
KelpDAO suffers $290 million heist tied to Lazarus hackers

Why This Matters

The $290 million heist on KelpDAO highlights the growing sophistication of state-sponsored cyberattacks targeting DeFi platforms, emphasizing the need for enhanced security measures in blockchain protocols. This incident underscores the vulnerabilities in cross-chain communication systems, which are crucial for DeFi interoperability and user trust. For consumers and the industry, it serves as a stark reminder to exercise caution and prioritize security in digital asset management.

Key Takeaways

State-sponsored North Korean hackers are likely behind the $290 million crypto-heist that impacted the KelpDAO DeFi project on Saturday.

The attack reportedly also impacted the lending protocols Compound, Euler, and Aave, with the latter announcing a freeze and blocking new deposits or borrowing using rsETH as collateral.

KelpDAO is a decentralized finance (DeFi) project built around liquid restaking on the Ethereum network. It accepts user ETH deposits, restakes them, and returns a liquid token named ‘rsETH’ that represents the restaked position.

The rsETH token is meant to help users keep earning restaking yield, while it stays usable across DeFi, including cross-chain via LayerZero, an inter-blockchain communication protocol and interoperability layer.

On April 18, KelpDAO announced that it detected “suspicious cross-chain activity” involving rsETH, forcing it to pause rsETH contracts across the Ethereum mainnet and L2s.

The project launched an investigation with the help of LayerZero, Unichain, and other partners.

Blockchain activity showed that around 116,500 rsETH, worth around $293 million, were stolen and then routed through Tornado Cash to obscure the trail.

According to additional details that LayerZero shared today, the attack targeted the Decentralized Verifier Network (DVN), the verification layer used to validate cross-chain messages for rsETH.

Specifically, the attackers compromised some RPC nodes used by the verifier, feeding it falsified blockchain data, while simultaneously DDoS-ing healthy RPC nodes to force the system to rely on the “poisoned” ones.

This allowed a fake cross-chain message to be accepted as valid: the verifier confirmed transactions that never actually occurred on-chain, enabling the rsETH to be moved without authorization.
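The failure mode described above is a verifier that trusts whichever RPC nodes are still answering, so that knocking the honest nodes offline turns the poisoned minority into the only voice. The following is an added example, not LayerZero's DVN code or anything from the article: it models a verifier over a constructed set of five RPC replies (names, hashes and the node count are assumptions) and contrasts a naive majority-of-responders check with a fail-closed quorum that counts timeouts against the quorum.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RpcReply:
    node: str
    block_hash: Optional[str]  # None models a node that timed out, e.g. while being DDoSed


# Constructed scenario: five RPC nodes the verifier consults. A, B, C are honest;
# D and E are attacker-controlled and report a block that never existed on-chain.
GOOD = "0xgood-block-hash"
FAKE = "0xfake-block-hash"

ALL_NODES_UP = [
    RpcReply("A", GOOD), RpcReply("B", GOOD), RpcReply("C", GOOD),
    RpcReply("D", FAKE), RpcReply("E", FAKE),
]
# The article's scenario: honest nodes knocked offline, only poisoned ones answer.
HONEST_NODES_DOWN = [
    RpcReply("A", None), RpcReply("B", None), RpcReply("C", None),
    RpcReply("D", FAKE), RpcReply("E", FAKE),
]


def naive_majority_of_responders(replies):
    """Failure mode: trust whichever nodes answered and take their majority.
    Under a DDoS of the honest nodes this degrades to 'trust the attacker'."""
    answered = [r.block_hash for r in replies if r.block_hash is not None]
    if not answered:
        return None
    return max(set(answered), key=answered.count)


def quorum_verify(replies, quorum):
    """Fail-closed check: accept a block hash only if at least `quorum` distinct
    nodes (out of the full configured set, not just the responders) agree on it.
    Timeouts count against the quorum instead of being silently dropped."""
    votes = {}
    for r in replies:
        if r.block_hash is not None:
            votes.setdefault(r.block_hash, set()).add(r.node)
    for block_hash, nodes in votes.items():
        if len(nodes) >= quorum:
            return block_hash
    return None  # no quorum reached: refuse to confirm rather than guess
```

Note that a quorum of 2 would still accept the two poisoned nodes; the quorum must exceed the number of nodes an attacker can plausibly compromise at once.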
