2 weeks ago by Kelp
On April 18, rsETH was drained from rsETH bridging adapter through a forged cross-chain message. We want to ensure users and partners have the complete picture as the broader post-incident review continues.
What happened.
Two RPC nodes hosted by LayerZero were compromised. A simultaneous DDoS attack was launched against the 3rd RPC node. This was an attack on LayerZero's infrastructure. Kelp's own systems were not involved in building or operating that infrastructure.
Kelp’s response helped contain the situation
Kelp detected the anomaly, paused all relevant contracts on Ethereum mainnet and L2s, blacklisted all wallets associated with the exploiter, and engaged SEAL-911.
A subsequent attempt by the exploiter, leveraging a falsely verified phantom packet to target an additional 40,000 rsETH (~$95M), was fully mitigated by these interventions.
On the DVN configuration
The 1-of-1 DVN setup is the configuration documented in LayerZero's documentation and shipped as the default for any new OFT deployment. Kelp has operated on LayerZero infrastructure since January 2024 and has maintained an open communication channel with the LayerZero team throughout. The question of DVN configuration came up during Kelp's L2 expansion, and defaults were affirmatively confirmed as appropriate at that time.
Establishing a shared and accurate account of what happened is the foundation for making the right fixes together.
The path forward
Kelp’s priority is our users and preventing contagion across DeFi. We are working with all ecosystem partners to analyse the impact, rally support, and explore all avenues of mitigation.
We are concurrently assessing the potential next steps regarding protocol unpausing, impact assessment, and the way forward, and working with Aave, LZ, and all other key stakeholders.
Reactions and replies to this article.
Gopi Kannappan
@gopikannappan
Thanks for the write-up. Just shipped SecureOApp - an open-source SDK that refuses to deploy OApps with 1/1 or homogeneous DVN configs. Makes the 2/3+ZK recommendation compile-time enforceable, not just documented. https://t.co/s9SqxeVh4T
Ildar Absalyamov
@glirynice
Stay strong. Community knows this is not your faults. 1/1 setup was basic standard of LZ. DVNs it's new feature, which exists less than 2 years. Poisoned RPC, ddos for external RPC and Unichain decreased number of RPC providers, all of it not on kelp side.
sashka_al
@sashkaal1
"@KelpDAO, it is your responsibility to cover the $230M hole caused by the rsETH exploit. Retail ETH depositors in @Aave should not pay for your smart contract failure. Use your treasury and collateral to make everyone whole now! #KelpDAO #Aave #Ethereum"
Stimpy
@stimpy_west
@Slothfulbeing_ @KelpDAO 100% agree, creditors take on this risk when they make ETH available on Aave and they should know this kind of risks, they accept it. It makes sense that they should bear the consequences and no one else.
CryptonautX
@cryptonautx_
Appreciate the transparency, Kelp team. Quick detection, fast pause, blacklisting the exploiter, and successfully blocking the follow-up $95M attempt shows real professionalism under pressure. Thanks for putting users first and working with partners on a full recovery.
Dhile Bean
@dhileeb27599
A hack on LayerZero’s nodes led to a $292M loss due to weak security. @KelpDAO moved fast, but couldn’t stop it. This mistake impacted trust in #DeFi overall.
Cojack
@cojack19113
@axelar @KelpDAO @axelar stop talking. You guys don’t even know how to communicate when your team splits up and when there’s talk about your project being dead! Please stop trying to be relevant now!!
Jenita
@jenitaasa
The attack route was far from straightforward. It required breaking through or pressuring several different layers. That kind of complexity makes it tough to defend.
Graci Ryngksai
@graciryngka
People are overlooking how quickly Kelp paused activity across chains a level of coordination that isn’t easy under pressure and likely played a key role in preventing further damage.
Sarah Jones
@neroxshd
Cross-chain design is powerful, but this shows how fragile things can get without proper verification layers in place. #bitcoin #bingx #bbvipal5
-
@0xhons
best to just leak the logs of conversations with the lads at @LayerZero_Core at least you win the CT back x forth.
RN
@19rn70
@Successj08 @KelpDAO Reacting to 290 millions out the door is not after things went wrong?