DeFi Hacked Again, Losing $292 Million: Is Even Aave No Longer Safe?

Odaily星球日报Опубліковано о 2026-04-18Востаннє оновлено о 2026-04-18

Анотація

On April 19, DeFi suffered another major security breach, with liquid staking protocol Kelp DAO losing approximately 116,500 rsETH (worth around $292 million) due to an exploit in its LayerZero-based bridge contract. The attack originated from a compromised private key on the source chain, allowing the hacker to initiate unauthorized transfer via a single validator. The attacker used the stolen rsETH as collateral on lending platforms including Aave, Compound, and Euler to borrow more liquid assets like wETH, resulting in over $236 million in debt—$196 million from Aave alone. Aave quickly froze its rsETH markets and announced it would explore covering potential bad debt through its Umbrella safety module, which holds about $50 million in WETH. This incident follows a $280 million exploit on Solana’s Drift Protocol earlier in April, raising further concerns about DeFi security. Even established protocols like Aave are now indirectly exposed, prompting warnings for users to diversify holdings and limit exposure to smart contract risks. Investigations are ongoing.

Original | Odaily Planet Daily (@OdailyChina)

Author | Azuma (@azuma_eth)

On April 19th, Beijing time, DeFi security suffered another major blow.

On-chain data shows that around 1:35 this morning, the rsETH bridge contract of Kelp DAO, the second-largest liquid staking protocol based on LayerZero, was suspected to be exploited by hackers, resulting in a loss of 116,500 rsETH, valued at approximately $292 million.

Further tracing the on-chain records, the attacker's address received 1 ETH in initial funds from the mixing protocol Tornado Cash about 10 hours before the incident. Subsequently, this address called the lzReceive function on the LayerZero EndpointV2 contract. This call triggered Kelp's bridge contract, transferring 116,500 rsETH to another attacker address.

About two and a half hours after the incident, Kelp DAO officially confirmed the attack on X: "Earlier today, we detected suspicious cross-chain activity involving rsETH. During the investigation, we have paused the rsETH contracts on the mainnet and multiple Layer 2s. Our auditors are working with security experts from LayerZero and Unichain to closely monitor the situation. We will keep you updated on the latest developments. Please follow official channels."

After the incident, various DeFi projects and security agencies analyzed the cause. An analysis by D2 Finance was frequently cited within the community — LayerZero Scan marked the source's counterpart as Kelp DAO, meaning the message came from a legitimately deployed endpoint contract by Kelp itself, and this path had previously recorded 308 message nonces. Therefore, the root cause of this attack was a "compromise of the source chain private key."

Steven Enamakel, a developer at TinyHumans AI, added that the contract was secured by only a 1/1 validator set (DVN), meaning a single erroneous transaction from the validator was enough to cause the issue.

Hacker Escapes via Aave, Suspected Bad Debt Incurred

Due to the limited trading liquidity of rsETH itself, the hacker's chosen escape strategy was to route through lending protocols like Aave, using the stolen rsETH as collateral to borrow more liquid wETH.

According to monitoring by PeckShield Alert, as of 4:30 this morning, the hacker's address had deposited the stolen rsETH into lending protocols including Aave V3, Compound V3, and Euler, borrowing a significant amount of WETH, with a total debt exceeding $236 million — of which Aave alone accounted for $196 million, Compound $39.4 million, and Euler only $840,000.

Following the incident, Aave promptly froze the rsETH market on Aave V3 and V4. The team subsequently issued an official statement on X: "Aave contracts have NOT been exploited. The exploit is related to rsETH. Freezing rsETH is to prevent new rsETH deposits and borrowing against rsETH collateral while the situation is assessed. We are reviewing the borrows of rsETH that occurred on Aave post-exploit and will share more details as soon as possible."

Shortly after the initial statement, Aave updated the post, adding: "Should the protocol accrue bad debt from this incident, we will explore avenues to cover the shortfall."

As of the time of writing, the specific amount of bad debt caused by this incident is still unclear.

monetsupply.eth, Head of Strategy at Aave's direct competitor Spark, stated that if rsETH experiences a 19% devaluation (the stolen amount represents 19% of the total rsETH supply), Aave could potentially incur over $100 million in bad debt due to highly leveraged recursive borrowing.

However, Marc Zeller, founder of the representative Aave governance team Aave Chan Initiative (ACI) (who has announced his departure from Aave in July due to governance disagreements), offered a different perspective. Zeller initially advised users to quickly withdraw WETH from Aave V3 to avoid losses and confirmed that the USDC and USDT markets on Aave were unaffected. In response to another user's speculation that "bad debt could reach hundreds of millions," he stated: "Far less than that figure."

But Marc Zeller also mentioned that it was time to test Umbrella in a real production environment. Umbrella refers to Aave's automatic safety module, essentially a pool of funds to handle bad debt. Users can deposit assets into it for higher incentives, but the pool also bears potential losses if the protocol incurs bad debt.

Aave protocol data shows that Umbrella currently holds approximately $50 million worth of WETH that could be used to address potential bad debt from this incident, but it is uncertain whether this will be sufficient to cover the shortfall.

Affected by this event, AAVE's price fell sharply by nearly 10% in the short term, trading at around 104.6 USDT at the time of writing.

Another Hundred-Million-Dollar Security Incident in April

This is not the first massive security incident this month.

As early as April 1st, the Solana ecosystem derivatives trading protocol Drift Protocol was attacked, losing up to $280 million (see 《April Fool's Joke? Drift Protocol Hacked for Over $280 Million, Possibly Becoming Solana Ecosystem's Second Largest DeFi Heist》).

Afterwards, Drift Protocol directly blamed "North Korean hackers" for the theft, but fortunately, institutions like Tether pledged $147.5 million for user compensation, giving users some hope for reimbursement.

Just over ten days later, another, even bigger hacking incident erupted. How will this one be resolved?

Is There Any Safe Place Left in DeFi?

Security issues in DeFi are intensifying.

On one hand, there are continuous hacking incidents; on the other, there are persistent security threats posed by AI like Mythos (refer to 《Odaily Interview with Yu Xian: How Does the Leak of Anthropic's Nuclear-Grade New Model Affect Crypto Security Offense and Defense?》). For DeFi users, the previous countermeasure was to concentrate funds towards well-audited, reputable top-tier protocols. But now, even a top-tier protocol like Aave, which retail users subconsciously considered extremely unlikely to have problems, is indirectly affected. Where can users move their funds?

Personally, it is currently not advisable to keep large amounts of funds on-chain. If there is a genuine need, please ensure proper diversification and isolation of positions.

As of the time of writing, many details about this incident remain unclear. Odaily will continue to follow the developments of the event. Please stay tuned.

Пов'язані питання

QWhat was the total value of rsETH stolen in the Kelp DAO attack?

AThe attack resulted in the theft of 116,500 rsETH, valued at approximately $292 million.

QWhich lending protocol did the hacker use to borrow WETH using the stolen rsETH as collateral?

AThe hacker used Aave V3, Compound V3, and Euler to borrow WETH, with Aave V3 accounting for the largest debt of $196 million.

QWhat was identified as the root cause of the Kelp DAO bridge contract exploit?

AThe root cause was identified as a compromise of the source chain private key, allowing the attacker to send a malicious message from a legitimate Kelp-deployed endpoint contract.

QWhat is the name of Aave's automatic security module designed to cover potential bad debt, and how much WETH does it currently hold?

AAave's automatic security module is called Umbrella, and it currently holds approximately $50 million worth of WETH to cover potential bad debt from this incident.

QHow did Aave respond to the incident involving the hacker using its protocol?

AAave froze the rsETH market on its Aave V3 and V4 platforms to prevent new deposits and collateralized loans. The team also stated it would explore ways to cover any deficit if the protocol accumulated bad debt from the event.

Пов'язані матеріали

After 50x Storage Surge, Justin Sun Always Looks to the Next Decade

Sun Yuchen, known for his controversial stunts like a $30 million lunch with Warren Buffett (canceled due to a kidney stone) and eating a $6.2 million duct-taped banana, is often overshadowed by a significant fact: his decade-long track record of spotting major investment trends. In 2016, he famously advised young people to invest in Bitcoin, Nvidia, Tesla, and Tencent instead of buying property. A hypothetical $20,000 investment in Nvidia and Tesla from that list would now be worth over 50 million RMB. His latest major call was on November 6, 2025, predicting a "50x storage opportunity" tied to the AI boom, which materialized with Sandisk's stock surging nearly 50-fold by 2026. Looking ahead, Sun now focuses on the next frontier: Physical AI. He identifies four key areas: 1. **Embodied AI/Robotics**: He sees this reaching its "iPhone moment," with companies like UBTech and Galaxy General leading in commercialization. 2. **Drones**: Viewed as the first commercially viable form of Physical AI, revolutionizing sectors from warfare (e.g., AeroVironment's Switchblade) to logistics. 3. **Spatial Computing**: Beyond VR, it's about AI understanding physical space, a foundational technology for robotics and autonomous systems, exemplified by Apple's Vision Pro. 4. **Space Exploration**: After a 2025 suborbital flight with Blue Origin, Sun advocates for space as the ultimate frontier, discussing blockchain's potential role in space asset management and data transactions. His investment philosophy involves betting on entire, inevitable trends rather than single companies. For robotics, he sees Tesla (the body/manufacturer) and Nvidia (the brain/AI platform) as complementary plays. In defense drones, he highlights companies making tanks obsolete (AeroVironment) and those augmenting fighter jets (Kratos). For space, he participated in Blue Origin's flight and anticipates SpaceX's potential IPO to redefine the sector's valuation. Sun Yuchen's vision frames the next two decades not as a revolution in information flow (like the internet), but in the fundamental operation of the physical world through AI-powered robots, autonomous systems, and spatial intelligence, ultimately extending human and AI activity into space. While many still focus on conventional assets, he continues to look toward the next technological horizon.

marsbit38 хв тому

After 50x Storage Surge, Justin Sun Always Looks to the Next Decade

marsbit38 хв тому

The Billionaires Behind the Most Expensive Midterm Election in History

"The Most Expensive Midterm Elections and Their Billionaire Backers" This analysis details the unprecedented scale of spending in the 2026 midterm elections, highlighting the key billionaire donors shaping the political landscape. Jeff Yass, founder of Susquehanna International Group, has contributed over $81 million, ranking third among individual donors behind George Soros ($102.6M) and Elon Musk ($84.8M). Yass is a major donor to Trump's MAGA Inc. and supports school choice and various candidates. Overall, federal committees have raised over $4.7 billion this cycle, with political ad spending projected to reach $10.8 billion. Republican-aligned groups are significantly out-raising their Democratic counterparts. "Dark money" from undisclosed sources continues to grow. The core stakes involve control of Congress and policy direction for Trump's final term. Donors are also motivated by specific issues: Sergey Brin and Chris Larsen are funding opposition to a proposed California wealth tax and supporting crypto-friendly policies. Other top donors include OpenAI's Greg Brockman and his wife Anna ($50M total to MAGA Inc. and an AI-focused PAC), Richard Uihlein ($45.3M to conservative causes), venture capitalists Marc Andreessen and Ben Horowitz (each over $44M to crypto/AI PACs and MAGA Inc.), Miriam Adelson ($42.6M to GOP leadership PACs), Paul Singer ($33.9M), and Diane Hendricks ($25.8M to MAGA Inc.). The article notes that the peak fundraising period is still ahead, with major primaries approaching.

marsbit41 хв тому

The Billionaires Behind the Most Expensive Midterm Election in History

marsbit41 хв тому

The Largest IPO in History Is Approaching, Surpassing SpaceX, 28 Years of AI Self-Iteration, Countdown to Intelligence Explosion

"Anthropic Nears Trillion-Dollar IPO, Fueled by Explosive Growth and 2028 'Intelligence Explosion' Warning Anthropic is considering a deal valuing the AI company near $1 trillion, potentially leading to one of the largest IPOs ever and surpassing SpaceX. Its revenue has skyrocketed, with Annual Recurring Revenue (ARR) reaching $45 billion in May 2026—a 500% increase in just five months. This vertical growth curve is attributed to its key products, Claude Code and Cowork, dominating AI coding and enterprise collaboration. Beyond commercial success, co-founder Jack Clark issued a pivotal warning in an interview: there is a greater than 50% chance that by the end of 2028, AI systems will achieve recursive self-improvement—the ability to autonomously build a 'better version' of themselves, initiating an 'intelligence explosion.' This prophecy underpins the company's astronomical valuation, as the market prices in the potential for transformative and disruptive AI. Further signaling its ambition, Anthropic formed a $1.5 billion joint venture with Goldman Sachs and Blackstone, aiming to disrupt traditional consulting firms like McKinsey by deploying Claude AI for complex strategic work. This move tests AI's capacity to replace high-level cognitive labor, a precursor to its predicted autonomous evolution. The narrative presents a dual future: unprecedented economic opportunity alongside significant risks like economic restructuring and security threats. Anthropic's meteoric rise and Clark's 2028 prediction frame the coming years as a countdown to a potential technological singularity."

marsbit52 хв тому

The Largest IPO in History Is Approaching, Surpassing SpaceX, 28 Years of AI Self-Iteration, Countdown to Intelligence Explosion

marsbit52 хв тому

The Exquisite Self-Interest of Former OpenAI CTO Murati: Personally Handing Over the Knife and Then Being the First to Seek Reconciliation

Court documents from Elon Musk's lawsuit reveal OpenAI's former CTO, Mira Murati, played a central and seemingly self-interested role in Sam Altman's November 2023 ouster and reinstatement. As early as 2022, she complained to Altman about his shifting priorities and pressure to prioritize revenue. By 2023, she privately supplied co-founder Ilya Sutskever with extensive internal evidence against Altman, which became a key 52-page memo for the board. She was appointed interim CEO after Altman's firing and informed Microsoft. However, text messages show Murati simultaneously relayed the board's stance to Altman while secretly urging Microsoft's CEO to help reverse the decision. Once employee backlash mounted, she refused to publicly defend the board's move she helped engineer. She then became the first signatory on the employee petition demanding the board resign and reinstate Altman. A former board member testified Murati was "waiting to see which way the wind blew," not realizing "she herself was the wind." The evidence depicts her actions as consistently aligning with her own interests throughout the crisis.

marsbit58 хв тому

The Exquisite Self-Interest of Former OpenAI CTO Murati: Personally Handing Over the Knife and Then Being the First to Seek Reconciliation

marsbit58 хв тому

AI Inference Bills Soar, Shopify and Roblox Warn: Savings from Layoffs Not Enough to Cover Chip Costs

The 2026 Q1 earnings season reveals a paradox: while AI helps companies freeze hiring and boost productivity, the soaring costs of AI inference—token consumption and GPU depreciation—are eroding savings from workforce reductions. Shopify reported that AI now writes over 50% of its code, enabling significant output with stable headcount. However, LLM costs, driven by heavy usage of its AI assistant Sidekick, are pressuring its subscription毛利率. Similarly, Roblox attributed a quarter of its full-year利润率下调 to increased AI investment. The article highlights a broader industry imbalance: combined AI capital expenditure for Amazon, Meta, Microsoft, and Google is projected to reach $725 billion in 2026, vastly outpacing potential savings from layoffs. For instance, Meta's planned裁员 would save about $2.4 billion annually, offsetting only ~12% of its incremental AI depreciation. While底层 model and chip suppliers like NVIDIA maintain high profitability, application-layer companies face a pricing squeeze. Their strategies now involve要么 tightly linking AI costs to user engagement (like Shopify) or introducing fees for advanced AI features (like Roblox), as covering AI bills with裁员 savings alone is financially unsustainable.

marsbit1 год тому

AI Inference Bills Soar, Shopify and Roblox Warn: Savings from Layoffs Not Enough to Cover Chip Costs

marsbit1 год тому

Торгівля

Спот

Ф'ючерси