BlockBeats News, April 19th, according to The Block, on-chain data shows that an attacker on Saturday stole 116,500 rsETH from Kelp DAO's LayerZero-based cross-chain bridge, equivalent to approximately $292 million at the current market price. A wallet controlled by the attacker called the lzReceive method on the LayerZero EndpointV2 contract, which triggered Kelp's bridge contract to release 116,500 rsETH to another attacker address. The attacker's wallet had obtained the funds through Tornado Cash about 10 hours ago.
Kelp DAO tweeted that it has identified suspicious cross-chain activity involving rsETH and has suspended the rsETH contract on the mainnet and multiple Layer 2 chains. It is conducting a root cause analysis in collaboration with LayerZero, Unichain, and security experts. Aave subsequently froze the rsETH markets on V3 and V4 and stated that it would explore compensation solutions for any resulting losses; the AAVE token price dropped by approximately 10% after the incident. This is the second security incident that Kelp has experienced in about a year. Last April, excess rsETH was minted due to a fee contract bug, but no user funds were lost at that time.
