Ripple Veteran Slams DeFi Bridge Security

  • Ignoring security issues 
  • The $290 million wake-up call 

David Schwartz, Ripple’s CTO Emeritus, has a rather chilling warning for the decentralized finance (DeFi) bridging sector after a catastrophic $290 million exploit drained the Kelp DAO ecosystem. 

The cryptocurrency veteran has assessed cross-chain systems for Ripple’s upcoming RLUSD stablecoin, concluding that the industry suffers from a dangerous culture of prioritizing convenience and rapid scaling over robust security features.

Ignoring security issues 

Schwartz has found that most bridging systems were actually well-designed to prevent the exact type of attack that struck Kelp DAO. 

However, as the Ripple vet noted, bridge providers frequently recommended bypassing their own strongest security mechanisms due to the “operational complexity costs” involved. 

“Their sales pitch was that they have the best security features, but they’re easy to use and scale, assuming you don’t use the security features,” Schwartz stated. 

The push for simplicity and speed in adding new blockchain networks came with the expectation that operators would simply ignore robust security protocols.

The $290 million wake-up call 

Over the weekend, an attacker managed to siphon approximately 116,500 rsETH (roughly $290 million) from the Kelp DAO ecosystem across the Ethereum and Arbitrum networks.

As reported by U.Today, the hack was due to a bug caused by a severe private key compromise on the source chain. The attacker hijacked a legitimately deployed Kelp DAO peer contract, which made it possible for them to initiate a massive withdrawal in a matter of minutes. The exploiter’s initial wallets were funded via the cryptocurrency mixing service Tornado Cash.

Schwartz has argued that this multi-million dollar disaster was highly preventable. “I have a funny feeling part of the problem is going to be something like KelpDAO choosing not to use key LayerZero security features out of convenience,” he noted. 

Source: https://u.today/ripple-veteran-slams-defi-bridge-security