where did the kelp $292m go? anatomy of a $292m laundering.
The Smart Ape 🔥 • 580K views
25 replies
Updated 3 days ago • 6 articles
A $290M exploit of KelpDAO's LayerZero bridge implementation for rsETH, likely executed by North Korea's Lazarus Group, has exposed a critical gap in how DeFi protocols evaluate cross-chain infrastructure security.
On April 18, KelpDAO lost approximately $290 million in the largest DeFi exploit of the year, likely attributed to North Korea's Lazarus Group.
The attack exploited weaknesses in LayerZero’s cross-chain messaging infrastructure, triggering emergency freezes across countless protocols. Contagion spread to Aave as assets became stranded due to utilization rates spiking to 100% with bad debt looming, leading to billions being wiped from its TVL.
The incident has forced a broader reckoning across DeFi around composability risk, cross-chain security standards, and whether users can ever truly price the risks buried in the infrastructure beneath the protocols they use.
The Smart Ape 🔥 • 580K views
azeem • 7K views
Cork Protocol • 2K views
Cork Protocol replied
Omer Goldberg • 20K views
Omer Goldberg replied
Kelp • 315K views
LayerZero • 1.8M views
Dankrad Feist & 2 others
Zacharias Mitzelos
@zmitzie replying to KelpDAO Incident Statement
What happens when a new chain integrates with LayerZero but doesn't have a mature RPC ecosystem? Is one RPC powering all 3 DVNs that usually come by default when LZ integrates with a new chain? Because if you configure 3/3 DVNs, but they’re all pulling from the same RPC provider (sometimes the RPC is run by the team), that’s the same as using 1 DVN. From LZ's docs it's not clear what/how many RPCs the DVNs use or if they run their own nodes. Multi-DVN only works if independence exists all the way down the stack. Otherwise we risk recreating hidden single points of failure, especially on new chains