Kelp DAO Hack Sparks Debate on Cross-Chain Bridges and Layer 2 Security

Summary

A recent security breach at Kelp DAO has drawn attention to the security of cross-chain bridges and Layer 2 networks. The exploited bridge ran LayerZero's default single-verifier (1/1) configuration, which has drawn sharp criticism. Arbitrum froze and transferred 30,766 ETH (about $71 million) out of the hacker's address, fueling debate over centralization. The incident has reignited the discussion of how to balance decentralization and security in DeFi.

Author: Gu Yu, ChainCatcher

More than 40 hours after the theft, the ripple effects of the Kelp DAO incident continue to unfold, drawing in an increasing number of prominent projects such as Aave, LayerZero, and Arbitrum, and even putting some popular narratives on trial.

Prominent KOL Feng Wuxiang stated on X that only ETH is safe now, and that ARB has also authorized the freezing of customers' assets: none of the L2s are true L2s anymore; L2s rose with Arbitrum, and they will fall with Arbitrum.

Another well-known KOL, Lanhu, stated that the biggest loser in this Kelp incident was not Aave or Kelp but LayerZero; however, it was too short-sighted to recognize the true nature of the event. The essence of this incident was not a refutation of L2s (even fake L2s are acceptable) but a refutation of cross-chain bridges.

Increasingly heated opinions are emerging in the public discourse, with the parties involved each sticking to their own claims and blaming one another, making the Kelp DAO theft incident a typical window for observing the allocation of security responsibility and the conflict between pragmatism and technological fundamentalism.

I. Has L0 been disproven? Cross-chain bridges become the biggest losers

The key event was LayerZero's detailed incident report released yesterday, which preliminarily attributes the attack to the Lazarus Group, believed to have North Korean ties. The attackers compromised the downstream RPC infrastructure that the Decentralized Verifier Network (DVN) relies on to read the source chain, taking control of certain RPC nodes and coordinating a DDoS attack against the remaining healthy ones so that the DVN failed over to the malicious nodes, which then fed it a forged view of the source chain and allowed fake cross-chain messages to be verified.

“Using compromised nodes to poison the RPC infrastructure, combined with DDoS attacks on unaffected RPCs to force a failover, is an extremely sophisticated approach. This is essentially infrastructure warfare,” said Samuel Tse, Head of Investment and Partnerships at Animoca Brands.

At the end of the report, LayerZero stated that the protocol operated exactly as intended throughout the incident. No vulnerabilities were found in the protocol. The core feature of LayerZero’s architecture is modular security, which in this case perfectly achieved its intended goal by isolating the entire attack to a single application—resulting in zero contagion risk, with no impact on other OFTs or OApps.

This complete abdication of responsibility became the catalyst for a massive public backlash, with many prominent industry figures expressing dissatisfaction with LayerZero’s performance in this incident.

“L0 cleaned its hands completely, putting all the blame in the entire article on KelpDAO’s misconfiguration, claiming it had zero issues itself. Amazing. Why was a 1/1 configuration even allowed? How did the attacker gain access to the internal RPC list? Why did the failover logic, after the DDoS attack, blindly trust the compromised RPC without halting validation or even taking any minimal action?” asked renowned industry researcher CM.

“This deliberate avoidance makes me uncomfortable. The statement clearly says, ‘The protocol is operating exactly as expected.’ The attack was described as an RPC node compromise and RPC poisoning. But RPC poisoning is not what happened; their own infrastructure was breached and compromised. Since the statement doesn’t explain how the breach occurred, I won’t rush to re-enable the bridge,” said renowned DeFi developer banteg.

Kelp DAO also issued an official statement, noting that the single-verifier (1/1) configuration that made this attack possible was not a choice made in disregard of recommendations, but rather the default setting in LayerZero’s official guidelines, and that the DVN exploited by the attacker is LayerZero’s own infrastructure.

According to Dune's analysis, of the 2,665 OApp contracts built on LayerZero, 47% use a 1/1 DVN configuration, meaning a single DVN's attestation is enough for a message to be delivered; compromising that one verifier is therefore sufficient to forge messages, which significantly amplifies industry-wide risk.
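The two weaknesses discussed above, a fail-open RPC failover inside a single verifier and an application configuration that requires only that one verifier, are easiest to see side by side. The following Python model is an added example written for this article; it is not code from LayerZero, Kelp DAO or any DVN operator. The endpoint names, the RPC pool layout, the payload hashes and the `UlnConfig`-style structure are constructed for illustration, and the quorum check is a generic N-of-M agreement rule rather than LayerZero's actual DVN implementation.

```python
"""Toy model of a DVN-style verification path with RPC failover.

Added illustration, not LayerZero's, Kelp DAO's or any DVN operator's code.
Endpoint names, pool layouts and payload hashes are constructed for the example.
"""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Callable, Dict, List, Optional


class RpcUnavailable(Exception):
    """Raised when an endpoint cannot answer (e.g. it is under DDoS)."""


@dataclass
class Rpc:
    name: str
    view: Dict[str, str]  # source-chain tx id -> payload hash this node reports
    up: bool = True

    def get_payload_hash(self, tx_id: str) -> Optional[str]:
        if not self.up:
            raise RpcUnavailable(self.name)
        return self.view.get(tx_id)


def failover_read(rpcs: List[Rpc], tx_id: str) -> Optional[str]:
    """Fail-open failover: the first endpoint that answers is trusted outright."""
    for rpc in rpcs:
        try:
            return rpc.get_payload_hash(tx_id)
        except RpcUnavailable:
            continue
    raise RpcUnavailable("no endpoint answered")


def quorum_read(rpcs: List[Rpc], tx_id: str, min_agree: int = 2) -> Optional[str]:
    """Fail-closed read: accept a value only if min_agree endpoints agree on it.

    Returns None (verification halts) when the reachable endpoints cannot
    reach agreement, instead of trusting whichever node is still up.
    """
    votes: Dict[Optional[str], int] = {}
    for rpc in rpcs:
        try:
            value = rpc.get_payload_hash(tx_id)
        except RpcUnavailable:
            continue
        votes[value] = votes.get(value, 0) + 1
    if not votes:
        return None
    best = max(votes, key=votes.get)
    return best if votes[best] >= min_agree else None


Reader = Callable[[List[Rpc], str], Optional[str]]


@dataclass
class Dvn:
    name: str
    rpcs: List[Rpc]
    read: Reader  # which failover strategy this verifier uses

    def verify(self, tx_id: str) -> Optional[str]:
        try:
            return self.read(self.rpcs, tx_id)
        except RpcUnavailable:
            return None


@dataclass
class UlnConfig:
    """Hypothetical mirror of a 'required / optional DVN' security stack."""
    required_dvns: List[Dvn]
    optional_dvns: List[Dvn] = field(default_factory=list)
    optional_threshold: int = 0


def dvns_to_compromise(cfg: UlnConfig) -> int:
    """Minimum number of DVNs an attacker must control to get a forged message verified."""
    return len(cfg.required_dvns) + cfg.optional_threshold


def message_verified(cfg: UlnConfig, tx_id: str, claimed_hash: str) -> bool:
    """Deliverable when every required DVN and enough optional DVNs attest to the hash."""
    required_ok = all(d.verify(tx_id) == claimed_hash for d in cfg.required_dvns)
    optional_ok = sum(d.verify(tx_id) == claimed_hash for d in cfg.optional_dvns) >= cfg.optional_threshold
    return required_ok and optional_ok


GENUINE = sha256(b"genuine bridge payload").hexdigest()
FORGED = sha256(b"forged mint of unbacked tokens").hexdigest()


def build_config(kind: str, read: Reader) -> UlnConfig:
    """Constructed scenario: DVN A's honest RPCs are knocked offline and a compromised
    endpoint in its failover list reports the forged hash; DVN B has an independent,
    healthy pool. kind is "1of1" (only A required) or "2of2" (A and B required)."""
    honest, poisoned = {"tx1": GENUINE}, {"tx1": FORGED}
    pool_a = [Rpc("a-primary", honest, up=False), Rpc("a-secondary", honest, up=False),
              Rpc("a-compromised", poisoned)]
    pool_b = [Rpc("b-primary", honest), Rpc("b-secondary", honest)]
    dvn_a, dvn_b = Dvn("A", pool_a, read), Dvn("B", pool_b, read)
    if kind == "1of1":
        return UlnConfig(required_dvns=[dvn_a])
    if kind == "2of2":
        return UlnConfig(required_dvns=[dvn_a, dvn_b])
    raise ValueError(kind)


def forged_message_accepted(kind: str, read: Reader) -> bool:
    return message_verified(build_config(kind, read), "tx1", FORGED)


if __name__ == "__main__":
    for kind in ("1of1", "2of2"):
        for read in (failover_read, quorum_read):
            print(f"{kind} + {read.__name__:<13}: forged accepted = {forged_message_accepted(kind, read)}")
```

Only the combination of a single required DVN and fail-open failover lets the forged hash through; either fix alone (a second independent DVN, or a verifier that halts when its endpoints disagree) blocks it. The fail-closed reader has a liveness cost worth noting: while DVN A's honest endpoints are down it will also refuse to attest to the genuine payload, so delivery stalls rather than proceeding on one node's word, which is the trade-off the critics above are asking for.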

More terrifying than the occurrence of problems is when parties refuse to acknowledge their mistakes or avoid them. LayerZero is the leading player in cross-chain messaging, and hundreds of crypto projects rely on its infrastructure to bridge tokens and assets across chains. If it continues to maintain an arrogant stance, it will inevitably further erode industry confidence in it.

The general consensus is that, although LayerZero was not directly hacked, it has suffered the greatest reputational damage—it must pay the price for “allowing weak configurations,” or else the cross-chain narrative will collapse.

In other words, LayerZero not only needs to propose clear technical improvements but also take on greater responsibility in the asset compensation plan.

II. Is Layer 2 Dead? Arbitrum’s Unprecedented Freeze

The discussion around Layer 2 stems from Arbitrum’s freezing action. At noon today, the Arbitrum Security Council announced that it had taken emergency action to rescue 30,766 ETH held by the hacker at an Arbitrum One address, currently valued at $71 million.

Arbitrum also stated that, after extensive technical investigation and deliberation, the Security Council identified and implemented a technical solution to transfer the funds to a secure location without affecting any other chain state or Arbitrum users. The original address can no longer access the funds, and only Arbitrum governance can take further action to transfer them, a move that will be coordinated with the relevant parties.

According to industry insiders, the Arbitrum Security Council used a privileged state-override transaction type (part of ArbOS, but virtually never used). The attacker's private key still controls the address and can still sign transactions from it; what changed is that the ETH balance at that address was moved by the chain itself.

This special transaction type does not require the attacker's private key at all and can only be injected by the chain (via the sequencer / ArbOS upgrade path, which is controlled by the Arbitrum Security Council).

It is reported that the Arbitrum Security Council consists of 12 individuals elected by the Arbitrum DAO, and any decision requires approval from at least 9 out of the 12 members.

A single stone stirs up a thousand waves. Previously, outside observers believed that Arbitrum, as a representative Layer 2 solution, did not have the capability or authority to handle users' ETH assets, as this would contradict the decentralized spirit of blockchain.

In past hacking incidents, stolen USDT and USDC were often frozen immediately by Tether and Circle to minimize user losses. ETH, as a native chain asset, had never before been frozen or transferred by the chain itself, which is why this move exceeded the expectations of the vast majority of users.

Many perspectives support Arbitrum’s approach, such as “All companies, banks, and regulated financial institutions will eventually adopt layer-two solutions. Operating like a centralized entity at critical moments is not a flaw, but an advantage.” However, this is not the case for many tech enthusiasts.

“No private key required, no authorization needed, direct transfers.” In many views, Arbitrum’s recent action has redefined the level of decentralization on Layer 2, causing unease among users on Layer 2.

Lanhu frankly stated that this incident has directly crossed the ideological red line of DeFi: "Not your keys, not your coins." This event once again brings us back to the classic dilemma in crypto: pragmatic security versus fully decentralized security.

Conclusion

When LayerZero said the protocol was operating exactly as intended, it maintained technical correctness but lost public opinion and trust; when Arbitrum used privileged transactions to transfer $71 million in ETH, it rescued user funds but severely damaged the decentralized narrative of Layer 2.

The Kelp theft incident has put two of the most popular narratives on trial: Are cross-chain bridges infrastructure or risk amplifiers? Are Layer2 solutions a reliable expansion of Ethereum, or just decentralized-looking secondary banks?

The LayerZero-based bridge was compromised through its single-verifier configuration, and Arbitrum used a privileged transaction approved by a centralized council vote to recover losses for LayerZero and Kelp DAO. This forms an extremely ironic closed loop: a protocol that touts decentralization collapsed through its “single point of failure,” and ultimately had to rely on another protocol’s “centralized privileges” to resolve the situation.

It forces the entire industry to confront a question that has never been directly answered: When the ideal of decentralization clashes with the real-world cost of security, which side are we willing to sacrifice?

The discussion of grand narratives is a focal point of public opinion, while user compensation plans are another practical focal point. Even though Arbitrum has recovered over $70 million through technical means, Aave still faces nearly $200 million in bad debt—how can users’ interests be properly protected and safeguarded?

In the vast majority of hacking incidents, losses in the millions of dollars are catastrophic for protocols, and user reimbursement efforts typically end in failure. However, this incident involves top-tier projects such as Aave and LayerZero, making their bad debt resolution plans highly anticipated.

Aave has today proposed two potential approaches for handling the bad debt: the first is to socialize the losses among all rsETH holders (chain-wide burden sharing), with Kelp DAO applying a uniform value write-down of approximately 15% to all rsETH (mainnet + L2); the second is to have only L2 rsETH holders bear the full losses, while mainnet rsETH retains its original value.

However, Kelp DAO and the official LayerZero team have not discussed their roles in the compensation plan. From LayerZero’s attempt in the report to distance itself from responsibility, it is clear that the project believes no responsibility means no obligation to provide compensation.

However, a protocol with a multi-billion-dollar valuation, relied upon as foundational infrastructure by hundreds of projects, choosing to “technically disclaim responsibility” for massive losses caused by the default DVN configuration is itself a profound irony regarding the very definition of “infrastructure.”

This is a classic prisoner’s dilemma, where every party in the crisis is trying to minimize its own losses by carving out its own interests rather than sharing responsibility to repair the industry’s trust deficit.

Judging by the damage this incident has done to every party involved, this may well be the most dangerous prisoner’s dilemma the DeFi space has ever faced.

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.