Root cause now fully on-chain. The rsETH OFT Adapter on mainnet trusted a LayerZero message from EID 30320, peer 0xc3eACf06…09f58, and released 116,500 rsETH ($293.5M) from escrow in a single lzReceive call. LayerZero Scan labels that source peer “Kelp DAO.” Meaning it was Kelp’s own legitimately-deployed peer contract, with 308 prior message nonces on that pathway. This is not setPeer injection. This is key compromise on the source chain. IMPORTANT: Not a LayerZero protocol bug. An OApp peer-trust bug. Full forensics, attacker cluster, and Aave bad debt flow in the thread below.
Share
Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information.
Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.