The trilemma under the 290 million hole: Who should foot the bill, Aave, L0, or Kelp?


Original | Odaily Star Daily (@OdailyChina)

Author | Azuma (@azuma_eth)

It has been over 30 hours since the rsETH bridging contract of Kelp DAO was exploited. The involved parties (LayerZero, Kelp DAO, Aave) have made some statements (mainly "passing the buck," emphasizing their own innocence), but no final solution has been offered yet.

Therefore, this article discusses the current positions and attitudes of the involved parties, explores the reasons for the delay in finalizing a solution, and attempts to speculate on how the situation might ultimately be resolved.

Odaily note: For background, see “DeFi is stolen again for $292 million, is even Aave unsafe now?”.

Who should be held responsible?

First, let’s discuss the issue of accountability.

According to the details LayerZero disclosed, the direct cause of the incident is quite clear: the downstream RPC infrastructure relied upon by the decentralized validator network (DVN) operated by LayerZero was compromised (see the analysis by SlowMist founder Yu Xian in the image below). Because Kelp DAO's bridging contract used a 1/1 DVN configuration, the attacker only needed to get one forged message verified to carry out the attack.

LayerZero believes that Kelp DAO, which employed a 1/1 DVN configuration, is the most directly responsible party for this incident. There is not much to say about this; such an obvious “single point of failure” is truly absurd.

However, as the underlying cross-chain protocol, LayerZero should also bear some responsibility. LayerZero allows each upper layer application to configure the number and threshold of DVNs themselves, and although the 1/1 DVN was a choice made by Kelp DAO, as the designer of the underlying framework, it should have also avoided a setup that has evident flaws.

Finally, there are Aave and other lending protocols (with a focus on Aave). Although they are also indirect victims, it can be said that Aave, for the sake of expansion, granted excessive lending permissions to rsETH and other LRT assets, which is also a direct reason for its current passive situation. It is also worth mentioning that Aave's former risk control team, BGD Labs (which has now parted ways with Aave), pointed out the issue of Kelp DAO's DVN last January, which Kelp acknowledged but seemingly did not modify... Aave's failure to continue oversight and take corresponding measures is also a case of self-inflicted harm.

Thus, accountability is very clear: Kelp DAO bears primary responsibility, LayerZero bears secondary responsibility, and Aave has some indirect responsibility.

The awkward reality

The reality is always more complex than theoretical expectations. The key issue is that Kelp DAO, which should bear the main responsibility, cannot come up with enough money to plug the hole... Whether it deducts the loss directly from all rsETH or backstabs Layer2 token holders, both are ultimately dead ends.

So who has the money? The first is LayerZero, which is facing a reputation crisis due to this incident and has already been temporarily banned by several institutions and protocols including Bitgo, Tron, Ethena, Curve, and ether.fi, possibly losing a large share of cross-chain business; the second is Aave, which is facing huge potential bad debts and is watching over a billion dollars in TVL evaporate.

So each party's ulterior motives are now quite clear. The party primarily responsible, Kelp DAO, is essentially paralyzed and unable to lead the subsequent compensation discussions; it needs to negotiate with the two big brothers. Meanwhile, both LayerZero and Aave, which have the capacity to provide compensation, have stated that their protocols do not have vulnerabilities, making it clear that they do not intend to easily take on such a significant burden... so the situation now seems a bit stuck.

However, I do not believe this situation will last too long, as both major protocols have a strong need to resolve the issue quickly—LayerZero cannot abandon its OFT cross-chain ecosystem; Aave also cannot ignore the ongoing outflow of its available funds.

The key to the game among parties

This morning, Aave released an updated statement on the incident. Its most important point is that Aave emphasized “the rsETH on the Ethereum mainnet is well supported.”

How should this statement be understood? It needs to start from the design of rsETH.

rsETH is essentially a liquid re-staking certificate token issued by Kelp DAO. Each rsETH is backed by 1 ETH held in the staking and re-staking system, along the path “ETH - Lido - EigenLayer - Kelp DAO - rsETH.”

The rsETH on the mainnet is the original certificate token issued by Kelp DAO on Ethereum. Later, to expand within the Layer2 ecosystem, Kelp DAO used LayerZero's cross-chain bridging contract (the component that failed this time) to map mainnet rsETH to various Layer2 networks. For every rsETH issued on Layer2, the corresponding mainnet rsETH is deposited in Kelp DAO's custody contract and is released only when the Layer2 rsETH crosses back to the mainnet.

Now, back to the incident itself. As mentioned earlier, the hacker forged cross-chain messages by deceiving the DVN, causing the bridging contract to “erroneously release” 116,500 rsETH. Note that this did not create new coins out of thin air; it withdrew original certificate tokens from the mainnet that should not have been released.

The problem lies here: these tokens had already been circulating on Layer2 in mapped form, while the corresponding tokens on the mainnet were locked. After succeeding, the hacker deposited them into lending protocols like Aave and borrowed the more liquid WETH, thus completing the escape. To emphasize again, the rsETH deposited by the hacker is real, which is why Aave would support collateral lending with this token.
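The custody design and the 1/1 DVN weakness described above can be modelled in a few lines. This is an added example, not code from Kelp DAO, LayerZero or the article; the class, function and DVN names are hypothetical, the `locked` amount is constructed, and only the 116,500 figure comes from the text.

```python
from dataclasses import dataclass

@dataclass
class LockReleaseBridge:
    """Toy model: mainnet rsETH sits in custody 1:1 against the mapped Layer2 supply."""
    dvns: frozenset       # verifier ids configured for the route (hypothetical names)
    threshold: int        # attestations required, e.g. 1 of 1 or 2 of 3
    escrow: int = 0       # mainnet rsETH held by the custody contract
    l2_supply: int = 0    # mapped rsETH circulating on Layer2

    def bridge_out(self, amount: int) -> None:
        """Mainnet -> Layer2: lock the original token, issue the mapped one."""
        self.escrow += amount
        self.l2_supply += amount

    def release(self, claimed_burn: int, real_burn: int, attestations: set) -> bool:
        """Layer2 -> mainnet: release custody if enough configured DVNs attest."""
        if len(attestations & self.dvns) < self.threshold:
            return False
        self.l2_supply -= real_burn   # what actually happened on Layer2
        self.escrow -= claimed_burn   # what the attested message says happened
        return True

    def shortfall(self) -> int:
        """Mapped Layer2 tokens no longer backed by custody on mainnet."""
        return max(0, self.l2_supply - self.escrow)

def attest(dvns, compromised, claimed_burn, real_burn) -> set:
    """Honest DVNs sign only a message that matches Layer2 state; compromised ones sign anything."""
    return {d for d in dvns if d in compromised or claimed_burn == real_burn}

def run_scenario(dvns, threshold, compromised, claimed_burn, real_burn, locked=200_000):
    """locked is a constructed figure; returns (released, unbacked Layer2 rsETH)."""
    bridge = LockReleaseBridge(frozenset(dvns), threshold)
    bridge.bridge_out(locked)
    sigs = attest(dvns, compromised, claimed_burn, real_burn)
    released = bridge.release(claimed_burn, real_burn, sigs)
    return released, bridge.shortfall()

FORGED = 116_500  # rsETH released in the incident, per the article

if __name__ == "__main__":
    print(run_scenario(["dvn-a"], 1, {"dvn-a"}, FORGED, 0))                    # 1/1 route
    print(run_scenario(["dvn-a", "dvn-b", "dvn-c"], 2, {"dvn-a"}, FORGED, 0))  # 2/3 route
    print(run_scenario(["dvn-a"], 1, set(), 5_000, 5_000))                     # honest withdrawal
```

The `shortfall()` value is the invariant a monitor would watch: custody on mainnet should never be smaller than the mapped supply on Layer2.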

Looking back at Aave's statement now is quite interesting. “The rsETH on the Ethereum mainnet is well supported” essentially means: “These coins are all real, Kelp DAO, you should support us to redeem these coins for the underlying ETH (the contract is paused, redemption is not possible now)... As for the Layer2 mapped version of rsETH that lost backing from the mainnet rsETH, I can’t do anything about that!”

This seems to be Aave's position. Emphasizing the value of mainnet rsETH implies ignoring the value of the Layer2 mapped version of rsETH, and given that Aave itself has certain debt positions in rsETH in its lending products on Layer2 (currently about $359 million in real-time scale), this will also lead to some bad debts. However, Aave likely weighed the potential consequences of the two options and determined that preserving the core product on the mainnet better aligns with its best interests.

However, this is just Aave's statement; how the incident will ultimately be resolved still depends on whether an agreement can be reached with LayerZero and Kelp DAO.

Although the latter has not yet made a further statement, I personally believe LayerZero will find it difficult to accept this proposal, as abandoning Layer2 mapped tokens would directly threaten the cross-chain reputation of LayerZero.

Potential solutions

Ultimately, the problem must be solved. In the past couple of days, various big names on social media have been offering suggestions to Aave, LayerZero, and Kelp DAO.

DefiLlama founder 0xngmi simulated three possible paths, but also indicated that all three have clear flaws. The first path is for all rsETH holders to collectively bear an 18.5% value reduction (the ratio of lost tokens to issued tokens); Kelp DAO bears the blame, and Aave also has to assume about $216 million in bad debts on the mainnet. The second path is to ignore the value of all Layer2 mapped rsETH, in which case Aave's mainnet products will be preserved, but the Layer2 landscape will likely collapse and Kelp DAO's reputation will vanish. The third path is to fully compensate those who held rsETH before the hacker's attack, based on a snapshot, while subsequent buyers or transferees bear their own losses; but since funds have already flowed extensively after the attack, this is practically impossible to execute.

OneKey founder Yishi stated: “The best outcome now is to negotiate with the hacker, offer a 10-15% bounty to get the bulk back, making everyone happy. If negotiations fail, the LayerZero ecosystem fund should shoulder the majority of the burden, as it is the wealthiest and has the most long-term interests to protect, paying out can still preserve the OFT ecosystem. Kelp DAO is the poorest; they either supplement with tokens and future income or simply sell the entire project to LayerZero or Bitmine. Aave's Umbrella and stkAAVE can cushion the last layer, but WETH depositors must absolutely not suffer a value reduction, otherwise, Morpho, Spark, Fluid, and Euler will all follow suit in repricing, and the entire LRT race will be blacklisted, causing a three-year regression for the entire DeFi industry.”

Regardless, all parties will definitely need to continue to hash out the details, as it involves real money on a scale of hundreds of millions, and no one wants to be the biggest fool.

As for how much time is needed to come up with a solution, it has been mentioned earlier that neither of the two giants dares to delay too long. LayerZero is currently being forcibly paused by major partner institutions and protocols, and if this drags on, these partners will definitely switch to another cross-chain path; Aave's situation is also not optimistic, with the utilization rates of multiple liquidity pools reaching 100%, depositors are in a "trapped" state... If ETH suddenly drops sharply, Aave is likely to face more bad debts due to ineffective liquidation (which is indeed currently the case), eventually causing the problems to snowball—if it comes to this, the foundations of the industry could be undermined, and clearly, no one would like to see such a situation.

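Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. This article is for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image published on this page involves infringement, please email the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.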
