Who's going to pay for the game

Original Odaily Daily@OdailyChinaI'm not sure

By Azuma@azuma ethI'm not sure

The rsETH bridge contract from Kelp DAO has been stolen for more than 30 hours, and the parties concerned (Layer Zero, Kelp DAO, Aave) have continued to express themselves (mainly in the “sling pot”, emphasizing that they are not wrong) but have not yet given a final solution。

Therefore, this paper would like to talk about the current positions and attitudes of the parties involved, explore the reasons for the delay in finalizing the programme and try to guess how the event might eventually be resolved。

Odaily note: Previously on Love:DeFi stole $292 million again, and it's not even safe for AaveI don't know。

Who is responsible

First of all, the issue of accountability should be discussed。

According to the details of LayerZero, the immediate cause of the incident was quite clear, namely that the downstream RPC infrastructure on which LayerZero operated the decentrized certification network (DVN) had been breached (see analysis of the slow-mog founder cosine below) and that, since the Kelp DAO bridge contract used 1/1 DVD, the attackers would be able to complete the attack only by completing a false information verification。

SayerZero believes that Kelp DAO, which uses 1/1 DVD configurations, is the most directly responsible party for the incident. There's nothing to say about that. Such an obvious “single-point failure” is out of order。

But as a bottom-up cross-chain agreement, LayerZero should also be partly responsible. LayerZero allows each upper layer to apply the number and threshold of self-configured DVDs. Although 1/1 of the DVDs is Kelp DAO's choice, as the designer of the bottom structure, the settings of this version should be circumvented。

Finally, loan agreements such as Aave (emphasis added here) are also indirect victims, but the fact that Aave has objectively granted rsETH and other LRT excessive lending powers for expansion purposes is also a direct cause of its current passivity. Besides, it's worth mentioning that the former wind control team, BGD Labs, was clear last JanuaryNoteThrough Kelp DAO ' s DVD issue, Kelp accepted the recommendation at that time, but apparently did not modify ... Aave ' s failure to continue monitoring and response was also self-efficient。

So the verdict is clearKelp DAO is responsible, Layer Zero is liable, and Aave has some indirect liability。

The awkward reality

The reality is always more complex than theoretical expectations。The most important question is that the Kelp DAO team, which is primarily responsible, can't make up so much money to make up the hole..It's good to reduce the losses directly from all rsETH, and it's bad luck to stab Layer2 currency holders。

So who has the moneyThe first was a reputational crisis as a result of the incident, which had been temporarily suspended by a number of institutions and agreements, such as Bitgo, Tron, Ethena, Curve, and either.fi, looking at Layer Zero, who could lose a large cross-chain share; and the second was Aave, who faced huge potential bad debts and was watching billions of dollars of TVL lost。

So now the "ghosts" are clear. Kelp DAO, the main party responsible, is largely paralysed, unable to take charge of the follow-up payments, and what to do is to negotiate with the two brothers; at the same time, the sub-accounters and indirect liables, Layer Zero and Aave, have stated that there are no loopholes in their own agreements, that they do not want to take this much of a pot easily ... So the situation seems to be a little stagnating。

But I don't think it's going to last long, because there's a need for both agreements to solve the problem as soon as possible -- LayerZero can't give up its own OFT cross-chain ecological map; and Aave can't ignore the continuing outflow of stock。

The key to the game

This morning, Aave issued an updated statement on this event, one of the most important messages of which is that Aave stressed:The rsETH on the Ether host network is well supportedI'm sorry。

How do you understand that? Need to start with the design of rsETH。

rsETH is essentially a liquid pledge token issued by Kelp DAO, each of which has a base of 1 rsETH supported by an ETH in a pledge and re-commitment system with a path of “ETH - Lido - EigenLayer - Kelp DAO - rsETH”。

The main web-based rsETH, Kelp DAO, is the original certificate token issued on the Ether House, and later, in order to expand in the Layer2 ecology, Kelp DAO will map the main web rsETH to the big Layer2 by relying on the Layer Zero's cross-bridge contract (that is, something that happened in this event). Every rsETH that is published in Layer2 will be deposited in Kelp DAO's hosting contract until the rsETH on Layer2 is released。

Well, now go back to the accident itself. The reason for the theft is mentioned earlierThat is, hackers have forged cross-link information by cheating on DVD, resulting in the bridge contract being “misrely released” 116,500 rsETH - not by printing the new currency in a blank, but by obtaining the original voucher token that should not have been released on the Internet。

The problem is that this part of the coin has been distributed over Layer2 by mapping, that the main online token is sealed, that hackers have been able to deposit it into loan agreements such as Aave and borrow better liquid WETH, thus completing their escape – again, it is true that the rsETH deposited by hackers is so that Aave supports mortgage lending。

Now it's interesting to look back at Aave's statement. "The rsETH on the Ether host network is well-supported," says the phrase:The money is real, Kelp DAO, and you're supposed to be supporting us to take it back to the bottom of the ETHIt's not the same

This should be Aave's tendency. While emphasizing the value of the main web rsETH means that the value of the Layer 2 map rsETH will be ignored, it would also result in bad debts because Aave itself has some rsETH debt position in the lending product above Layer2 (real time size of $359 million). But the dichotomy is light, and Aave's probability is to assess the potential impact of the two options, considering that it is in their best interest to maintain the core products of the main network。

But it's just a statement from the Aave family, and it's still up to LayerZero and Kelp DAO to reach agreement。

Although the latter has not yet made a further statement, I personally find it difficult to accept this option because abandoning the Layer2 map would directly threaten the cross-chain goodwill of LayerZero。

Potential solutions

The problem will eventually be solved. In the past two days, social media activists from all walks of life have been giving their ideas to Aave, LayerZero, Kelp DAO。

The founder of DefiLlama, 0xngmi, developed three possible paths, but also indicated that there were obvious flaws in all three paths。The first route is for all rsETH currency holders to share the value reduction of 18.5 per cent (the loss of tokens/issues of tokens), Kelp DAO to take the fall, and Aave to bear the bad debts of the main web site of approximately $216 million; the second route is to ignore the value of all Layer2 maprs rsETH, so that the main web product of Aave will be preserved, but the Layer2 map is likely to collapse and Kelp DAO goodwill will be zero; and the third route is for the rsETH holder before the hack attack to be reimbursed in full on the basis of a flashbook, and the holder of the subsequent purchase or transfer will bear the loss, but it is virtually impossible to operate because the funds have been flowing after the attack。

OneKey founder Yishi says:Now, the best result is to talk to hackers, give them 10-15% bounty, get the big head back. The LayerZero Eco-Foundation, with its wealthiest and most long-term benefits, can save the OFT ecology。Kelp DAO is the poorest, either token + future income supplement, or simply package the whole project to LayerZero or Bitmine. Umbrella and stkaAVE go down the last floor of Aave's Umbrala and stkaave, but WETH depositors can never take a value reduction, otherwise Morpho, Spark, Fluid, Euler is all price-oriented, LRT tracks are all blacked out, and the entire DeFi industry is three years back.”

In any case, it is certain that the parties will continue to do so for a while, after all, involving hundreds of millions of degrees of real money and silver, and that no one wants to be the worst。

As for how much time it would take to give a programme, it was also mentioned earlier that neither of the two giants could afford to take too long。Layer Zero is now forced into a pause by major cooperation agencies and agreements, and long after these partners are bound to change the path across the chain; and Aave is not optimistic that the use of multiple pools has reached 100 per cent and the depositors are in a state of “setdown” ... If ETH suddenly collapses, Aave is likely to get more bad debts because of the inability to effectively liquidate (as is currently the case) and eventually the problem will get bigger as snowballs  -- this is the point where the industry's roots may be frustrated, and no one will be happy to see it。