LayerZero Blames Kelp Configuration for $290 Million Exploit; Aave Faces Liquidity Strain

LayerZero has identified a critical configuration error in Kelp DAO's decentralized verifier network (DVN) as the catalyst for a $290 million exploit. The attack, which preliminary evidence links to North Korean threat actors, saw the drainage of approximately 116,500 Restaked ETH (rsETH) from the protocol's bridge on Saturday. According to LayerZero, the exploit was made possible by a single point of failure. Kelp reportedly relied on a single verification path for cross-chain messages, ignoring previous recommendations from LayerZero to adopt a multi-DVN setup for enhanced security. LayerZero has since urged all applications using single-verifier designs to migrate to multi-DVN configurations or face a cessation of message attestation. The fallout extended rapidly to Aave, where the attacker utilized the stolen rsETH as collateral to borrow liquidity. This maneuver left Aave with roughly $195 million in bad debt and contributed to a sharp decline in the protocol's Total Value Locked (TVL), which fell by approximately $8.9 billion to $17.5 billion. Industry analysts warn that the resulting illiquidity of ETH on Aave poses a systemic risk. Specifically, a potential 15-20% drop in the ETH/USD price could prevent necessary liquidations, further compounding the bad debt crisis. Aave has responded by immediately freezing all rsETH in its v3 and v4 versions to mitigate further damage. With no formal recovery plan announced, a debate persists among stakeholders regarding whether Kelp DAO, LayerZero, or the rsETH holders should bear the financial burden of the loss. Some observers suggest negotiating a bounty with the hackers or utilizing LayerZero's ecosystem fund to cover the shortfall.