Over the weekend, KelpDAO got exploited for $290M in rsETH. KelpDAO uses LayerZero as their cross-chain bridge, and the LZ team wrote a post-mortem that blamed KelpDAO, and KelpDAO only, for the incident. Here's how the hack went down. Basically, the attacker compromised a subset of RPCs used by a single DVN (Decentralized Verifier Network) integrated by KelpDAO, DDoS’d the honest endpoints, then used the poisoned ones to forge a cross-chain message. Yes, KelpDAO should not have used a single DVN to secure their bridge instance. That was dumb. But do you know who runs that single DVN - the one where the RPCs were compromised? LayerZero Labs - the developers of the bridge. Clearly KelpDAO isn't the only one to blame here. My questions: 1) How did attackers get access to LayerZero Labs' RPC infra? 2) Why are single DVNs even allowed? 3) How should we think about minimum standards for cross-chain security today: number of DVNs, diversity of infra providers, or some explicit “no single point of failure” benchmark? Tough time for DeFi right now. Here is the brutal post-mortem: https://t.co/P647A4QdpQ
Share
Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information.
Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.