An attacker has siphoned over $290 million from the Kelp DAO ecosystem across the Ethereum and Arbitrum networks.
Lending protocols had to urgently enact emergency protective measures to contain the financial contagion from the breach, which centered on the rsETH cross-chain bridge.
The price of the Aave (AAVE) token has plunged by roughly 18% as a result of the devastating exploit.
The root cause
According to on-chain forensics provided by security analytics firm D2 Finance, the vulnerability was not a flaw within the underlying LayerZero infrastructure.
Instead, the exploit has been identified as an "OApp peer-trust bug," which stems from a severe key compromise on the source chain.
The attacker managed to compromise a legitimately deployed Kelp DAO peer contract.
The attacker’s initial addresses were funded via the cryptocurrency mixer Tornado Cash to obscure their tracks prior to the breach.
Leveraging stolen funds
After securing the massive trove of rsETH, the exploiter did not immediately attempt to cash out.
Instead, they moved to leverage the stolen assets across major DeFi lending markets.
Blockchain security firm PeckShield revealed that the attacker aggressively deposited the stolen rsETH as collateral to borrow Wrapped Ethereum (WETH).
The exploiter's consolidated holdings currently exceed 106,400 ETH, valued at nearly $250 million.
Emergency response
Aave officially announced the freezing of all rsETH markets across its V3 and V4 deployments, stripping the asset of all borrowing power. Aave founder Stani Kulechov was quick to reassure users that Aave's core smart contracts remain secure and were not exploited.


Dan Burgin
U.Today Editorial Team