- KelpDAO claimed that the $292 million to $294 million heist over the weekend was an attack on LayerZero’s infrastructure.
- The foundation’s statement came in response to LayerZero’s claim that Kelp failed to leverage LayerZero’s full security stack.
KelpDAO, a liquid restaking protocol, was at the center of a controversy over the weekend following a $292 million to $294 million exploit. The foundation took plenty of heat following allegations that it passed over LayerZero’s (ZRO) full security stack in favor of convenience and cost savings.
On Monday evening (UTC), Kelp released its own official findings on the incident. This time, the report claimed that the attack targeted LayerZero’s infrastructure and was not a fault limited to Kelp’s own platform.
What Happened to Kelp?
On Saturday evening, Kelp posted a notice to users, warning them about a “suspicious cross-chain activity” involving its Restaked ETH (rsETH). The activity forced the organization to pause its rsETH contracts across the mainnet and Layer 2 (L2) networks as an initial response.
Behind the scenes, the hacker found an exploit that tricked the system into minting 116,500 rsETH worth $292 million to $294 million. Then, the perpetrator deposited the fraudulent assets into Aave (AAVE) as collateral to borrow 106,497 Ethereum (ETH).
Kelp was not the only one affected by the attack: Aave also saw a significant volume of withdrawals after being dragged into the affair. The event led TRON (TRX) founder Justin Sun to propose mediating between the hacker and KelpDAO to contain the potentially broader chain reaction resulting from the incident.
According to LayerZero’s probe, the North Korean hacking outfit Lazarus Group was behind the heist. The probe also confirmed Ripple CTO Emeritus David Schwartz’s suspicion that Kelp failed to take advantage of the omnichain interoperability platform’s advanced security features, including the recommended multi-DVN (Decentralized Verifier Network) configuration for network diversity and redundancy.
KelpDAO’s Official Statement
KelpDAO’s write-up titled “April 18 Incident: Additional Context” detailed its own account of the controversy. It highlighted that two RPC (Remote Procedure Call) nodes hosted by the LayerZero DVN were compromised.
From there, the culprit launched a simultaneous DDoS (Distributed Denial-of-Service) attack against a third RPC node. Kelp called it an “attack on LayerZero’s infrastructure” and denied that its own systems were involved in building or operating that infrastructure.
Furthermore, Kelp emphasized that LayerZero shipped its DVN under a default 1-of-1 configuration. The liquid restaking platform has been utilizing that same setup since January 2024.
The foundation admitted that the question of its DVN specs came up during its L2 expansion. However, it argued that the default settings were sufficient at that time.
Kelp urged the other parties involved to establish a “shared and accurate account of what happened” to ensure proper evaluation of the case and cooperation among them. The organization gave assurances that it had already prevented a possible contagion of the heist across decentralized finance (DeFi), and said it is working with Aave, LayerZero, and other key stakeholders to evaluate next steps to avoid similar attacks in the future.
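The difference between the 1-of-1 setup and a multi-DVN setup can be shown with a simplified model (an added example, not code from KelpDAO, LayerZero or either report). The DVN and RPC node names, the payload hashes, the `min_nodes` health check and the rule that a DVN attests only when its reachable RPC nodes agree are all assumptions made for illustration.

```python
# Simplified model, not LayerZero or KelpDAO code. All names and values are constructed.
REAL, FORGED = "0xREAL", "0xFORGED"   # placeholder payload hashes

def dvn_attest(rpc_views, min_nodes=1):
    """Return the hash a DVN would attest to, or None if it should refuse.

    rpc_views: node name -> hash reported by that RPC node, None if unreachable.
    min_nodes: hypothetical health check, minimum number of nodes that must answer.
    """
    answers = [h for h in rpc_views.values() if h is not None]
    if len(answers) < min_nodes or len(set(answers)) != 1:
        return None          # too few nodes answering, or they disagree: refuse
    return answers[0]

def verified(payload_hash, attestations, dvn_set, threshold):
    """Receiver-side rule: at least `threshold` DVNs in dvn_set attested to payload_hash."""
    votes = sum(1 for d in dvn_set if attestations.get(d) == payload_hash)
    return votes >= threshold

def scenario(min_nodes=1):
    """Incident as described above: DVN A has two poisoned RPC nodes and one unreachable."""
    dvn_a = dvn_attest({"rpc1": FORGED, "rpc2": FORGED, "rpc3": None}, min_nodes)
    # DVN B is an assumed independent operator with its own, unaffected RPC nodes.
    dvn_b = dvn_attest({"rpcX": REAL, "rpcY": REAL}, min_nodes=1)
    att = {"dvn_a": dvn_a, "dvn_b": dvn_b}
    return {
        "1-of-1 accepts forged": verified(FORGED, att, ["dvn_a"], 1),
        "2-of-2 accepts forged": verified(FORGED, att, ["dvn_a", "dvn_b"], 2),
        "2-of-2 accepts real": verified(REAL, att, ["dvn_a", "dvn_b"], 2),
    }

if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label}: {result}")
    print("with min_nodes=3:", scenario(min_nodes=3))
```

In this model the 2-of-2 setup rejects the forged payload but also stalls the real one until DVN A recovers, so it fails closed. Requiring all three RPC nodes to answer makes DVN A refuse to attest even under 1-of-1.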







