Home
News
Details

2.9 Billion Theft Sparks Responsibility Debate Between Aave, LayerZero, and Kelp DAO

iconOdaily
Share
Share IconShare IconShare IconShare IconShare IconShare IconCopy
This is the logo of the coin.
ETH
$2,317.530.51%
This is the logo of the coin.
LDO
$0.379-0.52%
This is the logo of the coin.
AAVE
$95.7712.51%
This is the logo of the coin.
XRP
$1.43080.09%
This is the logo of the coin.
BTC
$77,722.900%
AI summary iconSummary

expand icon
A $2.92 billion theft from Kelp DAO’s rsETH bridge has sparked a dispute over responsibility between Aave, LayerZero, and Kelp DAO. LayerZero blames Kelp DAO for its 1/1 DVN configuration, while Aave faces criticism for granting lending permissions to rsETH. Kelp DAO is now insolvent, leaving Aave and LayerZero to negotiate. Aave recently clarified that rsETH on the Ethereum mainnet is fully backed, possibly to protect its core product. Technical analysis for crypto suggests market sentiment remains cautious as the situation develops.

Original | Odaily Planet Daily (@OdailyChina)

Author | Azuma (@azuma_eth)

More than 30 hours have passed since the rsETH bridge contract of Kelp DAO was compromised. Although the involved parties (LayerZero, Kelp DAO, Aave) have gradually issued statements—primarily deflecting blame and emphasizing their own innocence—they have yet to provide a final resolution.

Therefore, this article aims to discuss the current positions and attitudes of the parties involved, explore the reasons for the delay in finalizing the proposal, and attempt to speculate on how the event might ultimately be resolved.

Odaily note: For background, see "DeFi Again Hacked for $292 Million—Is Aave No Longer Safe?".

Who should be held responsible?

First, let's discuss the issue of responsibility assignment.

According to details disclosed by LayerZero, the immediate cause of the incident is now clear: the downstream RPC infrastructure relied upon by LayerZero’s decentralized validator network (DVN) was compromised (see analysis by Yu Xian, founder of SlowMist), and since Kelp DAO’s bridge contract uses a 1/1 DVN configuration, an attacker needed only to forge a single message validation to successfully execute the attack.

LayerZero considers Kelp DAO, which adopted a 1/1 DVN configuration, to be the most directly responsible party in this incident. There’s nothing to say—such an obvious single point of failure is truly outrageous.

However, as the underlying cross-chain protocol, LayerZero should also bear partial responsibility. LayerZero allows each upper-layer application to independently configure the number and threshold of DVNs; although the 1/1 DVN configuration was chosen by Kelp DAO, as the designer of the underlying architecture, LayerZero should have avoided this clearly flawed setup.

Finally, there are lending protocols like Aave (with a focus on Aave here). Although they are also indirect victims, objectively speaking, Aave granted excessive borrowing limits to LRT assets such as rsETH in pursuit of expansion, directly leading to its current precarious position. Notably, Aave’s former risk management team, BGD Labs (which has since parted ways with Aave), explicitly flagged the DVN issue with Kelp DAO back in January last year. Kelp accepted the recommendation at the time, but clearly made no changes... Aave’s failure to continue monitoring and take appropriate action is therefore self-inflicted.

The responsibility is clearly defined: Kelp DAO is primarily responsible, LayerZero is secondarily responsible, and Aave also bears some indirect responsibility.

The awkward reality

The real-world situation is always more complex than theoretical expectations. The most critical issue is that the Kelp DAO team, which bears primary responsibility, cannot come up with enough funds to cover the shortfall... Whether it's directly writing off losses from all rsETH or betraying Layer2 holders, both paths are essentially dead ends.

So who has the money? The first is LayerZero, which has suffered a reputational crisis due to this incident and has been temporarily suspended by multiple institutions and protocols including Bitgo, Tron, Ethena, Curve, and ether.fi, watching as it may lose a significant portion of its cross-chain share. The second is Aave, which faces massive potential bad debt and is seeing tens of billions of dollars in TVL drain away.

So now the motives of all parties are clear. The primary responsible party, Kelp DAO, is essentially paralyzed and unable to lead subsequent compensation efforts—it must consult with the two major players on what to do next. Meanwhile, the secondary and indirect responsible parties, LayerZero and Aave, have both stated that their protocols have no vulnerabilities, making it clear they have no intention of easily taking on such a massive burden... Thus, the situation now appears to be at a standstill.

But I don’t believe this situation will last long, as both protocols have a strong incentive to resolve the issue quickly—LayerZero cannot afford to abandon its OFT cross-chain ecosystem, and Aave cannot ignore the ongoing outflow of its existing funds.

The key point of contention among all parties

This morning, Aave issued an update regarding this incident, with the most important point being that Aave emphasized "rsETH on the Ethereum mainnet is fully backed."

How should this sentence be understood? It requires an explanation of rsETH's design.

rsETH is a liquid restaking token issued by Kelp DAO, with each rsETH backed by 1 ETH actively staked and restaked in the system, following the path: "ETH - Lido - EigenLayer - Kelp DAO - rsETH".

rsETH on the mainnet is the original receipt token issued by Kelp DAO on Ethereum. To expand within the Layer2 ecosystem, Kelp DAO uses LayerZero’s cross-chain bridge contract (the component involved in this incident) to map mainnet rsETH to various Layer2 networks. For every 1 rsETH issued on a Layer2, an equivalent rsETH on the mainnet is locked in Kelp DAO’s custodial contract and will only be released when the Layer2 rsETH is bridged back to the mainnet.

Alright, let’s return to the incident itself. As mentioned earlier, the cause of the theft was that the hacker deceived DVN to forge a cross-chain message, causing the bridge contract to “incorrectly release” 116,500 rsETH—note that this did not involve minting new coins out of thin air, but rather retrieving original tokenized assets from the mainnet that should not have been released.

The issue is precisely this: these tokens were already circulating on Layer 2 via mapping, while the tokens on the mainnet were locked. However, after the hack, the attacker deposited them into lending protocols like Aave and borrowed more liquid WETH, enabling their escape—again, emphasize that the rsETH deposited by the hacker was genuine, which is why Aave supported collateralized lending for this token.

It’s now interesting to revisit Aave’s statement. The claim that “rsETH on Ethereum mainnet is fully backed” essentially means: “These tokens are real—Kelp DAO, you should support us in redeeming these for the underlying ETH (contract paused, redemptions currently unavailable)... As for the Layer2 mapped versions of rsETH that have lost their mainnet backing, I can’t do anything about those!”

This is likely Aave’s preference. Although emphasizing the value of mainnet rsETH means disregarding the value of the Layer 2 mapped version of rsETH, and given that Aave itself holds a certain amount of rsETH debt positions on Layer 2 (currently $359 million), this could also lead to some bad debt. However, choosing the lesser of two evils, Aave has probably assessed the potential impacts of both options and determined that preserving its core mainnet product better aligns with its maximum interests.

But this is only Aave's stance; the final resolution will depend on whether agreement can be reached with LayerZero and Kelp DAO.

Although the latter has not yet issued any further statement, I personally believe LayerZero will find it difficult to accept this proposal, as abandoning Layer2 mapped tokens would directly threaten LayerZero’s cross-chain reputation.

Potential solutions

Problems will eventually be solved. Over the past couple of days, various industry leaders on social media have been offering advice to Aave, LayerZero, and Kelp DAO.

DefiLlama founder 0xngmi has outlined three possible paths, but noted that each has significant flaws. The first path involves all rsETH holders collectively bearing a 18.5% value write-down (ratio of lost tokens to issued tokens), with Kelp DAO absorbing the loss and Aave shouldering approximately $216 million in bad debt on mainnet; the second path disregards the value of all Layer2-mapped rsETH, preserving Aave’s mainnet product but likely causing the Layer2 ecosystem to collapse and reducing Kelp DAO’s reputation to zero; the third path entails fully reimbursing rsETH holders as of a snapshot taken before the hack, while later buyers or transferees bear their own losses—but due to significant token movement after the attack, this approach is practically unfeasible to implement.

OneKey founder Yishi said: “The best outcome now is to negotiate with the hackers and offer a 10–15% bounty to recover the majority, leaving everyone satisfied. If negotiations fail, the LayerZero ecosystem fund should cover the bulk—it has the most resources and the strongest long-term interests, and even if it incurs losses, it can preserve the OFT ecosystem. Kelp DAO is the poorest; it must either compensate with tokens plus future revenue, or sell the entire project outright to LayerZero or Bitmine. Aave’s Umbrella and stkAAVE serve as the final safety net, but WETH depositors must not suffer any value write-downs; otherwise, Morpho, Spark, Fluid, and Euler would all be repriced, the LRT sector would be blacklisted, and the entire DeFi industry would regress by three years.”

In any case, all parties will surely continue to argue for some time, given that hundreds of millions of dollars are at stake, and no one wants to be the biggest sucker.

As for how much more time is needed to deliver a solution, as mentioned earlier, neither of the two giants can afford to delay much longer. LayerZero is currently being forcibly paused by its numerous partner institutions and protocols; if this continues, these partners will inevitably switch to alternative cross-chain pathways. Aave’s situation is no better—multiple liquidity pools have reached 100% utilization, leaving depositors effectively locked in... If ETH were to plummet suddenly, Aave could face even more bad debt due to its inability to execute effective liquidations (which is already the case today), causing problems to snowball out of control. If this happens, the very foundation of the industry could be undermined—clearly, no one wants to see such a scenario unfold.

Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.