DeFi sector in $14B meltdown as $290M rsETH hack fallout burns Aave

The DeFi sector is reeling from the effects of a suspected North Korea-linked hack that has spread to multiple protocols and seen DeFi poster child Aave’s TVL drop by a third.

Saturday’s incident saw $290 million worth of Kelp DAO’s liquid staking token, rsETH, stolen via the Layer Zero bridge.

The loot was deposited into Aave and used to borrow $236 million of WETH. But with liquidity drained, and markets frozen, users began to panic, withdrawing collateral where they could and borrowing whatever they could get their hands on.

In all, since Saturday, almost $9 billion has left Aave, with the protocol potentially facing hundreds of millions of dollars of bad debt.

The question of who will foot the bill is still very much to be decided.

The hack

The hack, which Layer Zero suspects was carried out by the Lazarus Group of North Korean state-sponsored hackers, exploited rsETH issuer Kelp DAO’s “single-DVN setup” for bridging its token.

Layer Zero bridges tokens between blockchains, and uses decentralized verifier networks (DVNs) to validate transactions. The model puts the onus on asset issuers to “define their own security posture,” including DVN thresholds.

In Kelp DAO’s case, they used a 1-of-1 setup relying on Layer Zero’s DVN.

Aside from an initial acknowledgement posted to X, there’s been no further communication from Kelp DAO itself.

Layer Zero claims its DVN was compromised through a “highly sophisticated… RPC-spoofing attack.” RPCs are nodes which allow external apps to read blockchain data.

The attack presented malicious info only to the targeted DVN, skirting monitoring efforts. In addition, the attackers ran a DDoS attack against uncompromised RPCs to trigger fallback to the “poisoned” ones.
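As an added example (not code from Layer Zero, Kelp DAO or this publication), the Python below models the fallback failure mode Layer Zero describes next to a fail-closed reader that only returns a value when a strict majority of configured endpoints agree. The endpoint names, the root values and the functions `naive_read` and `quorum_read` are hypothetical.

```python
from collections import Counter

class QuorumNotReached(Exception):
    """Fail closed: refuse to attest rather than trust the survivors."""

def naive_read(endpoints, query):
    """Fallback pattern: accept the first endpoint that answers."""
    for fetch in endpoints.values():
        try:
            return fetch(query)
        except ConnectionError:
            continue
    raise ConnectionError("no endpoint reachable")

def quorum_read(endpoints, query, quorum):
    """Return a value only if `quorum` independent endpoints agree on it."""
    if quorum <= len(endpoints) // 2:
        raise ValueError("quorum must be a strict majority of configured endpoints")
    votes = Counter()
    for fetch in endpoints.values():
        try:
            votes[fetch(query)] += 1
        except ConnectionError:
            pass  # an outage lowers the vote count; it never lowers the bar
    value, count = votes.most_common(1)[0] if votes else (None, 0)
    if count < quorum:
        raise QuorumNotReached(f"best agreement {count}/{quorum}")
    return value

# Constructed scenario: two honest endpoints, one serving forged data.
HONEST, FORGED = "0xhonest-root", "0xforged-root"

def up(value):
    return lambda query: value

def down(query):
    raise ConnectionError("timed out")

healthy = {"rpc-a": up(HONEST), "rpc-b": up(HONEST), "rpc-c": up(FORGED)}
under_attack = {"rpc-a": down, "rpc-b": down, "rpc-c": up(FORGED)}

def attestation_outcomes():
    """What each reader does once the honest endpoints are knocked offline."""
    try:
        guarded = quorum_read(under_attack, "packet-1", quorum=2)
    except QuorumNotReached:
        guarded = "refused"
    return naive_read(under_attack, "packet-1"), guarded
```

The quorum is counted against the configured endpoint set, not the reachable one, so taking honest endpoints offline can stall verification but cannot lower the agreement needed to pass it.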

However, pseudonymous veteran DeFi developer banteg pushed back on Layer Zero’s characterization of the incident as an RPC poisoning attack, which suggests purely outside interference. With attackers pulling off an “infra breach within the perimeter… the real story is a targeted implant operating inside the trust boundary,” banteg said.

They disapproved of “such elaborate distancing,” warning “given it doesn’t say how the breach has occurred, I wouldn’t rush re-enabling the bridges.”

The fallout

Aside from the hack itself, the real damage has spread across DeFi, especially on the sector’s flagship lending protocol, Aave.

Rather than selling such a large quantity of rsETH and crashing its price, the attacker chose to borrow against it. Depositing stolen rsETH as collateral into Aave and other lending platforms, they then borrowed $236 million worth of WETH, according to blockchain audit firm PeckShield’s tally.

Aave’s rsETH markets were paused shortly after users were warned to “withdraw now, ask questions later.” In the hours that followed, over $6 billion left the protocol.

The lack of WETH liquidity has also left several stablecoin markets at full utilization. Spark’s MonetSupply explained that unwinding positions and liquidation of unhealthy positions were stalled, with recent changes to Aave’s borrowing rates “significantly increasing the risk of cascading market failure.”

The liquidity crunch spread to other platforms, vaults, and even unrelated ecosystems, such as Solana.

Taking stock

With rsETH estimated to be facing an 18% shortfall in backing, Aave may be facing over $250 million of bad debt. DeFiLlama developer 0xngmi put the worst case at $341 million and best case at $76 million.

The platform’s backstop fund, Umbrella, contains $55 million of ETH, and former contributor ACI has pledged funds from its staking program.

Additionally, Umbrella’s predecessor contains over $280 million; however, it’s uncertain whether this, or any DAO treasury funds, would be made available to fill the hole.

ACI’s Marc Zeller estimates a 5-8% haircut for Aave WETH depositors once the dust settles.

To put the damage into perspective, the exploiter’s main address currently holds a total of $245 million worth of ETH: $174 million on Ethereum and $71 million on Arbitrum.

Meanwhile, the value of the wider DeFi market has dropped by $14 billion since Saturday.

The path ahead

How the rest of this episode unfolds will depend in large part on how Kelp DAO decides to distribute losses.

CoinDesk reports that Kelp DAO plans to blame “Layer Zero’s documentation, default configurations and team guidance when setting up the bridge.”

Aave has hinted at non-bridged rsETH tokens being fully backed, though this may just be its own preference for now. The alternative, however, isn’t pretty either, and would see WETH depositors on other networks bearing the full burden of the unbacked rsETH.

The fact that this is still unknown reveals an embarrassing truth about the immaturity of DeFi. Despite recent reminders in the form of Stream Finance’s November collapse and last month’s hack of Resolv’s RSD, seniority in the event of a shortfall still appears to be an afterthought for many DeFi projects.

Layer Zero’s statement says that, for its part, it will urge any teams using 1/1 DVN configurations to switch to “multi-DVN setups with redundancy.”

It will also not act as the sole DVN for any projects that remain on a 1/1 setup.

Nobody comes out of this looking good.

From the initial alert coming an hour after the hack, to the long-standing concerns around Layer Zero’s default 1/1 validation threshold, to Kelp DAO’s decision to keep it, to Aave’s risk assessment of rsETH.

Many have taken the opportunity to call for rate limits on key pathways such as bridge outflows or collateral supply. 
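An added example, not code from any protocol named here, of the kind of rate limit being called for: a rolling-window cap on value leaving a bridge pathway. The $25 million daily cap, the transfer schedule and all names are assumptions; only the $290 million total comes from the article.

```python
from collections import deque

class OutflowLimiter:
    """Rolling-window cap on value leaving a bridge pathway."""

    def __init__(self, cap, window_seconds):
        self.cap = cap
        self.window = window_seconds
        self.events = deque()  # (timestamp, amount) of released transfers
        self.used = 0

    def _expire(self, now):
        # Drop releases that have aged out of the window and return their budget.
        while self.events and self.events[0][0] <= now - self.window:
            _, amount = self.events.popleft()
            self.used -= amount

    def try_release(self, amount, now):
        """Approve the transfer only if it fits the remaining window budget."""
        self._expire(now)
        if amount <= 0 or self.used + amount > self.cap:
            return False  # held for review instead of being released
        self.events.append((now, amount))
        self.used += amount
        return True

def simulate(transfers, cap, window_seconds):
    """Return (released, held) totals for a list of (timestamp, amount)."""
    limiter = OutflowLimiter(cap, window_seconds)
    released = held = 0
    for now, amount in transfers:
        if limiter.try_release(amount, now):
            released += amount
        else:
            held += amount
    return released, held

# Constructed traffic in USD: three routine $2M transfers, then a $290M
# drain attempted as 29 transfers of $10M, one per minute.
ROUTINE = [(hour * 3600, 2_000_000) for hour in range(3)]
DRAIN = [(10_000 + 60 * i, 10_000_000) for i in range(29)]

def drain_outcome(cap=25_000_000, window_seconds=86_400):
    """Assumed cap: $25M per rolling 24 hours."""
    return simulate(ROUTINE + DRAIN, cap, window_seconds)
```

Under these assumed numbers the limiter lets one $10 million drain transfer through before the window budget is exhausted, leaving the remaining $280 million held while the pathway is investigated.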

This hack comes during an awful month in a pretty bad year-to-date for the DeFi sector, which has seen its TVL drop by half since the October 10 crash.

On that note, readers should keep their eyes peeled for Protos’ upcoming DeFi hack tracker.

Protos has reached out to Aave, Layer Zero, and Kelp DAO, but hadn’t received a reply by the time of publication. This article will be updated in the event we receive a response.

Source: https://protos.com/defi-sector-in-14b-meltdown-as-290m-rseth-hack-fallout-burns-aave/