Key Takeaways
- The $292 million rsETH hack by KelpDAO has revealed significant flaws in cross-chain security. The protocol accused LayerZero’s off-chain infrastructure, although it denied any wrongdoing and claimed to have adhered to the network’s default settings.
- Independent researchers verified that the assault did not target smart contracts but rather weak verification layers. In response, KelpDAO is switching from rsETH to the CCT standard and transitioning to Chainlink CCIP in order to increase security and lessen dependency on single validators.
- The event brings to light vulnerabilities in off-chain systems, such as inadequate data validation and exposed RPC endpoints.
- Developers and investors are selecting more robust, decentralized validation methods and reconsidering their faith in cross-chain infrastructure as DeFi expands.
One choice, no voice, did KelpDAO pay the $292M price? According to Kelp DAO, LayerZero staff authorized the 1-of-1 verifier configuration, which LayerZero has since claimed was the cause of an attacker with ties to North Korea stealing about $292 million from Kelp’s rsETH bridge.
The assertion contradicts LayerZero’s postmortem from April 19, which said that the arrangement “directly contradicts” LayerZero’s suggested multi-DVN approach and that Kelp’s rsETH application relied on LayerZero Labs as its only verifier.
KelpDAO stated that it moved to enhance security following the intrusion. Soon after identifying the problem, it stopped the rsETH contracts and started a thorough investigation. In order to limit losses and track down the money, the team also collaborated with partners, exchanges, and authorities.
Default Or Flaw? KelpDAO Says 1-1 DVN Model Was Widely Used Across Network
Additionally, KelpDAO declared that it would switch rsETH from the LayerZero OFT standard to Chainlink’s Cross-Chain Token (CCT) standard and move its cross-chain operations to use the Chainlink CCIP protocol.
By utilizing battle-hardened infrastructure that has enabled over $30 trillion in value over seven years without any loss and remained fully operational during numerous global outages, the migration aims to reduce reliance on any one party’s verification process and increase the system’s overall robustness.
KelpDAO refuted allegations that the breach was caused by its setup, claiming it conformed to LayerZero’s default settings. The team observed that the network as a whole made extensive use of the 1-1 DVN model.
According to data, comparable arrangements were used by over half of LayerZero applications. Furthermore, in recent months, the majority of transactions have only needed one or two validators.
Conclusion
Beyond the chain, who takes the blame when off-chain cracks fuel the game?
KelpDAO’s stance was also supported by independent researchers. They said that smart contracts were not specifically targeted by the hack. Rather, it concentrated on the off-chain architecture of LayerZero.
According to one account, “the off-chain infrastructure that LayerZero Labs operated was the target of the attack.” Another connected coordinated perpetrators are taking advantage of inadequate verification layers for the occurrence.
Researchers identified more general issues with the system’s architecture. They emphasized limited cross-checking between data providers and exposed RPC endpoints. Attackers could therefore falsify transaction approvals and alter inputs. The event, according to critics, highlights greater dangers in the cross-chain security methods in use today.
In the DeFi industry, the incident has also sparked broader worries. Developers and investors are reevaluating the level of confidence that cross-chain infrastructure should have as a result. As the industry grows, the result may have an impact on how future protocols handle security.
You need to login in order to Like
Leave a comment