Kelp's DVN Configuration Blamed by LayerZero for $290M Breach as Aave Faces Mounting Losses
According to LayerZero, Kelp's decentralized verifier network configuration enabled the $290 million security breach, while stakeholders debate which platform should bear responsibility for covering investor losses.

Cross-chain messaging protocol LayerZero has attributed a $290 million theft from Kelp DAO to insufficient security measures within Kelp's decentralized verifier network (DVN) configuration, with early indicators suggesting involvement by North Korean state-sponsored hackers.
The security breach on Saturday resulted in the drainage of approximately 116,500 Restaked ETH (rsETH), valued at between $292 million and $293 million during the incident, from Kelp DAO's rsETH bridge that operates on LayerZero's infrastructure.
In a statement released Monday, LayerZero attributed the vulnerability to a critical flaw in Kelp's architecture, which depended on just one LayerZero DVN as its sole verification mechanism, a configuration LayerZero had previously cautioned against implementing.
"LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration."
In operational terms, this configuration meant that Kelp's system depended on just one verification pathway for messages transmitted across different blockchains, instead of implementing multiple independent verification mechanisms.
The security incident immediately redirected focus from understanding the technical vulnerability to determining which entity bears financial responsibility for the losses, with complications extending to Aave, where the malicious actor leveraged rsETH as loan collateral to extract legitimate assets.
The total value locked (TVL) on Aave has declined by approximately $8.9 billion, dropping to $17.5 billion as of this writing, following the attacker's use of compromised assets to secure loans on Aave, creating roughly $195 million in uncollateralized debt and prompting mass withdrawals from the lending platform.
LayerZero said Kelp's rsETH bridge infrastructure operated exclusively on the LayerZero Labs DVN, and maintained that the breach represents a failure in application-level security design rather than a fundamental vulnerability in LayerZero's core protocol. The organization announced it is now pushing all applications currently using 1/1 DVN configurations to transition to multi-DVN architectures and will discontinue signing or validating messages for applications maintaining single verifier implementations.
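The gap between a 1/1 setup and a multi-verifier setup can be shown with a small Python sketch. This is an added example, not LayerZero's or Kelp's code. The class, field and verifier names are hypothetical, and the quorum rule (every required verifier plus a threshold of optional ones) is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    """Simplified verifier set for one message pathway (hypothetical model)."""
    required: frozenset                  # every one of these must attest
    optional: frozenset = frozenset()    # extra verifiers
    optional_threshold: int = 0          # how many optional ones must attest

def is_verified(cfg, attestations):
    """Accept only if all required and enough optional verifiers attested."""
    attested = set(attestations)
    if not cfg.required and cfg.optional_threshold == 0:
        return False                     # no verifier configured: fail closed
    if not cfg.required <= attested:
        return False
    return len(cfg.optional & attested) >= cfg.optional_threshold

def verifiers_needed(cfg):
    """Fewest distinct verifiers whose attestations get a message accepted,
    i.e. how many must fail or be compromised for a forged message to pass."""
    overlap = len(cfg.required & cfg.optional)
    return len(cfg.required) + max(0, cfg.optional_threshold - overlap)

def audit(name, cfg, minimum=2):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    needed = verifiers_needed(cfg)
    if needed < minimum:
        findings.append(f"{name}: {needed} verifier(s) can approve a message alone; want >= {minimum}")
    if cfg.optional_threshold > len(cfg.optional):
        findings.append(f"{name}: optional threshold exceeds optional set; nothing can verify")
    return findings

# Constructed sample configurations (verifier names are made up).
SINGLE = VerifierConfig(required=frozenset({"dvn-a"}))
MULTI = VerifierConfig(required=frozenset({"dvn-a", "dvn-b"}),
                       optional=frozenset({"dvn-c", "dvn-d"}),
                       optional_threshold=1)

if __name__ == "__main__":
    for name, cfg in (("single", SINGLE), ("multi", MULTI)):
        print(name, verifiers_needed(cfg), audit(name, cfg) or "ok")
```

In this model the single-verifier configuration is flagged because one attestation is enough for acceptance, while the multi-verifier configuration needs three distinct verifiers to agree.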
Losses spark blame fight after $290 million Kelp exploit
In the absence of any announced recovery strategy or compensation framework, market participants and users devoted Monday to discussing whether financial responsibility should fall on Kelp DAO, LayerZero, Aave, or individual rsETH token holders.
Yishi Wang, the founder and CEO of open-source hardware wallet manufacturer OneKey, argued that the optimal approach would be to enter negotiations with the attacker, present a bounty offer ranging from 10% to 15%, and recover the majority of stolen assets.
"If negotiations fail, LayerZero's ecosystem fund should foot the bulk of the bill—it's got the deepest pockets and the most long-term skin in the game," the founder stated in an X post published Monday, further noting that Kelp DAO is "broke" and might compensate through token distributions and future earnings, or potentially consider selling the entire project.
The pseudonymous founder of analytics platform DeFiLlama, known as 0xngmi, presented three potential remedies in a Monday X post: "socialize" losses across all platform users, "rug rsETH holders on L2s," or attempt to restore holder balances to pre-exploit levels using a snapshot, which would be "very hard to do."
Cointelegraph contacted Aave seeking commentary, but no response was received prior to publication.
Exploit raises Aave liquidation risks
Stakeholder anxiety regarding the Kelp security breach has substantially diminished the availability on Aave of Ether (ETH), the lending protocol's primary collateral type.
This depleted liquidity creates a "critical safety risk where liquidations of ETH collateral cannot take place while markets are at 100% utilization," according to MoneySupply, the pseudonymous strategy chief at Spark, a competing lending protocol to Aave, in an X post from Saturday.
"With current illiquidity conditions on Aave, a 15-20% ETHUSD price drop could cause significant bad debt accumulation (on top of any potential issues attributable to the direct rsETH exploit)," he stated.
Aave reported that it promptly froze all rsETH holdings in both Aave V3 and V4, limiting additional exposure. Aave's underlying smart contract infrastructure remained uncompromised.