
Exploring the Deep Implications of the KelpDAO Bridge Exploit: A Cautionary Tale in DeFi Security


The KelpDAO Exploit: A Wake-Up Call for DeFi

The exploit that shook the decentralized finance community began on April 18, when the KelpDAO bridge fell victim to a sophisticated cyberattack attributed to the notorious Lazarus Group, which is believed to be linked to North Korea. The incident put the vulnerabilities of cross-chain security under scrutiny and raised concerns about protocol defaults and accountability in the DeFi space.

Details of the Attack

Initially classified as a technical glitch, the security breach quickly escalated as attackers exploited a LayerZero-based Omnichain Fungible Token bridge connected to KelpDAO’s wrapped staked ETH (rsETH), resulting in a theft of approximately 116,500 rsETH, valued at nearly $292 million.

The key vulnerabilities stemmed from KelpDAO’s single-verifier setup: a 1-of-1 configuration for its Decentralized Verifier Network (DVN), which allowed a single verifier to approve high-stakes cross-chain transactions. Critics slammed this model for creating a critical point of failure. Although LayerZero asserted that its core protocol remained uncompromised, it acknowledged that the internal Remote Procedure Calls (RPCs) used by LayerZero Labs’ DVN were breached, culminating in manipulated data and distributed denial-of-service (DDoS) attacks on external RPC providers.

LayerZero’s Response

“We regret our lack of timely communication throughout the aftermath of the exploit.”

In a statement released after the breach, LayerZero expressed a desire for a comprehensive post-mortem rather than providing immediate updates. They disclosed that this incident impacted only one application, constituting a mere 0.14% of their total applications and around 0.36% of the asset value on the LayerZero platform. Despite the attack’s severity, LayerZero noted that since the exploit, over $9 billion had been transacted across their platform without further security breaches.

Recognizing its misstep in permitting the DVN to operate under a 1-of-1 verification policy, LayerZero announced plans to revise its defaults in favor of a more secure model: at least 5-of-5 verification whenever feasible, and a minimum of 3-of-3 on networks with fewer than five DVNs. Following this incident, KelpDAO decided to sever ties with LayerZero and transition to Chainlink’s Cross-Chain Interoperability Protocol (CCIP), making it a leading protocol to take such action post-exploit.

Industry Impact and Migration Trends

This migration trend has caught the attention of industry analysts, with Tom Wan reporting that protocols accounting for $2 billion in total value locked (TVL) are now shifting from LayerZero to Chainlink CCIP. Notable examples include KelpDAO with around $1.5 billion, SolvProtocol at approximately $600 million, and re with about $200 million in total assets. Chainlink’s CCIP utilizes decentralized oracles that require no fewer than 16 separate node operators to verify cross-chain transactions, thus addressing the vulnerabilities exposed by the exploit.

In further developments, KelpDAO’s rsETH will integrate Chainlink’s Cross-Chain Token standard. Chainlink announced that its infrastructure has facilitated over $30 trillion in cross-chain transaction value, signaling a robust and secure architecture compared to the previous arrangement.

Discussions on Liability and Recovery Efforts

The aftermath of the exploit has prompted discussions about liability. LayerZero claims to have previously cautioned against single-verifier setups, whereas KelpDAO and other industry voices have pointed out that the 1-of-1 configuration was part of LayerZero’s default onboarding process. A study referenced by KelpDAO indicated that nearly half of the roughly 2,665 LayerZero applications used this precarious setup at the time of the incident.

In an effort to assist with recovery, multiple parties including Aave, KelpDAO, and LayerZero established the DeFi United alliance with the goal of reinstating backing for rsETH. LayerZero contributed 10,000 ETH—comprising both a donation and a loan to Aave—as part of the recovery strategy, which has collectively raised over $300 million in cryptocurrency. However, complications arose as the Arbitrum Security Council froze 30,766 ETH associated with the exploit, further embroiling the funds in legal challenges as plaintiffs sought to seize them under terrorism-related claims against North Korea.

Future Security Measures

LayerZero also recently addressed a separate incident involving a multisig signer who, by mistake, conducted a personal trade using a multisig hardware wallet years ago. Following this, the company enacted measures to enhance security, including the rotation of wallets and the amendment of its signing practices. They are now developing OneSig, a custom multisig system intended to bolster signing security, and planning to increase their multisig threshold from 3-of-5 to 7-of-10 where OneSig is implemented.

In addition, LayerZero is creating Console, a platform that allows issuers to manage asset issuance and security, which aims to include alerts about unknown DVNs, unsafe configurations, ownership changes, block confirmation changes, and adherence to security defaults.
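
The configuration checks described in this article (single-verifier setups, the revised 5-of-5 and 3-of-3 defaults, unknown DVNs, ownership and block confirmation changes) can be sketched as a small audit routine. This is an added example, not code from LayerZero, Console or KelpDAO; the PathwayConfig fields, DVN names, owner strings and alert labels are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PathwayConfig:
    """Hypothetical snapshot of one bridge pathway (not a LayerZero data type)."""
    dvns: tuple         # verifiers that must ALL attest, i.e. N-of-N
    confirmations: int  # block confirmations awaited before verification
    owner: str          # account allowed to change this configuration

def required_minimum(dvns_on_network):
    # Defaults quoted in the article: 5-of-5 where feasible,
    # 3-of-3 on networks with fewer than five DVNs.
    return 5 if dvns_on_network >= 5 else 3

def audit(cfg, known_dvns, dvns_on_network, baseline=None):
    """Return alert strings for one pathway; an empty list means no finding."""
    findings = []
    distinct = set(cfg.dvns)
    if len(distinct) != len(cfg.dvns):
        findings.append("duplicate-dvn")    # repeated entries add no independence
    if len(distinct) <= 1:
        findings.append("single-verifier")  # the 1-of-1 case
    need = required_minimum(dvns_on_network)
    if len(distinct) < need:
        findings.append(f"below-default:{len(distinct)}<{need}")
    for dvn in sorted(distinct - set(known_dvns)):
        findings.append(f"unknown-dvn:{dvn}")
    if baseline is not None:  # drift against the last reviewed snapshot
        if cfg.owner != baseline.owner:
            findings.append("owner-changed")
        if cfg.confirmations != baseline.confirmations:
            findings.append(
                f"confirmations-changed:{baseline.confirmations}->{cfg.confirmations}")
    return findings

# Constructed sample data; every name and value below is a placeholder.
KNOWN = {"dvn-a", "dvn-b", "dvn-c", "dvn-d", "dvn-e"}
REVIEWED = PathwayConfig(("dvn-a", "dvn-b", "dvn-c", "dvn-d", "dvn-e"), 15, "owner-1")
SINGLE = PathwayConfig(("dvn-a",), 15, "owner-1")
PADDED = PathwayConfig(("dvn-a", "dvn-a", "dvn-a"), 15, "owner-1")
DRIFTED = PathwayConfig(("dvn-a", "dvn-b", "dvn-c", "dvn-d", "dvn-x"), 1, "owner-2")

if __name__ == "__main__":
    for label, cfg, n in [("reviewed", REVIEWED, 5), ("single", SINGLE, 5),
                          ("padded", PADDED, 3), ("drifted", DRIFTED, 5)]:
        print(label, audit(cfg, KNOWN, n, baseline=REVIEWED))
```

Counting distinct verifiers rather than list entries matters: a nominal 3-of-3 that names the same DVN three times is still a single point of failure.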

In summary, the KelpDAO exploit has evolved from being a singular incident into a broader narrative encompassing issues of protocol design defaults, cross-chain security, and the future of decentralized finance.
