# Сопутствующие статьи по теме Exploit

Новостной центр HTX предлагает последние статьи и углубленный анализ по "Exploit", охватывающие рыночные тренды, новости проектов, развитие технологий и политику регулирования в криптоиндустрии.

Kelp DAO Hack: Aave DAO Proposes To Contribute 25,000 ETH To Recovery Efforts

Aave DAO has proposed contributing 25,000 ETH from its treasury to a coordinated recovery effort following a major exploit on Kelp DAO. The attack, which occurred on April 18, targeted Kelp's rsETH Ethereum LayerZero adapter, resulting in a loss of approximately 163,183 ETH. Through frozen assets, recovered funds, and expected liquidations, over half the deficit has been covered, but a gap of roughly 75,081 ETH remains. A coalition named "DeFi United," including pledges from EtherFi, Lido, Ethena, and a credit line from Mantle, is mobilizing to restore the system. Aave's anchored contribution is a key part of this effort to reintroduce liquidity and fully back the affected tokens.

bitcoinist04/25 15:02

Kelp DAO Hack: Aave DAO Proposes To Contribute 25,000 ETH To Recovery Efforts

bitcoinist04/25 15:02

Contract Audit Passed, Thermometer Did Not: Polymarket's 'Physical Vulnerability' Moment

According to reports, an individual manipulated temperature sensors at Paris Charles de Gaulle Airport (LFPG) on April 6th and 15th, causing brief, anomalous spikes of over 3°C. These events were allegedly orchestrated to profit from corresponding low-probability bets on the prediction market Polymarket, turning a small investment into approximately $34,000. The French national meteorological service, Météo-France, filed a criminal lawsuit after discovering signs of physical tampering. The attack required minimal technical skill; the perpetrator reportedly used a battery-powered hairdryer to briefly heat the publicly accessible sensor. Polymarket’s market for Paris temperature settles based on the day's highest recorded temperature from a data chain that runs from the physical sensor to Météo-France, to Weather Underground, and finally to its smart contract. In response, Polymarket did not void the profits or make an official statement. It silently changed the data source for its Paris market from LFPG to Le Bourget Airport (LFPB), a location with similarly unprotected sensors. This incident highlights a critical vulnerability: while the smart contracts are audited and secure, the physical data sources feeding them remain exposed and easy to manipulate.

marsbit04/23 04:39

Contract Audit Passed, Thermometer Did Not: Polymarket's 'Physical Vulnerability' Moment

marsbit04/23 04:39

After AAVE Was Hit, What Did Spark Do Right to Attract $1.3 Billion Against the Trend?

Amid a $15.1 billion liquidity crisis at Aave triggered by a cross-chain vulnerability involving rsETH, which led to $200 million in bad debt, Spark Protocol emerged as a safe haven, attracting $1.3 billion in inflows. Spark’s TVL surged to $4.74 billion, with ETH deposit rates spiking to 130% due to high demand and scarce liquidity. Spark’s resilience stemmed from its conservative governance and multi-layered risk framework. Unlike Aave, which aggressively listed rsETH to boost capital efficiency, Spark had proactively delisted the asset months earlier, avoiding exposure. The protocol employs strict rate-limited caps, higher interest rate buffers, and a modular isolation architecture to mitigate risks. These measures prevent over-concentration, ensure liquidity during stress, and attract arbitrage capital during high utilization. The shift from Aave to Spark signals a market preference for security over yield, underscoring the importance of disciplined risk management in DeFi.

marsbit04/22 11:51

After AAVE Was Hit, What Did Spark Do Right to Attract $1.3 Billion Against the Trend?

marsbit04/22 11:51

Cardano Founder Warns KelpDAO Hack Exposes Ethereum’s Weakest Link

Cardano founder Charles Hoskinson argues that the $292 million KelpDAO exploit reveals a critical systemic flaw in Ethereum's DeFi ecosystem, rather than just a simple bridge failure. He emphasizes that the core issue was not a smart contract vulnerability, but a failure in cross-chain message verification. Specifically, a single-verifier setup allowed a forged message to be accepted, leading to the theft of 116,500 rsETH. Hoskinson warns that the attack’s true danger emerged when the stolen assets were used as collateral in lending markets, creating widespread bad debt contagion and triggering a liquidity crisis that caused up to $13 billion in withdrawals across multiple protocols. He calls for a broader industry discussion on bridge security and verifier design to prevent similar systemic risks.

bitcoinist04/22 06:33

Cardano Founder Warns KelpDAO Hack Exposes Ethereum’s Weakest Link

bitcoinist04/22 06:33

Arbitrum Freezes $71M ETH Linked to Kelp Hack, Sparks Decentralization Debate

Arbitrum, an Ethereum layer-2 blockchain, froze 30,766 ETH (worth over $71.2 million) linked to the recent Kelp protocol exploit. The freeze was executed by a 12-member security council appointed by the Arbitrum community, moving the funds to an intermediary wallet accessible only through further governance action. The hack, which occurred on Saturday, resulted in at least $293 million in losses and was attributed to North Korea by LayerZero. The incident has reignited debates about decentralization, as some critics argue such freezes contradict blockchain’s core principles, while others support them for security. The council reportedly spent hours deliberating the decision, which was approved by 9 of its 12 members.

TheNewsCrypto04/21 09:05

Arbitrum Freezes $71M ETH Linked to Kelp Hack, Sparks Decentralization Debate

TheNewsCrypto04/21 09:05

LayerZero Breaks Silence On $290 Million KelpDAO Crypto Exploit

LayerZero has addressed the $290 million exploit affecting KelpDAO's rsETH, asserting it was not a protocol failure but a result of KelpDAO's decision to use a single-DVN (Decentralized Verifier Network) configuration. The company claims the attack was isolated to this specific setup and confirms no contagion risk to other assets or applications. Preliminary analysis suggests the attack was executed by a sophisticated state actor, likely North Korea's Lazarus Group. The method involved poisoning RPC infrastructure used by the LayerZero Labs DVN, swapping binaries on compromised nodes, and using DDoS attacks to force traffic to the malicious infrastructure. However, LayerZero states its least-privilege principles prevented a direct compromise. The exploit was only possible due to KelpDAO's 1-of-1 verifier setup, which contradicts LayerZero's recommended multi-DVN redundancy model. A properly configured system with multiple independent DVNs would have prevented the attack. LayerZero has deprecated affected nodes, restored its DVN, and will no longer support 1/1 configurations. Aave has frozen rsETH and WETH reserves on its platforms as a precaution while confirming rsETH on Ethereum mainnet remains fully backed.

bitcoinist04/20 15:01

LayerZero Breaks Silence On $290 Million KelpDAO Crypto Exploit

bitcoinist04/20 15:01

The $290 Million Deficit: A Three-Way Game Between Aave, L0, and Kelp—Who Should Foot the Bill?

An incident involving the theft of 116,500 rsETH (worth approximately $290 million) from Kelp DAO’s cross-chain bridge contract has triggered a complex dispute over responsibility and compensation among Kelp DAO, LayerZero, and Aave. The attack occurred due to a compromised RPC provider used by LayerZero’s Decentralized Verifier Network (DVN). Since Kelp DAO’s bridge used a 1/1 DVN configuration—a single point of failure—the attacker successfully forged a cross-chain message, leading to the unauthorized release of rsETH tokens from the mainnet. These genuine tokens were then deposited into Aave and other lending platforms to borrow WETH, enabling the attacker to exit with the funds. Responsibility is attributed primarily to Kelp DAO for its risky 1/1 DVN setup. LayerZero bears secondary responsibility for permitting such a vulnerable configuration in its protocol layer. Aave also shares indirect blame for over-collateralizing rsETH and other Liquid Restaking Token (LRT) assets without adequate ongoing risk oversight. Kelp DAO lacks sufficient funds to cover the loss, shifting focus to the deeper-pocketed players: LayerZero, whose cross-chain ecosystem and reputation are at risk, and Aave, which faces massive bad loans and declining Total Value Locked (TVL). Aave has asserted that mainnet rsETH remains fully backed, implying it expects Kelp DAO to allow redemption of underlying ETH. This approach would preserve Aave’s mainnet positions but invalidate Layer2 rsETH, damaging LayerZero’s cross-chain credibility. Potential solutions include: - A universal 18.5% haircut on all rsETH holders, causing significant Aave bad debt. - Writing off Layer2 rsETH entirely, protecting Aave mainnet but harming LayerZero and Kelp DAO. - Negotiating a bounty with the hacker for partial fund return. - A joint bailout, possibly led by LayerZero’s ecosystem fund, given its long-term stake in the cross-chain ecosystem. The situation remains unresolved as the parties negotiate, but prolonged delay risks broader DeFi instability, including potential liquidity crises and loss of confidence in LRT and cross-chain infrastructures.

Odaily星球日报04/20 08:52

The $290 Million Deficit: A Three-Way Game Between Aave, L0, and Kelp—Who Should Foot the Bill?

Odaily星球日报04/20 08:52

Kelp DAO Suffers $292 Million rsETH Exploit – Details

Kelp DAO has suffered a major cross-chain exploit resulting in the loss of approximately 116,500 rsETH, valued at nearly $292 million. The attack targeted a vulnerability in the protocol's cross-chain bridge mechanism, specifically through LayerZero’s EndpointV2. On-chain investigator ZachXBT first identified the breach, noting that the attacker used Tornado Cash to conceal funding sources. In response, Kelp DAO immediately paused all rsETH contracts across mainnet and Layer-2 networks, preventing two additional attempts to drain another $100 million in assets. The protocol is collaborating with LayerZero and Unichain for a full investigation. The incident has impacted the broader DeFi ecosystem, leading Aave to freeze rsETH markets on its V3 and V4 deployments as a precaution, though its own contracts remain secure. The stolen rsETH represents around 18% of its circulating supply, significantly damaging liquidity and user confidence.

bitcoinist04/19 22:33

Kelp DAO Suffers $292 Million rsETH Exploit – Details

bitcoinist04/19 22:33

DeFi Hacked Again for $292 Million, Is Even Aave No Longer Safe?

On April 19, a major DeFi security breach occurred, resulting in the loss of approximately $292 million. The attack targeted Kelp DAO’s rsETH bridge contract built on LayerZero, with 116,500 rsETH stolen. The attacker initiated the exploit using funds from Tornado Cash and manipulated the LayerZero EndpointV2 contract to transfer the assets. Kelp DAO confirmed the incident and temporarily paused rsETH contracts across multiple networks while collaborating with security experts for investigation. Initial analysis suggests the root cause was a compromised private key on the source chain, with the contract secured by only a 1/1 validator set, making it vulnerable to a single malicious transaction. The attacker used the stolen rsETH as collateral on lending platforms—including Aave, Compound, and Euler—to borrow more liquid assets like WETH, accumulating over $236 million in debt. Aave alone accounted for $196 million of this amount. In response, Aave froze its rsETH markets and stated it would explore covering potential bad debt through its Umbrella safety module, which holds around $50 million in WETH. This incident follows another large exploit earlier in April, where Drift Protocol on Solana lost $280 million. The repeated high-value attacks raise concerns about DeFi security, even affecting major protocols like Aave. Users are advised to exercise caution, diversify holdings, and limit exposure to on-chain protocols until more robust security measures are established.

marsbit04/18 23:31

DeFi Hacked Again for $292 Million, Is Even Aave No Longer Safe?

marsbit04/18 23:31

DeFi Hacked Again, Losing $292 Million: Is Even Aave No Longer Safe?

On April 19, DeFi suffered another major security breach, with liquid staking protocol Kelp DAO losing approximately 116,500 rsETH (worth around $292 million) due to an exploit in its LayerZero-based bridge contract. The attack originated from a compromised private key on the source chain, allowing the hacker to initiate unauthorized transfer via a single validator. The attacker used the stolen rsETH as collateral on lending platforms including Aave, Compound, and Euler to borrow more liquid assets like wETH, resulting in over $236 million in debt—$196 million from Aave alone. Aave quickly froze its rsETH markets and announced it would explore covering potential bad debt through its Umbrella safety module, which holds about $50 million in WETH. This incident follows a $280 million exploit on Solana’s Drift Protocol earlier in April, raising further concerns about DeFi security. Even established protocols like Aave are now indirectly exposed, prompting warnings for users to diversify holdings and limit exposure to smart contract risks. Investigations are ongoing.

Odaily星球日报04/18 23:24

DeFi Hacked Again, Losing $292 Million: Is Even Aave No Longer Safe?