BRIDGE OVER TROUBLED WATERS: Kelp DAO Exploit Sends DeFi Into A $300M Panic As Projects From ApeCoin To Pengu Close Their LayerZero Bridges
Kyle
4 days ago
3 min read
A storm of fear, uncertainty, and doubt hangs over crypto after attackers drained nearly $300 million from Kelp DAO’s LayerZero powered bridge, prompting users to pull funds from DeFi protocols and sending projects scrambling to secure themselves against similar exploits and potential contagion.
On Saturday, Kelp DAO, a major liquid restaking protocol on Ethereum, had its LayerZero powered crosschain bridge compromised. The bridge issues rsETH, a token that represents a share of restaked Ethereum in the system, and attackers ultimately made off with roughly 116,500 rsETH.
From there, the attackers moved to Aave, the world’s leading DeFi lending protocol, where they deposited the compromised rsETH as collateral, borrowed large amounts of WETH, and effectively left Aave holding hundreds of millions of dollars worth of potentially worthless rsETH.
Following the attack, Aave paused its rsETH markets and took to the timeline to update the space this afternoon.
“According to our analysis, rsETH on Ethereum mainnet is fully backed,” the dApp tweeted. “Out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped. WETH reserves also remain frozen across affected markets including Ethereum, Arbitrum, Base, Mantle, and Linea. Aave is actively validating information and assessing potential resolutions.”
While that message may sound reassuring, Yuga Labs VP of Blockchain 0xQuit noted that the wording raises concerns for anyone holding rsETH outside of Ethereum mainnet, especially since rsETH and Kelp DAO operate across multiple chains via LayerZero.
“The Aave situation is bad and getting worse,” 0xQuit wrote. “Multiple other pools are hitting 100% utilization, leaving lenders stuck and the protocol at risk of further bad debt. Lending rates have increased to 10-15%, a notable increase but still not an appropriate reward for the perceived risk of potentially backstopping a $300m hole. The market is demanding clarity - who will be saddled with the bad debt from rsETH? Once that it cleared up, I expect panic to subside. Trust in Aave and defi will remain lower than before, but it may be enough to get the machine churning again at a lower TVL. Lots of uncertainty right now with zero comms from LZ or Aave, and markets hate uncertainty. To be clear I think there is a path forward here to rebuild trust and escape without incurring more bad debt, but the longer resolution takes the harder it gets. Hopefully we get answers soon.”
As we wait to find out who will cover this nine-figure hole in the DeFi market, projects like Tron, Pengu, Moca, ApeChain, and others have paused their LayerZero bridges until the crypto world has a better understanding of how this happened.
“ApeChain is not affected by the Kelp DAO situation,” ApeCoin tweeted.” Out of an abundance of caution, we've decided to pause any bridges that rely on Layer0 until we have a full understanding of the situation. There's no need to move things around. There are plenty of bridges if you want to bridge for any reason. “
Pudgy Penguins' Beau echoed ApeCoin's concerns tweeting, "PENGU has not been affected by the rsETH exploit. Out of an abundance of caution, we've temporarily paused PENGU OFT bridges that rely on Layer0 until we gain a full understanding of yesterday's exploit. We'll provide an update once bridging has been restored."
For a full list of projects that have paused their Layer Zero bridges, check out the thread below:
LayerZero has said they are working to determine exactly how the rsETH exploit occurred and plan to publish a complete post-mortem with Kelp DAO soon.
The Gazette will continue to follow all things DeFi and LayerZero and will let you know when we have more answers than questions. Stay tuned for updates!
Comments