#What happened in the Kelp DAO attack
Kelp DAO, a liquid restaking protocol, recently experienced a significant security breach resulting in an estimated $292 million in damages. The incident has also caused disruption in the Aave lending protocol, raising concerns within the decentralized finance ecosystem.
The exploit was initially discovered by blockchain investigator ZachXBT around 2:52 PM on April 18. The attacker exploited vulnerabilities in LayerZero’s cross-chain messaging system, tricking it into endorsing a fake transfer request from an external chain. This fraudulent instruction led to the unauthorized transfer of 116,500 rsETH, which is Kelp DAO's Liquid Restaking Token. Notably, this amount accounts for approximately 18% of the total circulating supply of rsETH, which is around 630,000 tokens.
In response to the attack, Kelp DAO activated emergency measures, halting all rsETH deposits and withdrawals while collaborating with LayerZero and Unichain to assess the situation.
#Where were the stolen funds directed?
Following the breach, the attacker moved the stolen rsETH into various lending protocols, including Aave V3, Compound V3, and Euler. This individual then borrowed substantial amounts of wrapped ETH as collateral, eventually accruing over $236 million in debts. Subsequent investigations revealed that the attacker had consolidated approximately 74,000 ETH after the exploit, resulting in over $280 million in liabilities across different platforms.
In light of these events, Aave temporarily suspended rsETH markets on both Aave V3 and Aave V4. It was made clear that while Aave's smart contracts remained uncompromised, the exploit was a result of vulnerabilities associated with rsETH. Aave has since initiated thorough evaluations of rsETH-backed loans established after the event to determine exposure risk and to devise strategies for mitigating any resultant bad debt.
#How did other platforms react?
Other protocols, such as SparkLend and Fluid, took similar precautionary actions, with SparkLend reporting no exposure to rsETH due to its conservative risk management policies. Lido Finance paused deposits into its earnETH product, which is linked to rsETH, while affirming that its core staking protocol and the stETH token remained unaffected.
In an excess of caution, Ethena, a stablecoin issuer, temporarily shut down its LayerZero bridges from the Ethereum mainnet despite not having any exposure to rsETH. This precautionary measure was put in place to ensure the safety of funds pending the identification of the exploit’s root cause.
#What are the implications for DeFi?
The recent attack marks the most significant DeFi exploit of the year and follows closely on the heels of another major breach involving the Solana-based Drift Protocol, which suffered a loss of approximately $285 million linked to North Korean actors. In the weeks following, numerous smaller platforms have also succumbed to similar attacks, including CoW Swap, Zerion, Rhea Finance, and Silo Finance.
Aave, whose token price saw a decline of about 10% following news of the exploit, now faces a challenging landscape as the DeFi sector contends with security risks and the trust of investors hangs in the balance.