KelpDAO Blames LayerZero for $292 Million Hack
KelpDAO has placed the blame squarely on LayerZero for a hack that resulted in losses estimated at $292 million. In a post on X this Tuesday, the organization announced plans to relaunch a revamped cross-chain system built on Chainlink’s technology. It said that an incident on April 18 clearly demonstrated vulnerabilities in LayerZero’s infrastructure, leading to substantial financial losses across the decentralized finance (DeFi) ecosystem. KelpDAO referenced findings from reputable security teams, including SEAL 911 and Chainalysis, all suggesting a common source for the breach.
Details of the April Attack
The April attack resulted in the theft of approximately 116,500 rsETH, a staking token tied to Ethereum, through a cross-chain bridge operated by Kelp. This incident has been linked to the notorious Lazarus Group, which has ties to North Korea.
Accusations Against LayerZero
Highlighting a lapse in communication, KelpDAO accused LayerZero of permitting a configuration associated with the exploit without raising any red flags regarding its security vulnerabilities. This specific setup, termed a 1-of-1 verifier, depended on a solitary entity to authenticate cross-chain transactions. According to Kelp, attackers exploited weaknesses in LayerZero’s infrastructure by infiltrating the verifier network’s RPC nodes, thereby manipulating the validation of transactions with fraudulent data.
LayerZero subsequently changed its policy to cease message signing for applications utilizing this risky 1-of-1 DVN (decentralized verifier network) configuration, an action Kelp noted was taken only after the exploitation resulted in vast monetary losses.
In response to Kelp’s accusations, LayerZero contended that the breach was isolated to Kelp’s use of a single-verifier setup, which went against LayerZero’s own advisory to use a multi-verifier model. KelpDAO contested this portrayal, asserting that its setup conformed to LayerZero’s usual guidelines and that this model had been widely adopted across multiple applications within the DeFi landscape.
Transition to Chainlink’s Protocol
In light of the incident, Kelp is pivoting its rsETH platform toward Chainlink’s cross-chain interoperability protocol, where transaction verification involves multiple independent validators, significantly enhancing security. Chainlink’s Chief Business Officer, Johann Eid, expressed his commitment to collaborating with KelpDAO to reinforce the security framework around rsETH and support their transition to Chainlink’s infrastructure. He emphasized the necessity of robust security measures for DeFi projects to thrive and facilitate substantial on-chain investments.
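The single-verifier failure mode and the multi-validator alternative described above, modeled as an added example (not KelpDAO, LayerZero or Chainlink code). The `Verifier` class, the `accept` and `scenario` functions and the sample messages are hypothetical and constructed; real verifiers sign attestations rather than return bare hashes.

```python
import hashlib
from dataclasses import dataclass


def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Verifier:
    """Hypothetical verifier: attests to whatever its own RPC source reports."""
    name: str
    rpc_view: dict  # message id -> payload returned by this verifier's RPC node

    def attest(self, msg_id: str):
        payload = self.rpc_view.get(msg_id)
        return None if payload is None else digest(payload)


def accept(msg_id: str, delivered: bytes, verifiers: list, threshold: int) -> bool:
    """Accept only if at least `threshold` verifiers attest to the delivered payload."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and the number of verifiers")
    want = digest(delivered)
    votes = sum(1 for v in verifiers if v.attest(msg_id) == want)
    return votes >= threshold


# Constructed sample data: what the source chain really emitted vs. tampered data.
GENUINE = b"mint 1 rsETH to account A"
FORGED = b"mint 999 rsETH to account B"
HONEST_RPC = {"msg-1": GENUINE}
TAMPERED_RPC = {"msg-1": FORGED}


def scenario(n: int, threshold: int, tampered: int, delivered: bytes) -> bool:
    """n verifiers, the first `tampered` of which read from a tampered RPC source."""
    verifiers = [Verifier(f"v{i}", TAMPERED_RPC if i < tampered else HONEST_RPC)
                 for i in range(n)]
    return accept("msg-1", delivered, verifiers, threshold)


if __name__ == "__main__":
    # (n, threshold, tampered sources, payload label)
    for n, t, bad, label in [(1, 1, 1, "FORGED"), (3, 2, 1, "FORGED"),
                             (3, 2, 1, "GENUINE"), (3, 3, 1, "GENUINE")]:
        payload = FORGED if label == "FORGED" else GENUINE
        print(f"{t}-of-{n}, {bad} tampered source(s), {label}: "
              f"accepted={scenario(n, t, bad, payload)}")
```

The last case shows the trade-off on the other side: requiring every verifier to agree (3-of-3) lets one bad data source block genuine messages, which is why the threshold is usually set below the verifier count.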
Legal and Financial Repercussions
The consequences of the Kelp exploit extend beyond the technical response: about $71 million related to the incident has been frozen on the Arbitrum network, sparking legal proceedings in a federal court in New York. KelpDAO reiterated the importance of addressing the uncertainties surrounding this breach, vowing to secure its rsETH by utilizing reliable infrastructure that prevents similar vulnerabilities from arising.