So the Kelp DAO situation is genuinely one of the more clarifying moments crypto has had in a while, and not in a good way.
The short version is that an attacker tricked a bridge into thinking a legitimate cross-chain instruction had arrived, drained 116,500 rsETH, immediately deposited it into Aave as collateral, borrowed $196 million in real ETH against it, and walked away while Aave’s liquidity pool hit 100% utilization, meaning people who had deposited actual ETH couldn’t withdraw it.
Total DeFi TVL dropped $13 billion in two days. LayerZero and Kelp are now in a public fight about whose fault it was, which is a completely normal thing for the two parties involved in a $292 million state-sponsored heist to be doing.
The part that should bother people more than the number is what the attack actually required.
Kelp’s bridge had a 1-of-1 verifier configuration, meaning exactly one entity had to sign off on any cross-chain message for the bridge to act on it. One. There was no second check. No redundancy. North Korea found the one thing that had to go wrong and made it go wrong, and now $13 billion in DeFi TVL is gone and Aave has $196 million in bad debt sitting on its books from collateral that was never real.
The thesis that DeFi is trustless has always quietly depended on the infrastructure underneath it actually being trustworthy, and Lazarus Group just finished reading the fine print.
https://www.reddit.com/r/CryptoCurrency/comments/1srfib8/north_korea_just_stole_292_million_from_defi_and/
Posted by Repulsive_Counter_79
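
The 1-of-1 verifier configuration described in the post, modeled next to a 2-of-3 quorum. This is an added example, not part of the original post and not Kelp's or LayerZero's code. HMAC stands in for the verifiers' signature scheme, and the verifier names, keys and message are constructed.

```python
import hashlib
import hmac

# Constructed keys; HMAC is a stand-in for each verifier's real signature scheme.
KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}


def attest(verifier, message):
    """Attestation a verifier (or whoever holds its key) produces for a message."""
    return hmac.new(KEYS[verifier], message, hashlib.sha256).digest()


def accept(message, attestations, verifiers, threshold):
    """Accept only if `threshold` distinct configured verifiers attested validly."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and len(verifiers)")
    valid = set()
    for name, tag in attestations:
        if name in verifiers and hmac.compare_digest(tag, attest(name, message)):
            valid.add(name)  # a set, so repeats from one verifier count once
    return len(valid) >= threshold


def audit(verifiers, threshold):
    """Return (number of key compromises the config survives, findings)."""
    findings = []
    if threshold == 1:
        findings.append("one compromised verifier can authorize any message")
    if len(verifiers) == 1:
        findings.append("single verifier: no independent second check")
    return threshold - 1, findings


def demo():
    # Constructed message; only verifier-a's key is assumed compromised.
    forged = b"constructed cross-chain message: release 116500 rsETH"
    stolen = [("verifier-a", attest("verifier-a", forged))] * 2  # replayed twice
    one_of_one = accept(forged, stolen, {"verifier-a"}, 1)
    two_of_three = accept(forged, stolen, set(KEYS), 2)
    return one_of_one, two_of_three


if __name__ == "__main__":
    print(demo())  # forged message under 1-of-1, then under 2-of-3
    print(audit({"verifier-a"}, 1))
```

Running `audit` over a bridge's verifier settings before deployment flags any configuration that a single key compromise defeats.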