Last month, the entire decentralized finance sector experienced the biggest cyber attack on one of its cross-chain bridges, which shook the entire community. On April 18, Kelp DAO, a popular liquid staking protocol, faced a bizarre hack and lost approximately $292 million in rsETH tokens after its cross-chain bridge linked to LayerZero got exploited in the cyber attack.
What makes this cyber attack dangerous is that it did not happen only due to a bug in its smart contract in Kelp DAO. Instead of that, this exploitation was a very cleverly launched cyber attack, which included an attack on infrastructure along with a single point of failure in verification, and many more.
According to cyber experts, this attack was directly linked to North Korea’s Lazarus Group. This attack has clearly exposed that some cross-chain bridges still lacks security releated issues. This attack has highlighted weaknesses present in the DeFi sector. After this attack, rsETH, restaked Ethereum for yield, has quickly become unbacked on a huge level. This attack has created panic in the entire DeFi sector.
How Kelp DAO Got Exploited on April 18
According to some experts, hackers have managed to launch an attack on Kelp DAO’s bridge by using LayerZero’s Omnichain Fungible Token (OFT) standard. By doing this, hackers were able to transfer rsETH between different blockchain networks such as Ethereum, Arbitrum, and others. During this attack, Kelp DAO had around 156,000 rsETH locked in the Ethereum-based escrow for bridging.
In this attack, hackers first created funding wallets by using privacy tools around 10 hours before the main attack. One of the major problems in Kelp DAO is that it was using a 1-of-1 Decentralized Verifier Network. In simple words, it was using only one verifier to approve a cross-chain message for it to approve it.
After launching the attack, hackers took control of internal RPC nodes, which are generally servers that are responsible for blockchain-based data requests. These RPC nodes were linked to the verification system.
At the same time during this attack, hackers also launched a DDoS attack on the external RPC nodes to take them offline during this attack.
This initial attack created a system that was fully dependent on the nodes controlled by attackers. After this attack, the attackers sent a fake message in which they claimed that rsETH had been burned on another chain. In reality, there was no such burning event for tokens.
The single verifier has approved the “forged packet.” By doing this, they smartly deceived the bridge on the Ethereum side into transferring 116,550 rsETH to an address owned by hackers. This was around 18% of the supply at that time. The irony is that this whole attack was looking legit on the blockchain because the contracts worked in the right way. In this attack, no smart contract was compromised or exploited.
After this attack came to light, the Kelp DAO team noticed unusual activity and decided to pause smart contracts within 46 minutes using their emergency multisig. This action has prevented the attackers from stealing more funds, as they were blocked.
However, attackers have quickly moved the stolen rsETH. They swapped these tokens into Ethereum and moved across different chains. To hide their footprints, hackers have also deleted logs and malware traces.
How AAVE and Entire DeFi Sector Faced Scars of Kelp DAO Attack
While the main attack took place on Kelp DAO, the real problem was that the attack spread across different chains and protocols. After stealing money, attackers have placed large amounts of the unbacked rsETH as collateral on major lending platforms, including AAVE. In return, they got real WETH against the fake collateral. This has created bad debt across Aave and many other protocols.
Aave is one of the biggest lending protocols in the DeFi world. This bad debt news has created panic among its users as well as the DeFi community. Users have started pulling out their money from the protocol because they think that this attack would create turmoil in the protocol.
In just 48 hours, Aave lost around $6 billion to $8.5 billion. At the same time, the total value locked across all DeFi dropped by $13 billion. Some pools became dry after the usage rate increased by 100%, which means that there was almost no liquidity available for withdrawals. In just a short time, the AAVE token price has plunged by around 18%. The entire staking and liquid staking sectors crumbled by this attack, as users thought that it could create problems in more protocols.
(Source: Chainalysis)
On April 20, the Arbitrum Security Council announced that it used its power to freeze around 30,766 Ethereum, which is worth around $71 million, linked to the hacker on Arbitrum. They have moved these stolen tokens to a wallet managed by the governance system.
This was not simple freezing, as Arbitrum has made a temporary upgrade to the contract so that they could send a message on behalf of the attacker address.
AAVE and Partners Launched “DeFi United”
As this cyber attack has created bad debt, the DeFi community came together to work on plan how to cover this loss from the Kelp DAO hack. Aave and its partners launched a program called “DeFi United”, which is a joint recovery effort. One after another, many protocols and DeFi entities have joined this program.
This group of DeFi entities has raised around $300 million, as contributions came from various decentralized autonomous organizations (DAOs) and protocols like Ether.fi. The main purpose of this recovery effort is to restore balanced backing for rsETH by depositing Ethereum in different stages.
This group has also released detailed technical plans for covering bad debt. These plans also include compensation for affected users to bring stability in the DeFi sector.
As of now, the team has carried out liquidations of the exploiter positions on both Ethereum and Arbitrum. On the other hand, the collateral was transferred to a recovery guardian for keeping it safe. They have also created a schedule for payouts for affected users who lost their money in this incident.
Lessons
Kelp DAO hack has given two major lessons which DeFi community must focus on. The first one is the single points of failure in the Kelp DAO hack, which is very dangerous. By trusting only 1 of 1 verifier, the entire system became as strong as its single link. These protocols must integrate multi-DVN infrastructure or any other strong decentralized verification.
The second biggest lesson of this attack is that the cross-chain bridges are still so vulnerable to cyber attacks. Even if there is no bug present in the smart contract, hackers can still exploit them by attacking RPC nodes.
In order to grow the DeFi sector, it is very important to address these issues before it’s too late.
Also Read: How Institutions Invest in Secure Crypto Custody
See less
