SlowMist Cosine: Kelp attackers used a single-signature configuration, with transaction fees sourced from Tornado Cash.

CoinFeed reported on April 19th that, regarding the Kelp theft of 116,500 rsETH, SlowMist's preliminary analysis suggests that the attacker used a 1/1 DVN configuration on LayerZero, the classic "single signature" configuration, while the official LayerZero documentation recommends a 2/2 configuration by default. This "single signature, single point of contact" configuration may have been compromised by social engineering techniques (this is just speculation, pending further investigation). The attacker successfully absconded with 116,500 rsETH on Ethereum, and actually attempted to abscond with another 40,000 rsETH twice, but failed. The attacker's transaction fees came from Tornado Cash. The 116,500 rsETH was dispersed and liquidated, putting pressure on various staking platforms, especially Aave, which is now experiencing massive bad debts.