DeFi Hacked Again for $292 Million, Is Even Aave No Longer Safe?

marsbitPublicado em 2026-04-18Última atualização em 2026-04-18

Resumo

On April 19, a major DeFi security breach occurred, resulting in the loss of approximately $292 million. The attack targeted Kelp DAO’s rsETH bridge contract built on LayerZero, with 116,500 rsETH stolen. The attacker initiated the exploit using funds from Tornado Cash and manipulated the LayerZero EndpointV2 contract to transfer the assets. Kelp DAO confirmed the incident and temporarily paused rsETH contracts across multiple networks while collaborating with security experts for investigation. Initial analysis suggests the root cause was a compromised private key on the source chain, with the contract secured by only a 1/1 validator set, making it vulnerable to a single malicious transaction. The attacker used the stolen rsETH as collateral on lending platforms—including Aave, Compound, and Euler—to borrow more liquid assets like WETH, accumulating over $236 million in debt. Aave alone accounted for $196 million of this amount. In response, Aave froze its rsETH markets and stated it would explore covering potential bad debt through its Umbrella safety module, which holds around $50 million in WETH. This incident follows another large exploit earlier in April, where Drift Protocol on Solana lost $280 million. The repeated high-value attacks raise concerns about DeFi security, even affecting major protocols like Aave. Users are advised to exercise caution, diversify holdings, and limit exposure to on-chain protocols until more robust security measures are established.

Original | Odaily Planet Daily (@OdailyChina)

Author | Azuma (@azuma_eth)

On April 19th, Beijing time, DeFi security suffered another major blow.

On-chain data shows that around 1:35 this morning, the rsETH bridge contract of Kelp DAO, the second-largest liquid staking protocol, based on LayerZero, was suspected to be exploited by hackers, resulting in a loss of 116,500 rsETH, valued at approximately $292 million.

Further tracing the on-chain records, the attacker's address received 1 ETH in initial funds from the mixing protocol Tornado Cash about 10 hours before the incident. Subsequently, this address called the lzReceive function on the LayerZero EndpointV2 contract. This call triggered Kelp's bridge contract, transferring 116,500 rsETH to another attacker address.

Approximately 2.5 hours after the incident, Kelp DAO officially confirmed the attack on X: "Earlier today, we detected suspicious cross-chain activity involving rsETH. During the investigation, we have suspended the rsETH contracts on the mainnet and multiple Layer 2s. Our auditors are working with security experts from LayerZero and Unichain to closely monitor the situation. We will keep you updated on the latest developments. Please follow official channels."

After the incident, various DeFi projects and security agencies analyzed the cause. An analysis by D2 Finance was frequently cited within the community — LayerZero Scan marked the source's counterpart as Kelp DAO, meaning the message came from a legitimately deployed counterpart contract by Kelp itself, and this path had previously recorded 308 message nonces. Therefore, the root cause of this attack is a 'compromise of the source chain private key.'

Steven Enamakel, a developer at TinyHumans AI, added that the contract was secured by only a 1/1 validator set (DVN), meaning a single erroneous transaction from the validator was sufficient to cause the issue.

Hacker Escapes via Aave, Suspected Bad Debt Incurred

Due to the limited trading liquidity of rsETH itself, the hacker's chosen escape strategy was to route through lending protocols like Aave, using rsETH as collateral to borrow more liquid wETH.

Monitoring by PeckShield Alert showed that as of 4:30 this morning, the hacker's address had deposited the stolen rsETH into lending protocols including Aave V3, Compound V3, and Euler, borrowing a large amount of WETH, with a total debt exceeding $236 million — of which Aave alone accounted for $196 million, Compound $39.4 million, and Euler only $840,000.

Following the incident, Aave promptly froze the rsETH market on Aave V3 and V4. The team subsequently issued an official statement on X: "Aave's contracts were not attacked; this attack is related to rsETH. Freezing rsETH is to prevent new rsETH deposits and collateral borrowing while the situation is assessed. We are reviewing the rsETH borrowing information on Aave that occurred after the attack and will share more details as soon as possible."

Shortly after the initial statement, Aave updated the post, adding: "If the protocol accumulates bad debt due to this incident, we will explore avenues to cover the deficit."

As of writing, the specific amount of bad debt caused by this incident is still unclear.

monetsupply.eth, Head of Strategy at Aave's direct competitor Spark, stated that if rsETH experiences a 19% discount (the stolen amount represents 19% of the total rsETH supply), Aave could potentially incur over $100 million in bad debt due to highly leveraged recursive borrowing.

However, Marc Zeller, founder of the representative Aave governance team Aave Chan Initiative (ACI) (who has announced he will leave Aave in July due to governance disagreements), offered a different perspective. Zeller initially advised users to quickly withdraw WETH from Aave V3 to avoid losses and confirmed that the USDC and USDT markets on Aave were unaffected. In response to another user's speculation that 'bad debt could reach hundreds of millions,' he stated: 'Far less than that figure.'

But Marc Zeller also mentioned that it was time to test Umbrella in a real production environment. Umbrella refers to Aave's automatic security module, essentially a pool of funds to handle bad debt. Users can deposit assets into it for higher incentives, but the pool also bears potential losses if the protocol incurs bad debt.

Aave protocol data shows that Umbrella currently holds approximately $50 million worth of WETH that could be used to address potential bad debt from this incident, but it is uncertain whether this will be sufficient to cover the shortfall.

Affected by this event, AAVE's price fell sharply by nearly 10%, trading at around 104.6 USDT at the time of writing.

Another Hundred-Million-Dollar Security Incident in April

This is not the first major security incident this month.

As early as April 1st, the Solana生态衍生品交易协议 Drift Protocol was attacked, losing up to $280 million (see 《April Fool's Joke? Drift Protocol Hacked for Over $280 Million, Possibly Becoming Solana's Second-Largest DeFi Heist》).

Afterwards, Drift Protocol directly blamed the hack on "North Korean hackers," but fortunately, institutions like Tether pledged $147.5 million for user compensation, giving users some hope for reimbursement.

Just over ten days later, another, larger hack occurred. How will this one be resolved?

Is There Any Safe Place Left in DeFi?

Security issues in DeFi are intensifying.

On one hand, there are continuous hacking incidents; on the other, there are persistent security threats posed by AI like Mythos (refer to 《Odaily Interview with Yu Xian: How Does the Leak of Anthropic's Nuclear-Grade New Model Affect Crypto Security Offense and Defense?》). For DeFi users, the previous countermeasure was to concentrate funds towards well-audited, reputable top-tier protocols. But now, even top-tier protocols like Aave, which retail users subconsciously considered extremely unlikely to have problems, are indirectly affected. Where can users move their funds?

Personally, it is currently not advisable for users to keep large amounts of funds on-chain. If there is a genuine need, please ensure proper diversification and isolation of positions.

As of writing, many details regarding this incident remain unclear. Odaily will continue to follow the developments. Please stay tuned.

Perguntas relacionadas

QWhat was the total value of rsETH stolen in the Kelp DAO attack?

AThe attack resulted in the loss of 116,500 rsETH, valued at approximately $292 million.

QWhich lending protocol did the hacker use to borrow WETH using the stolen rsETH as collateral?

AThe hacker used Aave V3, Compound V3, and Euler to borrow WETH, with Aave V3 accounting for the largest debt of $196 million.

QWhat was the suspected root cause of the Kelp DAO bridge contract exploit according to D2 Finance's analysis?

AThe root cause was identified as a compromise of the source chain private key, allowing the attacker to send a malicious message from a legitimate Kelp DAO endpoint contract.

QWhat mechanism does Aave have to cover potential bad debt from this incident, and how much capital is currently available in it?

AAave has an automatic security module called Umbrella, which currently holds about $50 million in WETH to cover potential bad debt, though it's uncertain if this will be sufficient.

QHow did Aave respond immediately after the attack was discovered?

AAave froze the rsETH markets on Aave V3 and V4 to prevent new deposits and collateralized borrowing, and announced they were assessing the situation and exploring ways to cover any resulting bad debt.

Leituras Relacionadas

Crypto Regulation: Polish Parliament Fails To Overturn Presidential Veto Again

Poland's Parliament has again failed to override President Karol Narcowski's veto of the Crypto Asset Market Act, which aimed to align national regulations with the EU's MICA framework. The vote fell short of the required majority, marking the second unsuccessful attempt to pass the legislation. The President has consistently opposed the bill, citing overregulation, ambiguity, and increased burdens on small businesses. Government ministers criticized the veto, with the Finance Minister warning that the lack of regulation fosters a risky environment for investors. Prime Minister Donald Tusk also accused Poland's largest crypto exchange, Zondacrypto, of having alleged ties to Russian intelligence and funding opposition politicians, linking these concerns to the legislative push. The government has vowed to continue its efforts to pass the bill.

bitcoinistHá 4m

Crypto Regulation: Polish Parliament Fails To Overturn Presidential Veto Again

bitcoinistHá 4m

Hong Kong Crypto Scam Shock: Woman Loses Nearly $1 Million As AI Fraud Surges

Hong Kong Crypto Scam Shock: Woman Loses Nearly $1 Million As AI Fraud Surges A Hong Kong woman lost HK$7.7 million (approximately $982,000) after being lured into a fraudulent cryptocurrency investment platform. The scam began on Telegram, where a person posing as an investment expert promoted an AI-powered trading strategy with guaranteed returns. After making 17 transfers of USDT and Ethereum, the victim was unable to withdraw her funds. Hong Kong Police have reported a significant surge in such online investment fraud, with over 80 cases recorded in a single week, totaling losses of nearly HK$80 million. Authorities warn that scammers are increasingly using sophisticated tactics, including promises of "AI trading" and "guaranteed profits," to appear credible. This follows a similar incident last month where a retiree lost HK$6.6 million in a multi-stage scam. Police urge the public to be cautious of unsolicited investment advice and to verify platforms through the official CyberDefender service before transferring any money. They emphasize that no legitimate investment can guarantee returns. Investigations are ongoing.

bitcoinistHá 4h

Hong Kong Crypto Scam Shock: Woman Loses Nearly $1 Million As AI Fraud Surges

bitcoinistHá 4h

a16z New Article: Prediction Markets Entering the Fast-Forward Phase

Prediction markets are evolving from niche tools focused on elections and sports into a broader financial infrastructure for pricing real-world uncertainty. Key shifts include: application expansion beyond sports into entertainment, macro, and CPI markets; the creation of direct price benchmarks for events (e.g., tariffs, Fed decisions), enabling precise hedging without correlated asset risks; and growing institutional adoption, though still early-stage. While sports drive volume, long-tail markets show faster growth. Current institutional use is primarily for data, but progression toward system integration and active trading is expected. Regulatory advancements, like margin trading, are critical for scaling. The market is transitioning toward an essential, institutional-grade tool, similar to the evolution of options markets.

marsbitHá 6h

a16z New Article: Prediction Markets Entering the Fast-Forward Phase

marsbitHá 6h

Kyrgyzstan President Meets Justin Sun, Tron Collaborates with Kyrgyzstan to Build a New Digital Economy Landscape in Central Asia

Justin Sun, founder of TRON, met with Kyrgyzstan President Sadyr Japarov in Bishkek to discuss digital financial transformation, virtual asset regulation, and TRON’s strategic expansion into Central Asia. This marks TRON's first major partnership in the region. President Japarov emphasized Kyrgyzstan’s goal to become a regional hub for virtual assets and Web3 technologies, aligning with TRON’s strengths in high-throughput, low-cost stablecoin infrastructure. Sun expressed TRON’s commitment to supporting this vision through concrete projects. Japarov also highlighted the work of the National Committee for Virtual Assets and Blockchain Development, which he chairs. The committee has advanced initiatives including exploring a national stablecoin, testing a CBDC, and developing a regulatory sandbox. The meeting underscores growing international interest in Kyrgyzstan’s digital economy strategy.

marsbitHá 6h

Kyrgyzstan President Meets Justin Sun, Tron Collaborates with Kyrgyzstan to Build a New Digital Economy Landscape in Central Asia

marsbitHá 6h

TechFlow Intelligence Bureau: KelpDAO Attack Causes Nearly $300 Million Loss, Triggers Aave Withdrawal Wave, RAVE Crashes 95% in a Single Day

China's AI firm DeepSeek is seeking external funding for the first time, with a valuation exceeding $10 billion, signaling intensifying competition and high R&D costs in the domestic large model sector. Meanwhile, OpenAI CEO Sam Altman faces scrutiny over potential conflicts of interest between his personal investments and OpenAI’s business ahead of a possible IPO. In Web3, KelpDAO suffered a $294 million attack due to forged cross-chain messages on LayerZero, leading to massive withdrawals from Aave and a resulting 18% drop in AAVE tokens. Separately, RAVE cryptocurrency collapsed by 95% in a single day amid suspected insider manipulation. Geopolitically, Iran is now demanding Bitcoin payments for transit through the Strait of Hormuz, reflecting both internal governmental discord and the growing adoption of crypto in tense regions. In semiconductors, Nvidia CEO Jensen Huang showed rare public frustration over questions regarding chip sales to China, while the industry faces renewed price hikes. Tesla continues expanding its Robotaxi service, and a Chinese humanoid robot outperformed humans in a half-marathon, marking a milestone in robotics. Despite Middle East tensions and market uncertainties, U.S. stocks continue to rise, prompting discussions about market optimism versus risk blindness. Overall, today’s developments highlight systemic vulnerabilities—in tech, finance, and geopolitics—while also showcasing innovation in crises.

marsbitHá 6h

TechFlow Intelligence Bureau: KelpDAO Attack Causes Nearly $300 Million Loss, Triggers Aave Withdrawal Wave, RAVE Crashes 95% in a Single Day

marsbitHá 6h

Trading

Spot
Futuros
活动图片

Categorias popularesright-arrow

Etiquetas Popularesright-arrow