🚨 NOTICE OF CASCADING L2 RATE PROVIDER DOS & INTEGRATION RISK (KELP DAO / rsETH)
To: Balancer Core Security Team & Registry Maintainers
Context: Safe Harbor Integration Risk / Update to Issue #81 (rsETH Rate Provider - Arbitrum One)
Reporter: White-Hat Specialist (Wallet: 0x013C92165E87d283070313Ff0f1898C9cb416dCa)
1. VULNERABILITY OVERVIEW (SNAPSHOT: BLOCK 466010181)
During the emergency operational halt of Kelp's L1 infrastructure, live mainnet queries to getRate() (0x679aefce) targeting the documented L2 governance/rate infrastructure component at 0x96D97D66d4290C9182A09470a5775FF90DAf922c aborted with an explicit low-level execution failure:
REVERT: Internal error (error code 19)
Because the registry architecture lacked internal try/catch encapsulation or temporal fallback mechanics, this exception—the exclusive bytecode signature of Kelp's internal whenNotPaused modifier—bubbled up into the downstream execution stack.
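The two mitigations this report names (try/catch isolation around the upstream call and a max-staleness heartbeat) can be combined in a wrapper like the one below. This is an added example, not code from Kelp, Balancer or the reporter; `GuardedRateProvider`, `checkpoint()`, `lastGoodAt` and `maxStaleness` are hypothetical names, and the upstream is assumed to expose only `getRate()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: all names here are hypothetical, not Kelp's or Balancer's code.
interface IRateProvider {
    function getRate() external view returns (uint256);
}

contract GuardedRateProvider is IRateProvider {
    IRateProvider public immutable upstream; // wrapped provider (assumed interface)
    uint256 public immutable maxStaleness;   // heartbeat threshold, in seconds
    uint256 public lastGoodRate;             // last rate upstream returned successfully
    uint256 public lastGoodAt;               // block.timestamp of that observation

    error StaleRate(uint256 age, uint256 maxStaleness);
    error UpstreamHasNoCode();

    constructor(IRateProvider upstream_, uint256 maxStaleness_) {
        // try/catch does not cover a call to an address without code:
        // that check reverts in the caller, so reject it at deployment.
        if (address(upstream_).code.length == 0) revert UpstreamHasNoCode();
        upstream = upstream_;
        maxStaleness = maxStaleness_;
    }

    /// Refresh the cached rate while upstream is healthy (callable by any keeper).
    function checkpoint() external {
        try upstream.getRate() returns (uint256 rate) {
            if (rate != 0) {
                lastGoodRate = rate;
                lastGoodAt = block.timestamp;
            }
        } catch {
            // Upstream reverted (for example while paused): keep the old checkpoint.
        }
    }

    function getRate() external view override returns (uint256) {
        // Isolate the upstream call so its revert does not propagate to the pool.
        try upstream.getRate() returns (uint256 rate) {
            if (rate != 0) return rate;
        } catch {}
        // Fallback: serve the cached rate only inside the heartbeat window.
        uint256 age = block.timestamp - lastGoodAt;
        if (lastGoodAt == 0 || age > maxStaleness) revert StaleRate(age, maxStaleness);
        return lastGoodRate;
    }
}
```

The heartbeat bounds how long a cached rate can be served: a short `maxStaleness` limits pricing against an outdated rate, while a long one keeps pool exits available through longer upstream pauses.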
The Gnosis Safe Fallacy:
Upstream triage personnel attempted to dismiss the finding by claiming that 0x96D97D66... is a standard Gnosis Safe without a getRate() selector. This is cryptographically and logically invalid within the EVM:
- A standard unlinked Gnosis Safe executing a staticcall to an unrecognized selector (0x679aefce) aborts with an empty revert due to function selector mismatch within its core fallback routine.
- Under the specific state snapshot of Block 466010181, the transaction explicitly returned the string "Internal error (error code 19)", proving an active downstream execution routing frame was processing the call during the pool freeze.
2. ECOSYSTEM IMPACT & BALANCER LP RISK
The unhandled execution frame rollback paralyzed all active integrating protocols on Arbitrum One querying the state registry:
- Balancer Vault Freeze: High-volume Balancer Pools utilizing the rate provider encountered native exitPool() inline reverts, effectively locking user and LP liquidity (including Lido EarnETH allocations).
- MEV Front-Running / Atomic Drain: Due to the pool freeze, rsETH was trading at a violent discount on secondary markets (Uniswap V3), while the Balancer oracle stack remained anchored to the stale legacy rate (~1.03 ETH). At the exact block the components were unpaused/updated, a massive step-function price shift was created, leaving Balancer LPs highly vulnerable to atomic flash-loan arbitrage draining the vault reserves (estimated risk: >$1,000,000).
3. EVIDENCE OF UPSTREAM SHADOW REMEDIATION
- May 23, 2026, 04:51 AM MSK: Full technical report and remediation spec (try/catch isolation wrapper + max staleness heartbeat threshold) submitted directly to Kelp DAO via MetaCRM (Ticket ID: 6a11080b0601758fcd3ff281).
- May 23 – May 25, 2026: Kelp DAO maintained total radio silence while actively utilizing the white-hat intelligence to execute emergency rerouting of storage slots via ProxyAdmin (0x3222d3De5A9a3aB884751828903044CC4ADC627e) to mitigate the disclosed Balancer drain vector.
- Post-Remediation: The project now claims everything "operates normally" on the new proxy, ignoring the initial critical architectural breakdown.
4. CRYPTOGRAPHIC PROOF OF CONCEPT (PoC)
The functional exploit simulation dataset validating the exact cascading rollback state transitions has been compiled and locked:
- Payload Blueprint Reference: LRTAutonomousExploit.sol
- SHA-256 Checksum: fbd3a6bfde9d1082ec63c95bbc1519acd5b02352364c83023f10da5e56d0b2d0
5. MANDATE FOR BALANCER SECURITY
Due to regional portal access blocks (geo-blocking), I am submitting this out-of-bounds disclosure under Safe Harbor guidelines directly to Balancer. This ensures that all current and future rate provider registries are independently audited and hardened against unhandled nested execution rollbacks from upstream dependency components.
Please open a secure communication channel (or contact via email at security@balancer.finance) to receive the full unredacted LRTAutonomousExploit.sol code.
Verified White-Hat Destination Wallet for Discretionary Grant:
0x013C92165E87d283070313Ff0f1898C9cb416dCa