DeFi Hacked Again, Losing $292 Million: Is Even Aave No Longer Safe?

Odaily星球日报Опубликовано 2026-04-18Обновлено 2026-04-18

Введение

On April 19, DeFi suffered another major security breach, with liquid staking protocol Kelp DAO losing approximately 116,500 rsETH (worth around $292 million) due to an exploit in its LayerZero-based bridge contract. The attack originated from a compromised private key on the source chain, allowing the hacker to initiate unauthorized transfer via a single validator. The attacker used the stolen rsETH as collateral on lending platforms including Aave, Compound, and Euler to borrow more liquid assets like wETH, resulting in over $236 million in debt—$196 million from Aave alone. Aave quickly froze its rsETH markets and announced it would explore covering potential bad debt through its Umbrella safety module, which holds about $50 million in WETH. This incident follows a $280 million exploit on Solana’s Drift Protocol earlier in April, raising further concerns about DeFi security. Even established protocols like Aave are now indirectly exposed, prompting warnings for users to diversify holdings and limit exposure to smart contract risks. Investigations are ongoing.

Original | Odaily Planet Daily (@OdailyChina)

Author | Azuma (@azuma_eth)

On April 19th, Beijing time, DeFi security suffered another major blow.

On-chain data shows that around 1:35 this morning, the rsETH bridge contract of Kelp DAO, the second-largest liquid staking protocol based on LayerZero, was suspected to be exploited by hackers, resulting in a loss of 116,500 rsETH, valued at approximately $292 million.

Further tracing the on-chain records, the attacker's address received 1 ETH in initial funds from the mixing protocol Tornado Cash about 10 hours before the incident. Subsequently, this address called the lzReceive function on the LayerZero EndpointV2 contract. This call triggered Kelp's bridge contract, transferring 116,500 rsETH to another attacker address.

About two and a half hours after the incident, Kelp DAO officially confirmed the attack on X: "Earlier today, we detected suspicious cross-chain activity involving rsETH. During the investigation, we have paused the rsETH contracts on the mainnet and multiple Layer 2s. Our auditors are working with security experts from LayerZero and Unichain to closely monitor the situation. We will keep you updated on the latest developments. Please follow official channels."

After the incident, various DeFi projects and security agencies analyzed the cause. An analysis by D2 Finance was frequently cited within the community — LayerZero Scan marked the source's counterpart as Kelp DAO, meaning the message came from a legitimately deployed endpoint contract by Kelp itself, and this path had previously recorded 308 message nonces. Therefore, the root cause of this attack was a "compromise of the source chain private key."

Steven Enamakel, a developer at TinyHumans AI, added that the contract was secured by only a 1/1 validator set (DVN), meaning a single erroneous transaction from the validator was enough to cause the issue.

Hacker Escapes via Aave, Suspected Bad Debt Incurred

Due to the limited trading liquidity of rsETH itself, the hacker's chosen escape strategy was to route through lending protocols like Aave, using the stolen rsETH as collateral to borrow more liquid wETH.

According to monitoring by PeckShield Alert, as of 4:30 this morning, the hacker's address had deposited the stolen rsETH into lending protocols including Aave V3, Compound V3, and Euler, borrowing a significant amount of WETH, with a total debt exceeding $236 million — of which Aave alone accounted for $196 million, Compound $39.4 million, and Euler only $840,000.

Following the incident, Aave promptly froze the rsETH market on Aave V3 and V4. The team subsequently issued an official statement on X: "Aave contracts have NOT been exploited. The exploit is related to rsETH. Freezing rsETH is to prevent new rsETH deposits and borrowing against rsETH collateral while the situation is assessed. We are reviewing the borrows of rsETH that occurred on Aave post-exploit and will share more details as soon as possible."

Shortly after the initial statement, Aave updated the post, adding: "Should the protocol accrue bad debt from this incident, we will explore avenues to cover the shortfall."

As of the time of writing, the specific amount of bad debt caused by this incident is still unclear.

monetsupply.eth, Head of Strategy at Aave's direct competitor Spark, stated that if rsETH experiences a 19% devaluation (the stolen amount represents 19% of the total rsETH supply), Aave could potentially incur over $100 million in bad debt due to highly leveraged recursive borrowing.

However, Marc Zeller, founder of the representative Aave governance team Aave Chan Initiative (ACI) (who has announced his departure from Aave in July due to governance disagreements), offered a different perspective. Zeller initially advised users to quickly withdraw WETH from Aave V3 to avoid losses and confirmed that the USDC and USDT markets on Aave were unaffected. In response to another user's speculation that "bad debt could reach hundreds of millions," he stated: "Far less than that figure."

But Marc Zeller also mentioned that it was time to test Umbrella in a real production environment. Umbrella refers to Aave's automatic safety module, essentially a pool of funds to handle bad debt. Users can deposit assets into it for higher incentives, but the pool also bears potential losses if the protocol incurs bad debt.

Aave protocol data shows that Umbrella currently holds approximately $50 million worth of WETH that could be used to address potential bad debt from this incident, but it is uncertain whether this will be sufficient to cover the shortfall.

Affected by this event, AAVE's price fell sharply by nearly 10% in the short term, trading at around 104.6 USDT at the time of writing.

Another Hundred-Million-Dollar Security Incident in April

This is not the first massive security incident this month.

As early as April 1st, the Solana ecosystem derivatives trading protocol Drift Protocol was attacked, losing up to $280 million (see 《April Fool's Joke? Drift Protocol Hacked for Over $280 Million, Possibly Becoming Solana Ecosystem's Second Largest DeFi Heist》).

Afterwards, Drift Protocol directly blamed "North Korean hackers" for the theft, but fortunately, institutions like Tether pledged $147.5 million for user compensation, giving users some hope for reimbursement.

Just over ten days later, another, even bigger hacking incident erupted. How will this one be resolved?

Is There Any Safe Place Left in DeFi?

Security issues in DeFi are intensifying.

On one hand, there are continuous hacking incidents; on the other, there are persistent security threats posed by AI like Mythos (refer to 《Odaily Interview with Yu Xian: How Does the Leak of Anthropic's Nuclear-Grade New Model Affect Crypto Security Offense and Defense?》). For DeFi users, the previous countermeasure was to concentrate funds towards well-audited, reputable top-tier protocols. But now, even a top-tier protocol like Aave, which retail users subconsciously considered extremely unlikely to have problems, is indirectly affected. Where can users move their funds?

Personally, it is currently not advisable to keep large amounts of funds on-chain. If there is a genuine need, please ensure proper diversification and isolation of positions.

As of the time of writing, many details about this incident remain unclear. Odaily will continue to follow the developments of the event. Please stay tuned.

Связанные с этим вопросы

QWhat was the total value of rsETH stolen in the Kelp DAO attack?

AThe attack resulted in the theft of 116,500 rsETH, valued at approximately $292 million.

QWhich lending protocol did the hacker use to borrow WETH using the stolen rsETH as collateral?

AThe hacker used Aave V3, Compound V3, and Euler to borrow WETH, with Aave V3 accounting for the largest debt of $196 million.

QWhat was identified as the root cause of the Kelp DAO bridge contract exploit?

AThe root cause was identified as a compromise of the source chain private key, allowing the attacker to send a malicious message from a legitimate Kelp-deployed endpoint contract.

QWhat is the name of Aave's automatic security module designed to cover potential bad debt, and how much WETH does it currently hold?

AAave's automatic security module is called Umbrella, and it currently holds approximately $50 million worth of WETH to cover potential bad debt from this incident.

QHow did Aave respond to the incident involving the hacker using its protocol?

AAave froze the rsETH market on its Aave V3 and V4 platforms to prevent new deposits and collateralized loans. The team also stated it would explore ways to cover any deficit if the protocol accumulated bad debt from the event.

Похожее

$292 Million KelpDAO Cross-Chain Bridge Hack: Who Should Foot the Bill?

On April 18, 2026, an attacker stole 116,500 rsETH (worth ~$292M) from KelpDAO’s cross-chain bridge in 46 minutes—the largest DeFi exploit of 2026. The stolen assets were deposited into Aave V3 as collateral, causing $177–200M in bad debt and triggering a cascade of losses across nine DeFi protocols. Aave’s TVL dropped by ~$6B overnight. This legal analysis argues that KelpDAO and LayerZero Labs share concurrent liability, with fault apportioned 60%/40%. KelpDAO negligently configured its bridge with a 1-of-1 decentralized verifier network (DVN)—a single point of failure—despite LayerZero’s explicit recommendation of a 2-of-3 setup. LayerZero, which operated the compromised DVN, failed to secure its RPC infrastructure against a known poisoning attack vector. Both protocols’ terms of service cap liability at $200 (KelpDAO) or $50 (LayerZero), but these limits are likely unenforceable due to unconscionability, gross negligence exceptions, and potential securities law invalidation (if rsETH is deemed a security under the Howey test). Aave’s governance also faces fiduciary duty claims for raising rsETH’s loan-to-value ratio to 93%—far above competitors’ 72–75%—without adequately assessing bridge risks, amplifying the systemic fallout. Practical recovery targets include LayerZero Labs (a registered Canadian entity), KelpDAO’s founders, auditors, and identifiable Aave governance delegates. The incident underscores escalating legal risks for DeFi protocols, infrastructure providers, and governance participants.

marsbit36 мин. назад

$292 Million KelpDAO Cross-Chain Bridge Hack: Who Should Foot the Bill?

marsbit36 мин. назад

Insider Trading in War: 5 People Involved, the Highest Earner Was Arrested

On April 24, the U.S. Department of Justice arrested U.S. Army Special Forces Staff Sergeant Gannon Ken Van Dyke for insider trading related to the capture of Venezuelan President Nicolás Maduro on January 3. Van Dyke allegedly profited over $400,000 by placing bets on a prediction market, Polymarket, using insider knowledge of the covert operation. According to the indictment, Van Dyke registered an account (0x31a5) on December 26 and made a series of bets predicting Maduro’s capture and U.S. military involvement in Venezuela. He withdrew most of his funds on the day of the operation and attempted to obscure his tracks by transferring assets through crypto and brokerage accounts. This case marks the first time the DOJ has prosecuted insider trading on Polymarket. PolyBeats had previously identified five suspicious accounts, including Van Dyke’s—the highest earner—in January. The other accounts, with profits ranging from $34,000 to $145,000, remain under unofficial scrutiny but have not been charged. Their lower profits, indirect access to information, and unclear legal boundaries may complicate prosecution. Polymarket has since strengthened its market integrity rules, explicitly prohibiting trading based on confidential or insider information. Van Dyke’s arrest, nearly four months after his trades, signals increased regulatory attention and the persistent traceability of blockchain-based transactions.

marsbit38 мин. назад

Insider Trading in War: 5 People Involved, the Highest Earner Was Arrested

marsbit38 мин. назад

Bitcoin HODLing Intensifies: LTH Supply Jumps 303,000 BTC

Bitcoin long-term holders (LTHs), defined as investors holding coins for over 155 days, have significantly increased their supply by 303,500 BTC over the past month, indicating a shift toward HODLing behavior. This contrasts with the net distribution observed in late 2025. Meanwhile, short-term holders and spot ETFs have seen reduced supply. However, the recent price rally to around $77,600 is primarily driven by futures market demand, not spot buying—a pattern to January's short-lived surge. Analysts warn of potential corrections if profit-taking occurs amid weak spot demand.

bitcoinist59 мин. назад

Bitcoin HODLing Intensifies: LTH Supply Jumps 303,000 BTC

bitcoinist59 мин. назад

Bitwise: Bullish on Bitcoin's Performance in the Second Half of the Year, AI and Regulation Will Spark a New Altcoin Season

Bitwise CIO Matt Hougan and Research Lead Ryan Rasmussen express strong bullish sentiment on Bitcoin's long-term prospects, suggesting that its $1 million price target may be too conservative. They argue Bitcoin serves a dual role: as digital gold and a potential global settlement asset, especially amid declining trust in traditional monetary systems. Despite a weak Q1 2026 where nearly all crypto assets and prices saw double-digit declines, the analysts remain optimistic due to strong forward-looking catalysts, including institutional adoption via Bitcoin ETFs from major firms like Morgan Stanley and Goldman Sachs. Geopolitical instability, such as Iran’s mention of using Bitcoin for international payments, increases the value of Bitcoin’s “out-of-the-money call option” as a non-political, global settlement currency. This enhances its appeal beyond a mere store of value. . Additionally, Hougan highlights that a clearer regulatory token framework under current SEC leadership, combined with AI efficiency gains and high-performance blockchains, could fuel a new “altseason” by late 2026. This may lead to a wave of legitimate, value-capturing token projects, unlike the earlier ICO boom. . Bitwise also announced an Avalanche ETF, citing its unique architecture and rapid growth in real-world asset (RWA) tokenization, which has surged 10x to nearly $30 billion in two years. The firm believes Layer 1 blockchains are still early in their growth cycle, with significant potential ahead.

marsbit1 ч. назад

Bitwise: Bullish on Bitcoin's Performance in the Second Half of the Year, AI and Regulation Will Spark a New Altcoin Season

marsbit1 ч. назад

Bitcoin Rally To Near $80K Fuels Sharp Sentiment Rebound Across Crypto Markets

Bitcoin's recent rally towards $80,000 has driven a significant rebound in crypto market sentiment, with the Fear & Greed Index jumping 14 points to 46—its highest level since January. Analysts note that over 300,000 BTC have shifted from short-term to long-term holders in the past month, signaling stronger investor conviction. However, the rally appears largely driven by perpetual futures speculation rather than spot market demand, raising concerns about sustainability. Retail participation also remains subdued, limiting further sentiment gains. While entities like Strategy (formerly MicroStrategy) continue accumulating BTC, weak spot interest could lead to a price correction if profit-taking occurs.

bitcoinist2 ч. назад

Bitcoin Rally To Near $80K Fuels Sharp Sentiment Rebound Across Crypto Markets