46 minutes, stolen $292 million, DeFi rediscovers development
Author: ChainCatcher
In the early hours of April 18, just two weeks after the theft of Drift over $200 million, Kelp DAO, under the flag of Kernel, has again updated the record of the theft of the encryption industry this year: 116,000 rsETHs multiplied, worth approximately $292 million。
It is known that Kelp DAO is a triple pledge agreement based on EigenLayer. rsETH is a liquid pledge token (LRT) issued by Kelp DAO and is intended to provide liquidity for non-liquid assets deposited on re-committing platforms (e.g. EigenLayer)。
The core team of the agreement is from India. In September 2024, the agreement was financed with $9 million, with the participation of a large number of prominent investors, including Laser Digital, Banks Ventures and Hypersphere Ventures. The total value of the agreement is currently over $1.5 billion. In the same year, its parent company, Kernel, also received investments from Yzi Labs, which had close ties to the currency。
However, these once proud backgrounds and achievements were suddenly shattered in this tragic accident。
Deadly cross-chain forgery and “single” costs
According to the initial dismantling of the chain records, the attack was not a traditional re-attack or a flash loan, but a precision raid based on the forgery of cross-chain information。
The underlying reason for this is that the rsETH bridge adapter between the chains failed to perform a rigorous "source verification" of the information from the bottom cross-chain protocol. The hacker forged a legitimate asset release order, inducing Kelp's bridge contract to misjudge a reciprocal asset being locked in the chain of origin, thereby acquiescing in the execution of a hacker's directive, releasing $292 million worth of rsETH in the Etherman's network。
Some 46 minutes after the attack, the Kelp DAO team launched an emergency suspension mechanism. Although the operation succeeded in intercepting two subsequent withdrawal attempts totalling 40,000 rsETH (approximately $100 million), nearly 20 per cent of the rsETH circulation (116,000) has fallen into hacker pockets。
Subsequently, hackers deposited these rsETHs into Aave V3 as collateral for borrowing a large number of highly mobile WeTHs. Apparently, the hackers will not return the asset, and its collateral, the rsETH, has no real bottom asset because it was a false build-up, leaving Aave with a bad debt of approximately $177 million, which would presumably be borne by all Aaave depositors。
In this process, the biggest problem is in the bridge contract for Layerzerro. The LayerZero cross-chain contract used by Kelp DAO is 1/1 DVD configuration, the so-called "single" configuration, which can be confirmed by a single certifier through cross-chain messages, while the LayerZero official document is defaulted to recommend 2/2。
After the incident, the Layerzero token ZRO once fell by over 40 per cent, the Aave token AAVE peaked at 22 per cent, and the Kelp DAO related party Kernel token now fell by over 13 per cent. In addition, several projects, such as Solv, have been announced to stop the Layer Zero OFT bridge。
The systematic collapse of DeFi's Lego Structure
Prior to this incident, Aave had never had any security incident, which, although not due to its own contractual code, was still linked to the agreement ' s risk assessment of such LRT tokens and the quarantine settings. In January of this year, Spark Protocol had fallen off low-life assets such as rsETH and continued to tighten collateral and functionality, leaving the agreement unaffected by the current wave。
At present, Aave's total chain lock-up value has fallen from $26,390 million yesterday to $21,766 million, with a single withdrawal of $4.6 billion. At the same time, a large number of lending users turned to other lending agreements, ETH lending demand in the market surged, and Spark's ETH pool deposit rate increased rapidly from 1.7 per cent to 5 per cent。
In response to the incident, the founder of Curve, Michael Egorov, wrote that the incident was the risk posed by the "non-separated borrowing" model that is now widely used. The model has good expansive scope, but risks are higher and risk management is critical. One approach is a complete segregation model, as is the case in Curve Finance, and the other a hybrid model (complex but feasible). At present, however, the market does not fully understand the advantages of these programmes. The Hub and Spoke (centre-radiation) model of Aave v4 may be a step towards semi-separation and safer。
Currently, most mainstream lending agreements adopt a shared liquidity pool model and almost all loan assets share liquidity and risk, such as Aave, Compund, Spark, etc. Only a few loan agreements, such as Morpho, Kamino, and Euler, have adopted the isolation pool model. This is in essence a trade-off between efficiency and security in the use of funds。
And in the V4 version of Aave, which came online at the end of March this year, the Hub and Spoke concepts were introduced, respectively, and Hub (Centre / Liquidity Hub) is the central liquidity hub that holds all assets and global accounting. Spoke (radiation) is a user-direct interactive modular portal responsible for specific borrowing rules and risk control。
Each Spoke provides specific lending functions (supply, borrowing, repayment, withdrawal) and has separate risk parameters: different types of collateral, liquidation rules, interest rate models, E-Mode, Association Mode, RWA support, etc。
This means that Aave will be able to control the overall risk posed by a single asset by deciding, on a case-by-case basis, whether to establish a fully segregated pool of borrowing assets for different types of risk and nature。
In addition, a well-known DeFi player, Benmo, raised five points in response to the incident:
FIRST, THE SECURITY OF PACKAGED ASSETS, SUCH AS LRT, CANNOT BE COMPARED TO THE ORIGINAL ASSETS, AND THE LENDING PLATFORM DOES NOT EMBROIL THE TWO EQUALLY AS COLLATERAL
Second, L0 loses part of the cross-chain market in the follow-up, and multiple assets, such as usde, usd0, are already stopping the L0 cross-chain, and perhaps even business recovery will make it difficult to restore credibility。
Thirdly, the collapse of the AAVE gold and the re-entry of the security of the large-scale lending market into the whale examination phase, with each additional mortgage asset increasing equally the risk of the original mortgage asset, a natural injustice to the original asset, and the trend towards V4 and modularization of the lending product, which is likely to accelerate. Borrowing operations are chosen instead of lending platforms or curator, but the cost of such operations is increasing。
Fourth, the tvl acquisition cost of L2 will be further increased, and now the tvl level will further flow back to L1.
Fifthly, Defi stopped extending the route and returned to a conservative security model, further preventing the scanning of Anthropic Mythos。
From Drift to Kelp DAO, the two major security incidents in a short period of time have shown that DeFi's “tied-up” financial structure, causing a systemic collapse at any one point, will suddenly evolve into an industry-wide liquidity squeeze. In the past, this view existed mainly in theory, and most of the impact of security incidents has remained on individual agreements, which is happening in a tragic way。
This is not only a trial of cross-chain agreements and lending agreements, but also a major blow to user confidence。
“No more Defi, only original ETH, no pledge or deposit, no interest. "Celebrated KOL laolu says。
"Get out of Defi first. It's too dangerous. This time, the fractured bones are bigger than Drift/Cowswap's..."and the famous DeFi investor Dovey Wang shares the same view。
