DeFi Hacked Again for $292 Million, Is Even Aave No Longer Safe?

Author｜Azuma (@azuma_eth)

On April 19th, Beijing time, DeFi security suffered another major blow.

On-chain data shows that around 1:35 AM this morning, the rsETH bridge contract of the second-largest liquid staking protocol, Kelp DAO, based on LayerZero, was suspected to have been exploited by hackers, resulting in a loss of 116,500 rsETH, valued at approximately $292 million.

Further tracing the on-chain records reveals that the attacker’s address received an initial funding of 1 ETH from the mixing protocol Tornado Cash about 10 hours before the incident. Subsequently, this address called the `lzReceive` function on the LayerZero EndpointV2 contract. This call triggered Kelp’s bridge contract, transferring 116,500 rsETH to another attacker-controlled address.

Approximately two and a half hours after the incident, Kelp DAO officially confirmed the attack on X: “Earlier today, we detected suspicious cross-chain activity involving rsETH. While investigating, we have paused the rsETH contracts on Mainnet and multiple Layer 2s. Our auditors are working with security experts from LayerZero and Unichain and are closely monitoring the situation. We will keep you updated, please follow official channels.”

Following the incident, various DeFi projects and security agencies analyzed the cause. An analysis by D2 Finance was widely cited within the community — LayerZero Scan marked the source counterparty as Kelp DAO, indicating the message originated from a legitimately deployed counterparty contract by Kelp itself, and this path had 308 prior message nonce records. Therefore, the root cause of this attack lies in “the compromise of the source chain’s private key.”

Steven Enamakel, a developer at TinyHumans AI, added that the contract was secured by only a 1/1 validator set (DVN), meaning a single erroneous transaction from the validator was sufficient to cause the issue.

Hacker Escapes via Aave, Suspected Bad Debt Incurred

Due to the limited trading liquidity of rsETH itself, the hacker’s chosen escape strategy was to route through lending protocols like Aave, using the stolen rsETH as collateral to borrow wETH, which has better trading liquidity.

Monitoring by PeckShield Alert shows that as of 4:30 AM this morning, the hacker’s address had deposited the stolen rsETH into lending protocols including Aave V3, Compound V3, and Euler, borrowing a large amount of WETH, with a total debt exceeding $236 million — of which Aave alone accounted for $196 million, Compound $39.4 million, and Euler only $840,000.

After the incident, Aave promptly froze the rsETH markets on Aave V3 and V4. The team later issued an official statement on X: “Aave contracts have not been exploited. The exploit is related to rsETH. Freezing rsETH is to prevent new rsETH deposits and borrowing against it while the situation is assessed. We are reviewing the rsETH borrows that occurred on Aave post-exploit and will share more details as soon as possible.”

Shortly after the initial statement, Aave updated the post, adding at the end: “If the protocol accrues bad debt from this event, we will explore avenues to cover the deficit.“

لکھنے کے وقت تک، the specific amount of bad debt caused by this incident remains unclear.

monetsupply.eth, Head of Strategy at Aave’s direct competitor Spark, stated that if rsETH experiences a 19% discount (the stolen amount represents 19% of rsETH’s total supply), Aave could incur over $100 million in bad debt due to highly leveraged recursive borrowing.

However, Marc Zeller, founder of the representative Aave governance group Aave Chan Initiative (ACI) (who has announced his departure from Aave in July due to governance disagreements), offered a different perspective. Initially, Zeller advised users to withdraw WETH from Aave V3 as soon as possible to avoid losses and confirmed that the USDC and USDT markets on Aave were unaffected. In response to another user’s speculation that “bad debt could reach hundreds of millions,” he stated: “Far less than that.”

But Marc Zeller also mentioned that it’s time to test Umbrella in a real production environment. Umbrella refers to Aave’s automated safety module, essentially a capital pool designed to handle bad debt. Users can deposit assets into it for higher incentives, but the pool also bears potential losses when the protocol incurs bad debt.

Aave protocol data shows that the Umbrella currently holds approximately $50 million worth of WETH that could be used to address potential bad debt from this incident, but it’s uncertain if this will be sufficient to cover the shortfall.

Affected by this event, AAVE’s price briefly plummeted nearly 10%, currently trading at around 104.6 USDT at the time of writing.

Another Hundred-Million-Dollar Security Incident in April

This is not the first massive security incident this month.

As early as April 1st, the Solana ecosystem derivatives trading protocol Drift Protocol was attacked, suffering losses as high as $280 million (see “An April Fool’s Joke? Drift Protocol Loses Over $280M, Potentially Becoming Solana’s Second-Largest DeFi Heist“).

Afterwards, Drift Protocol directly blamed “North Korean hackers” for the theft. Fortunately, institutions like Tether have pledged $147.5 million for user compensation, giving users some hope for reimbursement.

Just over ten days later, another, even larger-scale hack has erupted. How will this one be resolved?

Is There Any Safe Place Left in DeFi?

Security issues in DeFi are intensifying.

On one side, there are continuous hacking incidents; on the other, there are persistent security threats posed by AI like Mythos (refer to “Odaily Interview with Yu Xian: How Does the Leak of Anthropic’s Nuclear-Grade New Model Affect Crypto Security Offense and Defense?“). For DeFi users, the previous coping strategy was to concentrate funds in well-audited, reputable top-tier protocols. But now, even top-tier protocols like Aave, which retail users subconsciously consider extremely unlikely to have problems, have been indirectly affected. Where can users move their funds?

Personally speaking, it’s currently not advisable for users to keep large amounts of funds on-chain. If there is a genuine need, please ensure proper diversification and isolation of positions.

As of the time of writing, many details regarding this incident remain unclear. Odaily will continue to follow the developments. Please stay tuned.

یہ مضمون انٹرنیٹ سے لیا گیا ہے: DeFi Hacked Again for $292 Million, Is Even Aave No Longer Safe?

Related: ETF Outflows $4.5 Billion: Will BTC Drop Another 30% in the Next 3 Months?

The article cross-validates using three sets of data from Glassnode, Santiment, and CryptoQuant, proposing three future scenarios, providing a suitable reference framework for judging BTC’s current trajectory. The full text is as follows: Bitcoin’s network activity has been weakening for six consecutive months, but this trend is not reflected in the core metrics that many traders first look at. The clearer signal is not trading volume—which has remained largely stable—but the breadth of participation. Even as the network continues to process a similar number of transactions, the number of active on-chain addresses has been steadily declining. In a market where price discovery increasingly occurs on ETFs and derivatives, this split is crucial. It means: Bitcoin’s on-chain footprint is narrowing, while market exposure remains active elsewhere. As the bear market persists,…