KelpDAO Holds LayerZero Responsible for $292 Million Exploit, Aiming for Chainlink-Enabled Relaunch

by admin

KelpDAO’s Plan to Restructure After Major Exploit

KelpDAO, a decentralised autonomous organisation, announced its intention to enhance security for rsETH cross-chain transfers following a significant breach that occurred on April 18, resulting in the loss of approximately US$292 million (AU$405.9 million) from its LayerZero bridge. The incident has led to an escalating dispute regarding the accountability for the exploit.

Security assessments indicate that the vulnerability stemmed from compromised verifier infrastructure. KelpDAO claims that LayerZero personnel approved a 1-of-1 verifier configuration without providing adequate warnings about its potential security risks, and that this configuration subsequently facilitated the breach.

Dispute Over Responsibility

LayerZero has contested KelpDAO’s assertion, stating that the exploit was confined to KelpDAO’s specific rsETH application and resulted from a divergence from LayerZero’s endorsed multi-verifier model.

Chainalysis, a prominent blockchain analysis firm, linked the exploit to the Lazarus Group, a hacking collective associated with North Korea, which reportedly siphoned off 116,500 rsETH by feeding deceptive data into the verifier system and compromising external nodes. According to Chainalysis’s findings, the attack exposed an off-chain infrastructure flaw rather than a smart contract vulnerability.

In a swift response, KelpDAO halted its contracts and successfully blocked a further attempted theft of 40,000 rsETH (valued at around US$95 million or AU$132.1 million). Moreover, the Arbitrum Security Council moved to freeze 30,766 ETH linked to the attackers. Currently, approximately US$71 million (AU$98.7 million) in cryptocurrency is the subject of ongoing legal disputes in a federal court in New York.

Migration to Chainlink

In light of the exploit, KelpDAO plans to transition its rsETH from LayerZero’s omni-chain framework to Chainlink’s Cross-Chain Interoperability Protocol (CCIP). Chainlink CCIP employs a more robust setup involving 16 independent node operators to authenticate cross-chain transactions, replacing the verifier infrastructure that was compromised in the exploit.

Following the event, the broader decentralized finance (DeFi) sector has experienced significant turbulence. For instance, liquidity available in Aave’s V3 Ethereum Core dropped from US$9.77 billion (AU$13.58 billion) to US$5.75 billion (AU$7.99 billion) within 29 hours. Concurrently, Wrapped ETH (WETH) liquidity plummeted from US$689 million (AU$957.7 million) to US$1.5 million (AU$2.1 million) as utilisation rates soared to 100%.

As KelpDAO prepares for its migration, the implications of the exploit extend beyond its own operations, as the entire DeFi landscape grapples with the repercussions of security shortcomings and the need for enhanced protection measures.

