The Kelp DAO exploit: What exactly went wrong? This past Saturday, Kelp, a liquid restaking protocol built on ETH, was the target of a $292 million drain. The event sent shockwaves through DeFi ecosystems, with ripple effects felt across other platforms. How did the hackers, who are considered to be North Korea's Lazarus Group, manage to pull off this heist? What was the cause? The root cause was Kelp's bridge, which relied on LayerZero's EndpointV2 as its cross-chain messaging system. The hackers compromised two nodes within LayerZero's Decentralized Verification Network (DVN), then used those to forge a cross-chain message and call the lzReceive function on Kelp's bridge making it appear that rsETH had been burned on the source chain. This enabled the hackers to "trick" Kelp's bridge into thinking a deposit transaction arrived from another network. The bridge then released 116,500 rsETH directly to the hacker's address, with no collateral behind it. Why were they able to do this? The answer lies in the poor configuration of the LayerZero DVN setup. Despite warnings from LayerZero themselves, Kelp ran a 1-of-1 DVN setup. No backup DVNs were enabled. Not securing the infrastructure of their bridge led to this disastrous exploit because that single DVN would blindly trust any signed message. The Aftermath Wrapped rsETH depegged across 20+ chains and Kelp paused rsETH contracts on mainnet as well as across multiple L2s. Multiple lending protocols, including Aave, SparkLend, and Fluid, froze all rsETH markets to prevent further borrowing. According to Ask Messari, downstream asset losses are as follows: Aave bad debt➡️$123.7M–$230.1M in unrecoverable losses Aave TVL drop➡️ ~$45.8B → ~$35.7B (roughly $10B loss on that protocol alone) Broader DeFi TVL➡️ Down $13B+ within 48 hours AAVE token➡️ Fell ~25%, dropping below $100 to a low of $87 WETH markets➡️ Hit 100% utilization, triggering $6.2B in lender outflows Since then, the following recovery actions have been taken: 🟢Arbitrum Security Council froze ~30,766 ETH (~$71M) linked to the exploit 🟢Kelp DAO suspended all rsETH contracts across mainnet + L2s 🟢LayerZero banned 1/1 DVN configurations going forward 🟢Kelp is weighing a 16% proportional loss socialization across all rsETH holders What to take away from this Code and configuration are incredibly important. Disregarding a proper setup can have disastrous effects on your community and the platform itself. All DeFi projects should view exploits as learning opportunities and take the time to review their code base to ensure they’re well-protected. The slightest error could very well cause irreversible damage. Practice due diligence and put safeguards in place.(Messari)