As crypto continues to grapple with the latest DeFi exploit, the space is reckoning with an existential question: Is any DeFi application truly safe?
Over the weekend, crypto’s premier lending marketplaces were hit by this year’s largest DeFi exploit, involving a sophisticated attacker who compromised Kelp DAO’s LayerZero-powered bridge to illicitly mint 116.5k rsETH.
The newly minted (and unbacked) tokens worth approximately $290M were then deposited into Aave and other leading lending protocols, where they were used as collateral to borrow hundreds of millions of dollars in ETH, producing bad debt and triggering an industry-wide liquidity crisis.
The attack unfolded rapidly in two phases, successfully exploiting weaknesses in Kelp DAO’s LayerZero-powered bridge before draining hundreds of millions of dollars from Aave via unbacked rsETH loans.
Critically, Kelp DAO configured its integration with the weakest possible security model, a 1-of-1 Decentralized Verifier Network (DVN) setup. This granted a single validator node, operated by LayerZero Labs, full authority to approve cross-chain messages.
While LayerZero’s incident post-mortem claims it cautioned against minimal security setups and recommended multi-verifier configurations for high-value bridges, its protocol still permits 1-of-1 deployments.
Further, an estimated 47% of protocols on LayerZero use the same configuration.
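To make the "1-of-1" point concrete, here is an added Python example (not code from the article, Kelp DAO or LayerZero) that models the verification threshold of a DVN configuration and flags setups a single compromised verifier can defeat. The field names mirror the LayerZero V2 UlnConfig struct as documented (requiredDVNs, optionalDVNs, optionalDVNThreshold, confirmations); the checker logic and the sample DVN addresses are constructed for illustration.

```python
"""Audit a DVN (ULN-style) security configuration for single-verifier risk.

Constructed example: field names follow the LayerZero V2 UlnConfig struct;
the audit rules and sample addresses below are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class UlnConfig:
    # Source-chain block confirmations a DVN waits for before attesting.
    confirmations: int
    # Every required DVN must attest before a message counts as verified.
    required_dvns: list[str] = field(default_factory=list)
    # In addition, at least `optional_threshold` of these must attest.
    optional_dvns: list[str] = field(default_factory=list)
    optional_threshold: int = 0


def verifiers_to_compromise(cfg: UlnConfig) -> int:
    """Minimum number of DVN operators whose attestation keys suffice to
    push a forged cross-chain message through verification."""
    if cfg.optional_threshold > len(cfg.optional_dvns):
        raise ValueError("optional threshold exceeds optional DVN count")
    if set(cfg.required_dvns) & set(cfg.optional_dvns):
        raise ValueError("a DVN may not be both required and optional")
    return len(cfg.required_dvns) + cfg.optional_threshold


def audit(cfg: UlnConfig) -> list[str]:
    """Return reviewer findings; an empty list means no issue was found."""
    findings = []
    k = verifiers_to_compromise(cfg)
    if k == 0:
        findings.append("no DVN attestation required: any message verifies")
    elif k == 1:
        findings.append("single point of failure: one compromised DVN verifies arbitrary messages")
    if cfg.optional_dvns and cfg.optional_threshold == 0:
        findings.append("optional DVNs listed but threshold is 0: they add no security")
    return findings


# Constructed sample addresses, not real DVN operators.
WEAK_1_OF_1 = UlnConfig(confirmations=15, required_dvns=["0xDVN_A"])
HARDENED = UlnConfig(
    confirmations=15,
    required_dvns=["0xDVN_A", "0xDVN_B"],        # both must sign
    optional_dvns=["0xDVN_C", "0xDVN_D", "0xDVN_E"],
    optional_threshold=1,                        # plus any one of these
)
```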
The attacker exploited this single point of failure, spoofing a cross-chain message that passed verification and tricked the LayerZero-operated bridge into minting 116.5k unbacked rsETH directly to attacker-controlled addresses.
While Kelp DAO’s multisig froze core contracts shortly afterward, it was already too late to reverse the damage that would follow…
Armed with the misappropriated tokens, the attacker immediately deposited the rsETH into Aave V3 (and, to a lesser extent, other platforms such as SparkLend and Fluid).
This fictitious collateral position then allowed the exploiter to borrow large amounts of WETH against their unbacked tokens, producing an estimated $262M+ of bad debt for Aave lenders in the transactions' wake.
Instead of waiting for this bad debt to accrue against their positions, savvy DeFi lenders made a fear-motivated rush for the exits over the weekend, draining over $7B in assets from leading protocols in the exploit’s aftermath, including $6.2B from Aave, or roughly 23% of the lending market's total value locked.