A notorious cybercrime group allegedly tied to North Korea, known as the Lazarus Group, is under scrutiny for a massive cryptocurrency theft from the decentralized finance protocol, Kelp DAO. The incident, which targeted a substantial sum of $290 million in digital assets, unfolded with alarming precision.
Details of the Heist
The breach took place on a Sunday evening, at precisely 17:35 UTC, when the attackers managed to execute a malicious command. This action resulted in the unauthorized extraction of 116,500 restaked Ether (rsETH), equivalent to approximately $292 million. In response, Kelp DAO swiftly paused the pertinent contracts and blacklisted the attackers’ wallets. This rapid response successfully thwarted a subsequent attempt to seize an additional 40,000 rsETH, valued at around $95 million.
Kelp DAO operates as a liquid restaking protocol: user-deposited Ether is routed into the EigenLayer restaking system to earn additional rewards, and depositors receive rsETH in return. The attackers exploited a weakness in the protocol’s ‘1-of-1 verifier configuration’, in which a single verifier’s attestation is sufficient to approve a cross-chain message, to subvert the verification process and trigger the unauthorized fund transfer.
Technical Vulnerabilities Exploited
The attackers focused on LayerZero, a cross-chain messaging infrastructure essential for transmitting verified blockchain instructions. LayerZero’s Decentralized Verifier Network (DVN) depends on multiple Remote Procedure Call (RPC) endpoints to verify the integrity of cross-chain commands. The cybercriminals successfully compromised two of these RPC endpoints, paving the way for an RPC-spoofing attack.
This attack relied on a custom payload designed to present a forged message to the DVN while raising minimal alerts. The attackers then launched a Distributed Denial-of-Service (DDoS) attack on the remaining RPC endpoints, causing a failover to the compromised nodes and allowing their fraudulent commands to be accepted.
Responses and Implications
LayerZero attributes this sophisticated attack to a subgroup named TraderTraitor, part of the infamous Lazarus Group, notorious for multiple cryptocurrency heists in recent years. According to LayerZero, the incident could have been avoided if Kelp DAO had adopted a multi-DVN setup, which is a recommended industry standard.
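To make the failure mode described above concrete, the following is an added, simplified model (not LayerZero's, Kelp DAO's, or any real DVN implementation) of how a verifier that fails over from unreachable RPC endpoints to compromised ones ends up attesting to a forged payload, and why requiring agreement from independently operated verifiers changes the outcome. All names, the `Rpc`/`Verifier` classes, the payloads, the nonce and the optional-DVN threshold are constructed for this illustration; the verifier-quorum logic is generalized to "all required verifiers plus M of N optional verifiers", which goes beyond the single-verifier case in the text.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Hypothetical toy model: constructed for illustration, not a real protocol or API.


@dataclass
class Rpc:
    """A source-chain RPC endpoint as seen by a verifier.

    `ledger` is the view of the chain this node reports. A compromised node
    simply carries an attacker-controlled ledger; an unreachable node
    (e.g. knocked offline by DDoS) has online=False.
    """
    name: str
    ledger: Dict[int, bytes]   # message nonce -> payload this node will report
    online: bool = True

    def payload_hash(self, nonce: int) -> Optional[str]:
        if not self.online:
            return None
        payload = self.ledger.get(nonce)
        return None if payload is None else hashlib.sha256(payload).hexdigest()


@dataclass
class Verifier:
    """A DVN: asks its primary RPC nodes, fails over to backups if unreachable."""
    name: str
    primaries: List[Rpc]
    fallbacks: List[Rpc]
    quorum: int = 2            # reachable nodes that must agree before attesting

    def attest(self, nonce: int) -> Optional[str]:
        for pool in (self.primaries, self.fallbacks):
            answers = [h for h in (r.payload_hash(nonce) for r in pool) if h is not None]
            if len(answers) >= self.quorum:
                # Attest only if every reachable node in this pool agrees.
                return answers[0] if len(set(answers)) == 1 else None
        return None            # no quorum reachable anywhere: refuse to attest


def destination_accepts(executed_payload: bytes, nonce: int, required: Sequence[Verifier],
                        optional: Sequence[Verifier] = (), optional_threshold: int = 0) -> bool:
    """Destination-side check: every required DVN and at least `optional_threshold`
    optional DVNs must attest to the hash of the payload about to be executed."""
    expected = hashlib.sha256(executed_payload).hexdigest()
    if any(v.attest(nonce) != expected for v in required):
        return False
    agreeing = sum(1 for v in optional if v.attest(nonce) == expected)
    return agreeing >= optional_threshold


def verifiers_disagree(verifiers: Sequence[Verifier], nonce: int) -> bool:
    """Detection hook: independent verifiers reporting different hashes for the
    same nonce is a strong signal of a spoofed RPC view and should page someone."""
    return len({v.attest(nonce) for v in verifiers}) > 1


def run_scenario(multi_dvn: bool, ddos: bool, execute_forged: bool = True) -> Dict[str, bool]:
    nonce = 7                                           # constructed message nonce
    genuine = b"withdraw 100 rsETH to treasury"         # constructed genuine payload
    forged = b"withdraw 116500 rsETH to attacker"       # constructed forged payload
    honest_ledger, hostile_ledger = {nonce: genuine}, {nonce: forged}

    # DVN-A: honest primaries, but its fallback nodes have been compromised.
    a_primaries = [Rpc("rpc-a1", honest_ledger), Rpc("rpc-a2", honest_ledger)]
    a_fallbacks = [Rpc("rpc-a3", hostile_ledger), Rpc("rpc-a4", hostile_ledger)]
    dvn_a = Verifier("DVN-A", a_primaries, a_fallbacks)

    # DVN-B: a separately operated verifier with its own, untouched RPC set.
    dvn_b = Verifier("DVN-B", [Rpc("rpc-b1", honest_ledger), Rpc("rpc-b2", honest_ledger)], [])

    if ddos:
        for r in a_primaries:
            r.online = False       # DVN-A now fails over to the compromised nodes

    required = [dvn_a, dvn_b] if multi_dvn else [dvn_a]
    payload = forged if execute_forged else genuine
    return {
        "accepted": destination_accepts(payload, nonce, required),
        "dvn_disagreement": verifiers_disagree([dvn_a, dvn_b], nonce),
    }


if __name__ == "__main__":
    print("1-of-1, no DDoS     :", run_scenario(multi_dvn=False, ddos=False))
    print("1-of-1, DDoS        :", run_scenario(multi_dvn=False, ddos=True))
    print("2 required, DDoS    :", run_scenario(multi_dvn=True, ddos=True))
```

With a single required verifier, taking its primary nodes offline is enough: the failover pool is unanimous on the forged hash, so the DVN attests and the destination executes the forged command. With a second, independently operated verifier in the required set, the forged payload is rejected because DVN-B still reports the genuine hash. The cost is liveness rather than safety: while DVN-A is feeding bad data, the genuine message is also held back, and the disagreement between the two verifiers is the signal an operator should be alerting on.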
In a statement, LayerZero noted that it had previously advised Kelp DAO to diversify its DVN configuration. Kelp DAO, however, places the blame on LayerZero, arguing that Kelp DAO did not manage the targeted infrastructure and that LayerZero’s own documentation described the single-DVN setup as appropriate.
In the aftermath, Kelp DAO has prioritized measures to prevent further contagion across the DeFi ecosystem. Partners such as the Arbitrum Security Council promptly froze assets linked to the heist. Nevertheless, the ramifications are extensive, with the decentralized liquidity protocol Aave seeing its total value fall by nearly $8 billion.
Binance reported that the stolen funds were deposited into Aave v3 as collateral, leading to the borrowing of wrapped Ether and creating a $195 million debt on Aave. The rush of users withdrawing assets led to full utilization of Aave v3 lending pools, immobilizing over $5.1 billion in stablecoins.
As the crypto community grapples with the fallout, this incident underscores the critical need for robust security measures and cross-chain communication protocols to safeguard digital assets.
