# Hack Related Articles

HTX News Center provides the latest articles and in-depth analysis on "Hack", covering market trends, project updates, tech developments, and regulatory policies in the crypto industry.

$292 Million KelpDAO Cross-Chain Bridge Hack: Who Should Foot the Bill?

On April 18, 2026, an attacker stole 116,500 rsETH (worth ~$292M) from KelpDAO’s cross-chain bridge in 46 minutes—the largest DeFi exploit of 2026. The stolen assets were deposited into Aave V3 as collateral, causing $177–200M in bad debt and triggering a cascade of losses across nine DeFi protocols. Aave’s TVL dropped by ~$6B overnight. This legal analysis argues that KelpDAO and LayerZero Labs share concurrent liability, with fault apportioned 60%/40%. KelpDAO negligently configured its bridge with a 1-of-1 decentralized verifier network (DVN)—a single point of failure—despite LayerZero’s explicit recommendation of a 2-of-3 setup. LayerZero, which operated the compromised DVN, failed to secure its RPC infrastructure against a known poisoning attack vector. Both protocols’ terms of service cap liability at $200 (KelpDAO) or $50 (LayerZero), but these limits are likely unenforceable due to unconscionability, gross negligence exceptions, and potential securities law invalidation (if rsETH is deemed a security under the Howey test). Aave’s governance also faces fiduciary duty claims for raising rsETH’s loan-to-value ratio to 93%—far above competitors’ 72–75%—without adequately assessing bridge risks, amplifying the systemic fallout. Practical recovery targets include LayerZero Labs (a registered Canadian entity), KelpDAO’s founders, auditors, and identifiable Aave governance delegates. The incident underscores escalating legal risks for DeFi protocols, infrastructure providers, and governance participants.

marsbit04/24 06:25

$292 Million KelpDAO Cross-Chain Bridge Hack: Who Should Foot the Bill?

marsbit04/24 06:25

Aave Is Surrendering the Throne of DeFi Lending Due to Its Own Stupidity

Aave, a leading DeFi lending protocol, is facing a severe crisis and losing its dominant market position due to its poor handling of a recent security incident. The crisis began when Kelp DAO suffered a hack resulting in a loss of $292 million in rsETH. In the aftermath, approximately $17.2 billion in funds flowed out of Aave as user panic escalated. The article criticizes Aave's crisis management as "extremely foolish." Instead of promptly offering reassurance or committing to cover the potential bad debt—estimated between $123.7 million and $230.1 million, which Aave could have afforded—the protocol initially deflected blame, emphasizing that its code was not at fault. This delay and lack of a clear guarantee led to widespread user anxiety, triggering a bank run-like scenario where users withdrew funds or borrowed aggressively from other pools, causing liquidity shortages. Meanwhile, Aave’s competitor Spark—a fork of Aave’s own code—has benefited significantly. Having removed support for rsETH months earlier, Spark avoided any losses from the incident and has since seen its TVL grow by nearly $2 billion, attracting major deposits such as over $1.24 billion from Justin Sun. Spark has actively capitalized on the situation, publicly criticizing Aave’s security reputation. Although Aave’s founder Stani eventually announced a relief plan named "DeFi United" with several partners and a personal donation, the damage to user trust and capital outflows may be irreversible. The article concludes that Aave is losing its throne in DeFi lending to aggressive competitors like Spark, Morpho, and Jupiter Lend.

Odaily星球日报04/24 02:38

Aave Is Surrendering the Throne of DeFi Lending Due to Its Own Stupidity

Odaily星球日报04/24 02:38

Six Years Since DeFi Summer, How Will the Decentralized Financial Revolution Continue?

In 2026, the DeFi sector faces a severe trust crisis following a series of high-profile security breaches, including a $292 million theft from KelpDAO’s rsETH, a $2.85 million exploit at Drift Protocol due to permission vulnerabilities, and a $14.9 million lending failure at Venus Protocol. These incidents triggered a withdrawal of approximately $10 billion from DeFi over a single weekend, highlighting systemic risks beyond smart contract flaws—such as governance, cross-chain complexity, and operational weaknesses. Despite these challenges, on-chain finance continues to grow, with capital shifting toward safer, regulated products. Stablecoins like USDT ($185B) and USDC ($78B) have reached a combined market cap of $263 billion, while tokenized U.S. Treasuries surged to $10.93 billion. Visa’s growing USDC settlement volume, now annualized at $3.5 billion, signals increasing institutional adoption of compliant blockchain-based financial infrastructure. The competition for the future of on-chain finance is intensifying. While native DeFi struggles with trust and capital outflows, regulated products—stablecoins, tokenized assets, and ETFs—are gaining dominance by offering programmable, 24/7 settlement without high DeFi risks. Over 80 crypto projects shut down in Q1 2026, reflecting dwindling patience for speculative ventures. The core challenge for open DeFi is to rebuild trust and demonstrate irreplaceable value—or risk ceding its role as the primary entry point to on-chain finance.

marsbit04/21 09:10

Six Years Since DeFi Summer, How Will the Decentralized Financial Revolution Continue?

marsbit04/21 09:10

Arbitrum Pretends to Be the Hacker, 'Steals' Back the Money Lost by KelpDAO

Title: Arbitrum Poses as Hacker to Recover Stolen Funds from KelpDAO Last week, KelpDAO suffered a hack resulting in nearly $300 million in losses, marking the largest DeFi security incident this year. Approximately 30,765 ETH (worth over $70 million) remained on an Arbitrum address controlled by the attacker. In an unprecedented move, Arbitrum’s Security Council utilized its emergency authority to upgrade the Inbox bridge contract, adding a function that allowed them to impersonate the hacker’s address and initiate a transfer without access to its private key. The council’s action, approved by 9 of its 12 members, moved the stolen ETH to a frozen address in a single transaction before reverting the contract to its original state. The operation was coordinated with law enforcement, which attributed the attack to North Korea’s Lazarus Group. Community reactions are divided: some praise the recovery of funds, while others question the centralization of power, as the council can upgrade core contracts without governance votes. However, such emergency mechanisms are common among major L2s. Despite the partial recovery, over $292 million was stolen in total, with more than $100 million in bad debt on Aave and remaining funds scattered across other chains. The incident highlights escalating security challenges in DeFi, with state-sponsored hackers employing advanced tactics and L2s responding with elevated countermeasures.

marsbit04/21 07:59

Arbitrum Pretends to Be the Hacker, 'Steals' Back the Money Lost by KelpDAO

marsbit04/21 07:59

The $290 Million Deficit: A Three-Way Game Between Aave, L0, and Kelp—Who Should Foot the Bill?

An incident involving the theft of 116,500 rsETH (worth approximately $290 million) from Kelp DAO’s cross-chain bridge contract has triggered a complex dispute over responsibility and compensation among Kelp DAO, LayerZero, and Aave. The attack occurred due to a compromised RPC provider used by LayerZero’s Decentralized Verifier Network (DVN). Since Kelp DAO’s bridge used a 1/1 DVN configuration—a single point of failure—the attacker successfully forged a cross-chain message, leading to the unauthorized release of rsETH tokens from the mainnet. These genuine tokens were then deposited into Aave and other lending platforms to borrow WETH, enabling the attacker to exit with the funds. Responsibility is attributed primarily to Kelp DAO for its risky 1/1 DVN setup. LayerZero bears secondary responsibility for permitting such a vulnerable configuration in its protocol layer. Aave also shares indirect blame for over-collateralizing rsETH and other Liquid Restaking Token (LRT) assets without adequate ongoing risk oversight. Kelp DAO lacks sufficient funds to cover the loss, shifting focus to the deeper-pocketed players: LayerZero, whose cross-chain ecosystem and reputation are at risk, and Aave, which faces massive bad loans and declining Total Value Locked (TVL). Aave has asserted that mainnet rsETH remains fully backed, implying it expects Kelp DAO to allow redemption of underlying ETH. This approach would preserve Aave’s mainnet positions but invalidate Layer2 rsETH, damaging LayerZero’s cross-chain credibility. Potential solutions include: - A universal 18.5% haircut on all rsETH holders, causing significant Aave bad debt. - Writing off Layer2 rsETH entirely, protecting Aave mainnet but harming LayerZero and Kelp DAO. - Negotiating a bounty with the hacker for partial fund return. - A joint bailout, possibly led by LayerZero’s ecosystem fund, given its long-term stake in the cross-chain ecosystem. The situation remains unresolved as the parties negotiate, but prolonged delay risks broader DeFi instability, including potential liquidity crises and loss of confidence in LRT and cross-chain infrastructures.

Odaily星球日报04/20 08:52

The $290 Million Deficit: A Three-Way Game Between Aave, L0, and Kelp—Who Should Foot the Bill?

Odaily星球日报04/20 08:52

活动图片