Inside the LayerZero-Kelp Hack: Could This Flaw Spark a Deeper Crisis for Aave?

Interoperability protocol LayerZero claims that an inadequate setup tied to Kelp’s decentralized verifier network (DVN) enabled malicious actors to steal $290 million from Kelp DAO, adding that preliminary signs point to North Korea-linked threat actors.

An attacker drained about 116,500 Restaked ETH (rsETH), worth roughly $292-$293 million at the time, from Kelp DAO’s LayerZero-powered rsETH bridge on Saturday.

LayerZero said Monday that the exploit stemmed from a single point of failure in Kelp’s setup, which relied on a single LayerZero DVN as the only verified path, despite LayerZero previously advising them against this.

“LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration.”

In practice, that meant Kelp relied on a single verification path for crosschain messages rather than requiring multiple independent checks.

The exploit quickly shifted attention from the technical cause to the question of who should absorb the losses, while the fallout spread into Aave, where the attacker used rsETH as collateral to borrow real liquidity.

Aave’s total value locked (TVL) has fallen by about $8.9 billion to $17.5 billion at the time of writing after the exploiter used the stolen funds to borrow on Aave, leaving about $195 million in “bad debt,” triggering withdrawals on the lending protocol.

LayerZero said Kelp’s rsETH bridge relied solely on the LayerZero Labs DVN, and argued that the incident reflected an unsafe application configuration rather than a compromise of LayerZero itself. The company said it is now urging all applications using 1/1 DVN setups to migrate to multi-DVN configurations and will stop signing or attesting messages for apps that retain the single verifier design.

Losses spark blame fight after $290 million Kelp exploit

With no recovery or compensation plan yet announced, users and market observers spent Monday debating whether losses should sit with Kelp DAO, LayerZero, Aave or rsETH holders themselves.

Yishi Wang, founder and CEO of open-source hardware wallet OneKey, said that the best path forward was to negotiate with the hacker, offer a 10% to 15% bounty, and get the bulk of the funds back.

“If negotiations fail, LayerZero’s ecosystem fund should foot the bulk of the bill—it’s got the deepest pockets and the most long-term skin in the game,” wrote the founder in a Monday X post, adding that Kelp DAO is “broke” and could make it up with tokens and future revenue, or consider selling the project.

Analytics platform DeFiLlama’s pseudonymous founder, 0xngmi, outlined three solutions, including the option to “socialize” losses among all users, “rug rsETH holders on L2s,” or try to return holder balances to a pre-hack snapshot, which would be “very hard to do,” he wrote in a Monday X post.

Cointelegraph reached out to Aave for comment, but had not received a response by publication.

Related: Hyperbridge attacker mints 1B bridged Polkadot tokens in $237K exploit

Exploit raises Aave liquidation risks

Investor concerns about the Kelp exploit have significantly reduced Ether (ETH) liquidity on Aave, the lending protocol’s core collateral asset.

This low liquidity presents a “critical safety risk where liquidations of ETH collateral cannot take place while markets are at 100% utilization,” said MoneySupply, the pseudonymous head of strategy at Aave competitor lending protocol Spark, in a Saturday X post.

“With current illiquidity conditions on Aave, a 15-20% ETHUSD price drop could cause significant bad debt accumulation (on top of any potential issues attributable to the direct rsETH exploit),” he said.

Aave said it immediately froze all rsETH in Aave v3 and V4, preventing further damage. Aave’s own smart contracts were not exploited.

Magazine: Meet the onchain crypto detectives fighting crime better than the cops