# KelpDAO Related Articles

The HTX News Center provides the latest articles and the most in-depth analysis on "KelpDAO", covering market trends, project updates, technological developments and regulatory policies in the crypto sector.

Aave Is Surrendering the Throne of DeFi Lending Due to Its Own Stupidity

Aave, a leading DeFi lending protocol, is facing a severe crisis and losing its dominant market position due to its poor handling of a recent security incident. The crisis began when Kelp DAO suffered a hack resulting in a loss of $292 million in rsETH. In the aftermath, approximately $17.2 billion in funds flowed out of Aave as user panic escalated. The article criticizes Aave's crisis management as "extremely foolish." Instead of promptly offering reassurance or committing to cover the potential bad debt—estimated between $123.7 million and $230.1 million, which Aave could have afforded—the protocol initially deflected blame, emphasizing that its code was not at fault. This delay and lack of a clear guarantee led to widespread user anxiety, triggering a bank run-like scenario where users withdrew funds or borrowed aggressively from other pools, causing liquidity shortages. Meanwhile, Aave’s competitor Spark—a fork of Aave’s own code—has benefited significantly. Having removed support for rsETH months earlier, Spark avoided any losses from the incident and has since seen its TVL grow by nearly $2 billion, attracting major deposits such as over $1.24 billion from Justin Sun. Spark has actively capitalized on the situation, publicly criticizing Aave’s security reputation. Although Aave’s founder Stani eventually announced a relief plan named "DeFi United" with several partners and a personal donation, the damage to user trust and capital outflows may be irreversible. The article concludes that Aave is losing its throne in DeFi lending to aggressive competitors like Spark, Morpho, and Jupiter Lend.

Odaily星球日报 · 04/24 02:38


Arbitrum Pretends to Be the Hacker, 'Steals' Back the Money Lost by KelpDAO

Last week, KelpDAO suffered a hack resulting in nearly $300 million in losses, marking the largest DeFi security incident this year. Approximately 30,765 ETH (worth over $70 million) remained on an Arbitrum address controlled by the attacker. In an unprecedented move, Arbitrum’s Security Council utilized its emergency authority to upgrade the Inbox bridge contract, adding a function that allowed them to impersonate the hacker’s address and initiate a transfer without access to its private key. The council’s action, approved by 9 of its 12 members, moved the stolen ETH to a frozen address in a single transaction before reverting the contract to its original state. The operation was coordinated with law enforcement, which attributed the attack to North Korea’s Lazarus Group. Community reactions are divided: some praise the recovery of funds, while others question the centralization of power, as the council can upgrade core contracts without governance votes. However, such emergency mechanisms are common among major L2s. Despite the partial recovery, over $292 million was stolen in total, with more than $100 million in bad debt on Aave and remaining funds scattered across other chains. The incident highlights escalating security challenges in DeFi, with state-sponsored hackers employing advanced tactics and L2s responding with elevated countermeasures.

marsbit · 04/21 07:59


The $290 Million Deficit: A Three-Way Game Between Aave, L0, and Kelp—Who Should Foot the Bill?

An incident involving the theft of 116,500 rsETH (worth approximately $290 million) from Kelp DAO’s cross-chain bridge contract has triggered a complex dispute over responsibility and compensation among Kelp DAO, LayerZero, and Aave. The attack occurred due to a compromised RPC provider used by LayerZero’s Decentralized Verifier Network (DVN). Since Kelp DAO’s bridge used a 1/1 DVN configuration—a single point of failure—the attacker successfully forged a cross-chain message, leading to the unauthorized release of rsETH tokens from the mainnet. These genuine tokens were then deposited into Aave and other lending platforms to borrow WETH, enabling the attacker to exit with the funds.

Responsibility is attributed primarily to Kelp DAO for its risky 1/1 DVN setup. LayerZero bears secondary responsibility for permitting such a vulnerable configuration in its protocol layer. Aave also shares indirect blame for over-collateralizing rsETH and other Liquid Restaking Token (LRT) assets without adequate ongoing risk oversight. Kelp DAO lacks sufficient funds to cover the loss, shifting focus to the deeper-pocketed players: LayerZero, whose cross-chain ecosystem and reputation are at risk, and Aave, which faces massive bad loans and declining Total Value Locked (TVL). Aave has asserted that mainnet rsETH remains fully backed, implying it expects Kelp DAO to allow redemption of underlying ETH. This approach would preserve Aave’s mainnet positions but invalidate Layer2 rsETH, damaging LayerZero’s cross-chain credibility.

Potential solutions include:

- A universal 18.5% haircut on all rsETH holders, causing significant Aave bad debt.
- Writing off Layer2 rsETH entirely, protecting Aave mainnet but harming LayerZero and Kelp DAO.
- Negotiating a bounty with the hacker for partial fund return.
- A joint bailout, possibly led by LayerZero’s ecosystem fund, given its long-term stake in the cross-chain ecosystem.

The situation remains unresolved as the parties negotiate, but prolonged delay risks broader DeFi instability, including potential liquidity crises and loss of confidence in LRT and cross-chain infrastructures.

Odaily星球日报 · 04/20 08:52


An Open-Source AI Tool That No One Saw Predicted Kelp DAO's $292 Million Vulnerability 12 Days Ago

An open-source AI security tool flagged critical risks in Kelp DAO’s cross-chain architecture 12 days before a $292 million exploit on April 18, 2026—the largest DeFi incident of the year. The vulnerability was not in the smart contracts but in the configuration of LayerZero’s cross-chain bridge: a 1-of-1 Decentralized Verifier Network (DVN) setup allowed an attacker to forge cross-chain messages with a single compromised node. The tool, which performs AI-assisted architectural risk assessments using public data, identified several unremediated risks, including opaque DVN configuration, single-point-of-failure across 16 chains, unverified cross-chain governance controls, and similarities to historical bridge attacks like Ronin and Harmony. It also noted the absence of an insurance pool, which amplified losses as Aave and other protocols absorbed nearly $300M in bad debt. The attack unfolded over 46 minutes: the attacker minted 116,500 rsETH on Ethereum via a fraudulent message, used it as collateral to borrow WETH on lending platforms, and laundered funds through Tornado Cash. While an emergency pause prevented two subsequent attacks worth ~$200M, the damage was severe. The tool’s report, committed to GitHub on April 6, scored Kelp DAO a medium-risk 72/100—later acknowledged as too lenient. It failed to query on-chain DVN configurations or initiate private disclosure, highlighting gaps in current DeFi security approaches that focus on code audits but miss config-level and governance risks. The incident underscores the need for independent, AI-powered risk assessment tools that evaluate protocol architecture, not just code.

marsbit · 04/20 03:23


DeFi Hacked Again for $292 Million, Is Even Aave No Longer Safe?

On April 19, a major DeFi security breach occurred, resulting in the loss of approximately $292 million. The attack targeted Kelp DAO’s rsETH bridge contract built on LayerZero, with 116,500 rsETH stolen. The attacker initiated the exploit using funds from Tornado Cash and manipulated the LayerZero EndpointV2 contract to transfer the assets. Kelp DAO confirmed the incident and temporarily paused rsETH contracts across multiple networks while collaborating with security experts for investigation. Initial analysis suggests the root cause was a compromised private key on the source chain, with the contract secured by only a 1/1 validator set, making it vulnerable to a single malicious transaction. The attacker used the stolen rsETH as collateral on lending platforms—including Aave, Compound, and Euler—to borrow more liquid assets like WETH, accumulating over $236 million in debt. Aave alone accounted for $196 million of this amount. In response, Aave froze its rsETH markets and stated it would explore covering potential bad debt through its Umbrella safety module, which holds around $50 million in WETH. This incident follows another large exploit earlier in April, where Drift Protocol on Solana lost $280 million. The repeated high-value attacks raise concerns about DeFi security, even affecting major protocols like Aave. Users are advised to exercise caution, diversify holdings, and limit exposure to on-chain protocols until more robust security measures are established.

marsbit · 04/18 23:31
