The recent Kelp DAO–LayerZero–Arbitrum–Aave mess brings together a lot of longstanding problems. And the fights over who is responsible and where the losses go are going to be a thing of beauty. It is also quite likely some involved parties end up with bigger trouble than they anticipated when they took action to respond. There are some very wide-ranging implications of what happened here. And a lot of industry dishonesty was unmasked when people took surprising actions.
To understand all of this we are going to review what happened, then compare what several involved parties did – and how those actions conflict with those very same parties' longstanding claims. Finally, we will talk about some likely consequences of those actions.
None of this is new. In fact Binance modifying the code for Binance Smart Chain to freeze assets of the BNB Bridge hacker is a near-perfect copy of the latest incident. A bridging thing was hacked. Dodgy tokens were printed. They were deposited as collateral to borrow other assets. In that case it was not Aave but rather Venus. Then a blockchain decided to freeze what were supposed to be bearer assets to save everyone. The details differ a little. But the current incident certainly rhymes with that. From 2022. You have to wonder where things would stand if action had been taken against Binance for running BSC as a custodial no-KYC platform at that time.
There is really no way around it. Only a tiny fraction of web3 is non-custodial and fully automated. Essentially no complex services have fully achieved that end-to-end. And there is little-to-no progress in the past few years. These old lines of code are still beautiful: BNB Smart Chain's off-chain blacklist and the logic that censors blacklisted state transitions.
What Happened
Kelp DAO is an Ethereum restaking protocol. To make it easier for their tokens to circulate on multiple blockchains Kelp set up something like a bridge run by LayerZero. LayerZero is a "bridge" "provider" that has historically made some very strong and inaccurate claims about their own technology. Their own whitepaper and a lot of their marketing material calls it a "trustless" product. That is false. Over time they migrated to calling the thing trust minimized, which... the key here is going to be how close to zero that minimum is, right?
Kelp engaged LayerZero to run "bridging" infrastructure for them and it seems LayerZero was accepting payment to run a bridge they now describe as poorly configured. LayerZero is "trust minimized" in that it provides something like a multisig to secure cross-chain interactions and you "only" need to trust the voting threshold on the multisig.
The technical details are a little messier than that. You end up relying on a thing they call a "decentralized verifier network" (DVN) with something like an X-of-Y-of-N signing scheme. And the signers are best thought of as nodes on a permissioned blockchain connecting N separate blockchains. So just imagine you have a small permissioned blockchain node set and the nodes connect to different networks and all come to consensus on cross-chain messages. You need nodes connected to each of the involved chains. And then enough nodes on enough chains need to agree on all the cross-chain messages for this blockchain-adjacent thing to churn out asset transfers from place to place.
Kelp had a single-signature threshold linking their chains together. Someone compromised that signer and had control. Was 1-of-1-of-whatever a bad configuration? It was dumb. But it was valid. Define "bad" maybe?
Should LayerZero have accepted payment to run a DVN with this configuration? Step back and ask if a random software development consultancy should have accepted payment for this? It is insecure but it would be hard to fault developers, or auditors, that signed off on this with the right caveats. It is a valid configuration. Kelp DAO has claimed they ran the default configuration. Having said that the default is often insecure. This does not mean much.
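To make the threshold question concrete, here is an added example (not LayerZero's or Kelp's code) of a simplified X-of-Y-of-N verifier model with the configuration checks a reviewer would run before relying on a DVN set. It assumes that all "required" verifiers must attest and at least Y of the N "optional" verifiers must attest; the verifier names and both configurations are constructed.

```python
# Added example (not LayerZero's or Kelp's code): a simplified model of an
# X-of-Y-of-N verifier set, used to check a DVN configuration before relying on it.
# Assumption: X "required" verifiers must all attest, and at least Y of the
# N "optional" verifiers must attest, for a cross-chain message to be accepted.
from dataclasses import dataclass

@dataclass(frozen=True)
class DvnConfig:
    required: frozenset      # verifiers that must all attest
    optional: frozenset      # verifiers from which `threshold` must attest
    threshold: int           # Y: how many optional attestations are needed

    def accepts(self, attesting: set) -> bool:
        """Return True if the attesting verifier set satisfies the policy."""
        if not self.required <= attesting:
            return False
        return len(self.optional & attesting) >= self.threshold

    def min_compromised_keys(self) -> int:
        """Smallest number of verifier keys whose compromise alone lets a message
        through: every required key plus `threshold` optional keys."""
        return len(self.required) + self.threshold

def config_findings(cfg: DvnConfig) -> list:
    """Defensive configuration checks a reviewer would want before trusting a DVN."""
    findings = []
    if cfg.threshold > len(cfg.optional):
        findings.append("threshold exceeds optional verifier count: messages can never verify")
    if cfg.min_compromised_keys() <= 1:
        findings.append("single point of compromise: one key suffices for any cross-chain message")
    if cfg.required & cfg.optional:
        findings.append("verifier listed as both required and optional")
    return findings

# Constructed configurations. The first mirrors the 1-of-1 setup the article describes.
SINGLE_SIGNER = DvnConfig(frozenset({"dvn-A"}), frozenset(), 0)
MULTI_PARTY = DvnConfig(frozenset({"dvn-A", "dvn-B"}), frozenset({"dvn-C", "dvn-D", "dvn-E"}), 2)

if __name__ == "__main__":
    for name, cfg in (("single signer", SINGLE_SIGNER), ("multi-party", MULTI_PARTY)):
        print(name, "needs", cfg.min_compromised_keys(), "compromised keys;",
              "a lone dvn-A attestation is accepted:", cfg.accepts({"dvn-A"}),
              "; findings:", config_findings(cfg))
```

Both configurations are "valid" in that the policy is satisfiable; only the findings list distinguishes the one where a single compromised signer is enough.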
But should LayerZero itself have accepted money to run it this way? That is harder. You may not be responsible for everything anyone does with your open source software. And you may not be responsible for every decision your clients make that you warn them might go wrong. But you kind of are responsible for bad uses of your own software that someone paid you to set up and maintain.
Anyway, Kelp's setup got exploited and that generated a lot of unbacked Kelp liquid restaking tokens. These should be worth +/- what ETH tokens are worth. And because liquid restaking has until now been considered safe, lots of borrowing and lending protocols will accept these tokens as collateral with low haircuts.
Enter Aave. Unbacked restaking tokens were pledged into Aave to borrow WETH. WETH should be unfreezeable. WETH on Ethereum is unfreezeable. ETH on Ethereum is also unfreezeable.
But a lot of this activity happened on Arbitrum. And both ETH and WETH on Arbitrum are freezeable. This surprised many people. And Arbitrum froze about 30 thousand ETH worth about US$ 70 million.
This broke 3 major assumptions in DeFi:
- Unless a token has an explicit freeze function it cannot be frozen. ETH and WETH specifically are unfreezeable.
- Liquid restaking's only risk is slashing. And slashing insurance lowers this to a negligible level.
- The risk in overcollateralized lending is the liquidation auction stop-loss.
LayerZero has been on the receiving end of criticism for fake-decentralization for a long time. We do not really count the "discovery" LayerZero is just a small multisig as breaking any core assumptions. It is also hardly the first bridge-like thing to get exploited.
And in truth none of this is surprising. We have written extensively about many solutions pretending to solve problems by simply centralizing everything and using inaccurate marketing for years. Kelp and LayerZero here clearly offered a centralized "solution" without being terribly clear about it.

We've also talked about how many products use the word decentralized but still have discretionary control over user assets in foreseeable, and foreseen, conditions. Arbitrum clearly had some kind of custody, some flavour of independent control, over funds if it could seize them.

These problems, and this dishonesty, are a core reason the US has struggled to pass legislation. Too many people read the proposed rules, realize their existing business would be "clearly" classified as illegal, and lose interest in clarity.

Until this incident Arbitrum could at least pretend it was a decentralized and non-custodial platform. That is, after all, what the documentation says. But it is not what the code actually says. Or so it would seem given they seized ETH.
All of this comes together to cause some real problems.
Some Responses
Arbitrum is claiming this was all about safety. And, to be fair to Arbitrum, they kind of admit they can do this in the docs. The Arbitrum Security Council saw what it perceived to be a critical risk to Arbitrum and decided to exercise discretionary powers to seize "non-custodial" assets. Morally there is nothing wrong here.
And, of course, the Security Council could always have done this. This raises interesting legal questions we will come to in a moment. It also lays bare that at least part of Arbitrum's solution for scaling was to centralize control. That is not really up for debate anymore as the control was exercised.
Aave, on the other hand, does not have a way to reverse these transactions or seize the funds. Aave's problem, such as it is, was assuming Kelp's tokens were money good. And then Aave pools became undercollateralized when they accepted the unbacked tokens. A better auction mechanism, or a bigger haircut, will not solve that one.
Price Discovery
One thing that would have stopped the problem is quicker price discovery. Kelp was exploited to issue tokens without any corresponding ETH deposits. But Kelp still contained a bunch of ETH.
Say Kelp had 100 ETH inside and 100 outstanding tokens. These are worth 1.0 ETH each. If a hacker goes and produces an additional 100 tokens without depositing any backing what happens?
Until someone discovers the hack we have 200 tokens worth 1 ETH each. When the hack is discovered the price should drop to something like 0.5 ETH. Obviously it might go lower if Kelp is left wide open or people lose confidence in Kelp's ability to have any security. But to simplify just assume a price of 0.5. Aave now has no problem if it lends against the collateral at a value of 0.5 ETH per token.
Outstanding Aave loans backed by Kelp tokens may be uncollateralized. But that is kind of how this all works. Those loans would get liquidated and things would move on. Realistically the losses would probably end up with a liquidation bot that bought the tokens at, say, 0.8 ETH thinking it got a great deal. That bot would eat the loss.
There is no difference between this sequence of events and when a stablecoin depegs. Or when a token just randomly gaps down a lot. Aave's problem was exacerbated by the pledges happening before the price drop reflected the missing collateral. This is a variant of the slowness-of-tracing problem in compliance. Normally we think of a hacker trying to outrun a block, like Railgun's failure to block the UpBit hacker in time, which resulted in tension within the privacy community alongside successful laundering. Here the issue was not slow tracing or propagation of knowledge about a technical issue. It was a slowly-reacting price.
If you hack Kelp there is some period of time in which only you know. Unless you sell the tokens the market will not react until someone else notices. Getting a loan from Aave is the same dynamic as beating Railgun's PPOI: you can only profit if you use your head start to win the race. This is a generic feature of markets and hacks.
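The 100-ETH / 200-token scenario above, carried through to the lender's view, as an added example that is not Aave's or Kelp's code. It assumes a lender that values collateral at an oracle price, applies a flat haircut, and counts any debt above the post-haircut collateral value as a shortfall; the numbers are the constructed ones from the text.

```python
# Added example (not Aave's or Kelp's code): the backing-ratio arithmetic from the
# text, carried through to what a lender sees on a loan written against the token.
# Assumptions: collateral is valued at an oracle price with a flat haircut, and the
# position has a shortfall when debt exceeds the post-haircut collateral value.

def fair_price(eth_reserves: float, token_supply: float) -> float:
    """ETH backing per token: where the price should settle once the market knows."""
    return eth_reserves / token_supply

def max_borrow(collateral_tokens: float, price: float, haircut: float) -> float:
    """ETH a lender will advance against the tokens at a given price and haircut."""
    return collateral_tokens * price * (1.0 - haircut)

def shortfall(debt_eth: float, collateral_tokens: float, price: float, haircut: float) -> float:
    """Bad debt left for the pool if the position were closed at `price`
    (zero while the collateral still covers the debt)."""
    return max(0.0, debt_eth - max_borrow(collateral_tokens, price, haircut))

def stale_price_scenario(reserves, supply, minted, pledged, haircut) -> dict:
    """Walk the article's scenario: tokens minted without backing, pledged before repricing."""
    pre_price = fair_price(reserves, supply)            # 1.0 ETH: market has not noticed yet
    post_price = fair_price(reserves, supply + minted)  # 0.5 ETH once the hack is known
    debt = max_borrow(pledged, pre_price, haircut)      # loan written at the stale price
    repriced_debt = max_borrow(pledged, post_price, haircut)  # loan written after repricing
    return {
        "stale_price": pre_price,
        "true_price": post_price,
        "debt_eth": debt,
        "shortfall_at_true_price": shortfall(debt, pledged, post_price, haircut),
        "shortfall_if_repriced_first": shortfall(repriced_debt, pledged, post_price, haircut),
    }

if __name__ == "__main__":
    # Constructed inputs: 100 ETH backing 100 tokens, 100 more minted unbacked, 100 pledged.
    for haircut in (0.10, 0.50):
        print("haircut", haircut, stale_price_scenario(100, 100, 100, 100, haircut))
```

Running it with both haircuts shows the point in the text: the shortfall shrinks with a bigger haircut but never reaches zero, because the loan was sized at the stale price; only pricing the collateral correctly before the pledge removes it.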
Recovery
Aave launched a fundraising effort called DeFi United to bail out undercollateralized pools. The idea seems to be that if Aave depositors have to take a loss – even though everyone involved knew they were bearing risk, or was supposed to, and was earning yield for it – it will bring down DeFi. So it is in the interest of unrelated third parties to bail this one out and keep the party going.
We think this is a stupid idea.
The problem with socialism is that you eventually run out of other people's money. - Margaret Thatcher
Risk needs to result in losses sometimes. Even if this fundraising effort succeeds there will be another larger hack and eventually there will be no bailout. FTX looked for a bailout and when it did not come things got ugly.
Further, you cannot trust users to police risks when they are not exposed to the consequences of those risks. All this bailout does is condition people that DeFi really is riskless. So when something large breaks it will be worse next time.
We also think the legal consequences for a few involved parties here will discourage taking action next time. So not only will some future problem overwhelm fundraising capacity – we think groups like Arbitrum's Security Council will be less likely to help out next time. So things will be much, much, worse.
Consequences
Truly immutable software is not capable of entering into contracts because it cannot do anything beyond what it was originally programmed to do. This was the US Fifth Circuit's logic in throwing out the Tornado Cash sanctions. And it feels reasonable to us.
But what does it mean to be "truly immutable"? It is easier to list things that do not qualify. If a DAO can upgrade the code it is not immutable. If a Security Council can take arbitrary action it is not immutable. If there are admin keys – secret or otherwise – it is not immutable.
What you instead have in these cases is a system with discretion and mutability that is ultimately governed by a group of people or companies. This is well-worn legal territory:

These groups are legally accountable for what their members do. Often any individual member can be held accountable for anything the group does through a legal concept called "joint and several liability."
That means Arbitrum's Security Council may well face scrutiny for not blocking sanctioned actor use of Arbitrum in the past. Just as LayerZero may face liability for running Kelp's system in an insecure fashion. Kelp could, for example, sue the LayerZero entity it was paying to run the bridge for negligence.
Would Kelp win? Who knows. But there is plausibly a case. Will Arbitrum's Security Council members face problems?
We will note there are a number of Iranian exchanges active on Arbitrum and two Security Council members are Israeli. One is a cybersecurity company that does smart contract audits and the like. You cannot make this stuff up.
Aave seems safest here. Aave's risk parameters turned out, ex post, to be inadequate. Of course someone could try to take legal action against something or someone Aave-linked. But Aave's got a solid defense here: the risk was clearly stated and everyone involved knew exactly what they were doing.
Aave also has the most money. Who do you sue? The thing where the chance of paying multiplied by the amount of money they might pay is biggest. So somebody might have a go.
Aave also, reasonably, fears that if DeFi users realize they have been taking risk all along they might take their winnings and go home. Fair enough. We also wonder what Arbitrum users will think. This should, and probably will, cause a repricing across L2s as people wake up to the realities of custody vectors.
