years and had never indicated that the single-verifier setup posed a security risk. In a memo released on May 5, Kelp pointed to Telegram messages that appear to show LayerZero team members acknowledging their configuration without issue. The authenticity of these screenshots has yet to be independently verified.
Adding to the complexity, Kelp presented data from Dune Analytics highlighting that approximately 47% of 2,665 active LayerZero contracts utilized the 1-of-1 DVN model within a 90-day window leading up to April 22. This pool of contracts is reported to hold a combined market value exceeding $4.5 billion.
Security researcher Sujith Somraaj added a separate perspective, disclosing that he had submitted a bug bounty report to LayerZero describing the same attack vector before the breach. He stated that his concerns were dismissed.
LayerZero Defends Its Protocol
In response, LayerZero’s CEO, Bryan Pellegrino, characterized Kelp’s allegations as “completely untrue,” stating that Kelp had initially employed the recommended multi-DVN setting but chose to manually downgrade to a 1-of-1 configuration. Pellegrino also indicated that an external audit would be conducted to fully assess the incident.
A spokesperson from LayerZero emphasized that defaults across their pathways are predominantly multi-DVN, explaining that instances where a 1-of-1 setup appears point to a “DeadDVN” intended to discourage improper configuration. Following the breach, LayerZero implemented a new policy prohibiting the signing of messages for any applications running a single verifier setup, an effort to bolster their security framework.
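The dispute above turns on what a 1-of-1 verifier configuration buys an attacker compared with a multi-DVN setup. The following simplified model is an added example, not LayerZero's or Kelp's code; the verifier names, the "required plus optional threshold" policy shape and the dead-verifier sentinel are constructed assumptions for illustration. It shows that forging a message requires the attacker to control every required verifier, while knocking honest verifiers offline only withholds legitimate messages.

```python
from dataclasses import dataclass

# Constructed sentinel: a verifier that never attests, standing in for the
# "DeadDVN" idea of a default that blocks every message until reconfigured.
DEAD_DVN = "DEAD-DVN"


@dataclass(frozen=True)
class VerifierPolicy:
    """Simplified multi-verifier policy (assumption, not a real protocol struct).

    Every verifier in `required` must attest; additionally at least
    `optional_threshold` verifiers from `optional` must attest.
    A 1-of-1 setup is required={one_dvn}, optional=empty, threshold=0.
    """
    required: frozenset
    optional: frozenset = frozenset()
    optional_threshold: int = 0


def verify(policy: VerifierPolicy, attestations: frozenset) -> bool:
    """True if the verifiers that attested to a message satisfy the policy."""
    if DEAD_DVN in policy.required:
        return False  # the dead verifier can never attest, so nothing passes
    if not policy.required <= attestations:
        return False
    return len(policy.optional & attestations) >= policy.optional_threshold


def attacker_can_forge(policy: VerifierPolicy, compromised: set) -> bool:
    """A forged message passes only if the compromised verifiers alone satisfy
    the policy. Taking honest verifiers offline (DDoS) removes attestations;
    it never produces the attestations the attacker is missing."""
    return verify(policy, frozenset(compromised))


def honest_delivery(policy: VerifierPolicy, online_honest: set) -> bool:
    """True if the honest verifiers still online can deliver a real message."""
    return verify(policy, frozenset(online_honest))


# Constructed scenario: attacker controls DVN-A and has DDoSed DVN-B.
SINGLE = VerifierPolicy(required=frozenset({"DVN-A"}))
MULTI = VerifierPolicy(required=frozenset({"DVN-A", "DVN-B"}),
                       optional=frozenset({"DVN-C", "DVN-D"}),
                       optional_threshold=1)
DEAD_DEFAULT = VerifierPolicy(required=frozenset({DEAD_DVN}))

if __name__ == "__main__":
    print("1-of-1 forgeable:", attacker_can_forge(SINGLE, {"DVN-A"}))
    print("multi forgeable:", attacker_can_forge(MULTI, {"DVN-A"}))
    print("multi liveness under DDoS:", honest_delivery(MULTI, {"DVN-A", "DVN-C", "DVN-D"}))
```

Under the multi-DVN policy the DDoS on DVN-B stalls legitimate traffic (a liveness failure the operator notices) but does not let the compromised verifier push a forged message through.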
Kelp DAO has asserted that its own team alerted LayerZero to the exploit first, not the other way around. In a decisive move, Kelp has begun migrating its rsETH from LayerZero's OFT standard to Chainlink's Cross-Chain Interoperability Protocol (CCIP), aiming to strengthen its operational security going forward.
As Kelp makes this transition, the unresolved questions over the hack's attribution and the effectiveness of each protocol's security measures carry broader implications for the DeFi space. Users and investors alike will be watching closely as Kelp works to recover from this substantial blow and harden its infrastructure against future threats.
