Ripple CTO David Schwartz has expressed concerns about the integration of DeFi bridge infrastructure to support RLUSD. In XRP news today, he cited major security risks in DeFi protocols that could mirror the fate of the recent KelpDAO exploit.
XRP News: Ripple CTO Flags Security Risks in DeFi Bridges
On X, Schwartz revealed that he has evaluated several DeFi bridging systems for use by Ripple’s RLUSD stablecoin. He noted that he was “exclusively focused on the security and risk aspect.”
His assessment on various onchain DeFi bridges shows that these protocols mostly had a strong foundation for security. They could avoid the type of KelpDAO faced. However, he pointed out a common problem with the deployments of these systems.
“They generally in effect recommended not bothering to use the most important security mechanisms because they have convenience and operational complexity costs,” the Ripple CTO wrote. He noted that ease of cross-chain expansion was frequently given priority sometimes at the cost of proper protection measures.
Moreover, Schwartz likened the pattern to that of the latest $292 million KelpDAO hack, per XRP news update. “I have a funny feeling part of the problem is going to be something like KelpDAO choosing not to use key LayerZero security features out of convenience,” Schwartz wrote.
Previously, XRPL validator Vet also flagged concerns on Solana’s wXRP. He noted that wXRP on Solana faces risks similar to the KelpDAO incident as issued tokens often bear counterparty risks.
Currently, XRPL validators are gearing up to vote on key lending protocol amendments. However, Flare Network founder Hugo Philion believes that it’s not much of use to XRP users as it doesn’t offer the opportunity to collateralize Ripple’s native token.
About $292M KelpDAO Attack
The recent crypto hack involved rsETH, a liquid restaking token connected to KelpDAO. On-chain records indicate that around 116,500 rsETH was eventually emptied. At the time, the KelpDAO attack losses were estimated to be around $292 million.
The exploiter then collateralized these tokens on Aave V3 to borrow large amounts of ETH and WETH. Blockchain tracking crypto tools show the funds were subsequently laundered through Tornado Cash to hide the trails of transactions.
The exploit seems to be a cross-chain messaging infrastructure connected to LayerZero. At 17:35 UTC, a wallet owned by an attacker made a call to the lzReceive function on the EndpointV2 contract. This move caused the release of the 116,500 rsETH to a different address held by the attacker.
After LayerZero released a report on the incident, Ripple CTO Schwartz made a change to his statement on the KelpDAO exploit. He said, “The attack was way more sophisticated than I expected and aimed at LayerZero infrastructure taking advantage of KelpDAO laziness.”