Should the Public RPC Initiative Implement a GeoDNS Load-Balancer?

The rsETH Precedent: Why a Routing Wrapper is a Critical Vulnerability
To illustrate why these architectural concerns are not just theoretical, we only need to look at the devastating $292 million rsETH (KelpDAO/LayerZero) exploit from April of this year.
It is vital to understand that the rsETH incident was not a smart contract failure or a cryptographic bug. It was a highly sophisticated, targeted attack on off-chain infrastructure and RPC routing.
The attackers compromised specific internal RPC nodes and simultaneously executed a DDoS attack on the healthy, external RPC nodes. This forced the network’s verification traffic to “failover” and route entirely through the compromised infrastructure. Because the system relied on a centralized verification bottleneck, the attackers were able to feed falsified blockchain data to the bridge, tricking it into releasing nearly $300 million based on a phantom transaction.
The parallels to our current proposal are alarming.
The trend is clear: sophisticated attackers are shifting their focus away from heavily audited smart contracts and toward the Web2 routing and infrastructure layers that connect them. By introducing a centralized GeoDNS/load-balancing wrapper, we are actively designing the exact type of traffic bottleneck that malicious actors are now targeting.
If we establish a centralized load balancer—especially while simultaneously discussing budget cuts that reduce the total number of independent, decentralized RPC providers—we drastically reduce Polkadot’s resilience. We make it exponentially easier for an attacker to hijack the central wrapper, compromise the admin keys, or DDoS the honest endpoints to feed poisoned state data to our dApps, off-chain workers, and bridge relayers.
We cannot trade cryptographic trustlessness for Web2 convenience. If we need automated proximity routing and failover, it must be built safely on the client side to preserve strict end-to-end encryption. I urge the proposers and the community to restrict this bounty strictly to direct, decentralized RPC endpoints before we officially fund a critical vulnerability.
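The client-side failover the post asks for, sketched as an added example that is not part of the original post or of any Polkadot tooling: the client ranks directly connected endpoints by latency, but refuses to route at all unless enough independent operators report the same finalized head. The function name, endpoint URLs, operator labels and hashes are hypothetical, and the probes are assumed to refer to the same finalized height.

```javascript
// Added example. Probe results below are constructed; a real client would
// fill them by calling chain_getFinalizedHead on each endpoint directly.
// Assumption: all probes refer to the same finalized height.

// Hypothetical helper: route only when `quorum` independent operators agree.
function selectEndpoints(probes, quorum) {
  const byHash = new Map(); // finalizedHash -> { operators: Set, probes: [] }
  for (const p of probes) {
    if (!p.ok) continue; // unreachable endpoints cast no vote
    if (!byHash.has(p.finalizedHash)) {
      byHash.set(p.finalizedHash, { operators: new Set(), probes: [] });
    }
    const group = byHash.get(p.finalizedHash);
    group.operators.add(p.operator); // many nodes, one operator: one vote
    group.probes.push(p);
  }
  let best = null;
  for (const [hash, group] of byHash) {
    if (!best || group.operators.size > best.operators.size) {
      best = { hash, operators: group.operators, probes: group.probes };
    }
  }
  // Fail closed: never fall back to whichever endpoints happen to answer.
  if (!best || best.operators.size < quorum) {
    return { trusted: false, hash: null, endpoints: [] };
  }
  const endpoints = best.probes
    .slice()
    .sort((a, b) => a.latencyMs - b.latencyMs) // proximity: fastest first
    .map((p) => p.url);
  return { trusted: true, hash: best.hash, endpoints };
}

// Constructed sample: three independent operators, all reachable.
const healthy = [
  { url: "wss://rpc-a.example", operator: "op-a", ok: true, latencyMs: 80, finalizedHash: "0xaaa" },
  { url: "wss://rpc-b.example", operator: "op-b", ok: true, latencyMs: 20, finalizedHash: "0xaaa" },
  { url: "wss://rpc-c.example", operator: "op-c", ok: true, latencyMs: 45, finalizedHash: "0xaaa" },
];
// Constructed sample: two operators unreachable, one operator answers alone.
const degraded = [
  { url: "wss://rpc-a.example", operator: "op-a", ok: false },
  { url: "wss://rpc-b.example", operator: "op-b", ok: false },
  { url: "wss://rpc-c1.example", operator: "op-c", ok: true, latencyMs: 10, finalizedHash: "0xbbb" },
  { url: "wss://rpc-c2.example", operator: "op-c", ok: true, latencyMs: 12, finalizedHash: "0xbbb" },
];
```

With a quorum of 2, the `healthy` set yields a latency-ordered endpoint list, while the `degraded` set returns `trusted: false` instead of silently routing everything through the one operator still answering.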