Incident Report: Llamarisk, Aave Service Providers Detail Kelp rsETH Hack Across Ethereum and Arbitrum Markets

An incident report published by Llamarisk to the Aave forum explains that a bridge exploit targeting KelpDAO’s Layerzero V2 rsETH route on Saturday allowed an attacker to extract 116,500 rsETH from Ethereum’s OFT adapter without burning any tokens on the source chain. Llamarisk’s report notes that this incident exposed Aave V3 markets to potential bad debt ranging from $123.7 million to $230.1 million, depending on how losses are allocated.

Key Takeaways:

The analysis published by risk management company Llamarisk and Aave service provider co-authors explained that the attack occurred at 17:35 UTC in Ethereum block 24,908,285. The Unichain-to-Ethereum route was configured as a 1-of-1 DVN path, meaning a single verifier could attest an inbound packet without any corresponding outbound action, according to the report.

Llamarisk authors said the attacker forged a packet that was verified, committed, and delivered on Ethereum, releasing 116,500 rsETH from the adapter, the Aave report notes. The adapter balance fell from 116,723 rsETH to 223 rsETH in a single block. The attacker fanned the stolen rsETH from one intake wallet across seven branch addresses. Of the 116,500 rsETH received, 89,567 were deposited into Aave V3 markets on Ethereum and Arbitrum as collateral.