TLDR
- Kelp exploit linked to a single DVN setup, exposing a critical weakness in cross-chain verification systems used by the protocol.
- Around $290M in rsETH was drained, with early signs pointing to North Korea-linked threat actors behind the attack.
- Aave now faces nearly $195M in bad debt after an attacker used stolen assets as collateral to borrow liquidity.
- Falling ETH liquidity on Aave raises risks, with potential liquidation issues if prices drop sharply in current conditions.
LayerZero has attributed the $290 million Kelp exploit to a flawed verifier setup, drawing attention to risk management across DeFi systems. The incident has also raised concerns around Aave’s exposure, as users question how losses from the Kelp exploit will be handled.
Kelp exploit traced to single verifier setup
The Kelp Hack has been linked to a configuration issue involving LayerZero Labs and Kelp DAO. According to LayerZero, Kelp relied on a single decentralized verifier network path, creating a point of failure.
LayerZero explained that Kelp used a 1/1 DVN setup despite earlier guidance recommending multiple verifiers. This structure allowed attackers to bypass safeguards and execute the Kelp Hack without additional verification layers.
In a public statement, LayerZero reiterated that it had communicated best practices earlier. The company stated that relying on one verifier path weakened the system’s resilience against attacks.
The attacker drained about 116,500 rsETH during the Kelp Hack, valued at nearly $293 million. Early assessments suggest links to North Korea-associated threat actors, though investigations are still ongoing.
LayerZero clarified that its core protocol remained intact during the Kelp exploit. It stressed that the issue stemmed from application-level configuration rather than a breach of its infrastructure.
The company also announced plans to stop supporting applications using single verifier setups. It is urging all projects to adopt multi-DVN configurations to prevent another Kelp Hack.
Aave faces pressure as bad debt concerns grow
The Kelp exploit quickly spread risk into Aave, where stolen assets were used as collateral. The attacker borrowed liquidity, leaving the protocol with nearly $195 million in bad debt.
As a result, Aave’s total value locked dropped sharply, falling to around $17.5 billion. This decline followed large withdrawals triggered by uncertainty linked to the Kelp exploit.
Market participants have begun debating who should absorb losses from the Kelp exploit. Some argue that Kelp DAO should take responsibility, while others point toward LayerZero or Aave.
In a statement referenced during discussions, OneKey CEO Yishi Wang suggested negotiating with the attacker. He proposed offering a 10% to 15% bounty to recover most funds tied to the Kelp exploit.
Meanwhile, DeFiLlama’s founder outlined several recovery paths in another post. These included distributing losses among users or attempting to restore balances before the Kelp exploit occurred.
Concerns have also grown around Ethereum liquidity within Aave following the Kelp exploit. Reduced liquidity levels have raised fears about potential liquidation challenges during market stress.
Analysts warned that a 15% to 20% drop in ETH prices could worsen the situation. Under such conditions, Aave may struggle to process liquidations efficiently, increasing exposure to further bad debt.
The Kelp exploit has, therefore, placed multiple protocols under scrutiny. Questions remain about accountability, recovery strategies, and how similar risks can be managed across interconnected systems.
