DeFi suffered another $292 million theft; is even Aave no longer safe?

Original article | Odaily (@OdailyChina)

Author | Azuma (@azuma_eth)

On April 19th, Beijing time, DeFi security suffered another major blow.

On-chain data shows that around 1:35 this morning, the LayerZero-based rsETH bridge contract of Kelp DAO, the second-largest liquid staking protocol, is suspected to have been exploited by hackers, resulting in the loss of 116,500 rsETH, worth approximately $292 million.

Tracing the on-chain records further back, the attacker's address received initial funding of 1 ETH from the mixing protocol Tornado Cash approximately 10 hours before the incident. The address then called the lzReceive function on the LayerZero EndpointV2 contract. This call triggered the Kelp bridge contract, which transferred 116,500 rsETH to a second attacker address.

Approximately two and a half hours after the incident, Kelp DAO officially confirmed the attack on X: "Earlier today, we discovered suspicious cross-chain activity involving rsETH. During the investigation, we have suspended rsETH contracts on the mainnet and multiple Layer 2 platforms. Our auditors are working closely with security experts from LayerZero and Unichain to monitor the situation. We will keep you updated on the latest developments; please follow our official channels."

Following the incident, various DeFi projects and security organizations analyzed the cause. D2 Finance's analysis, which has been cited multiple times within the community, noted that LayerZero Scan identified the source peer as Kelp DAO, meaning the message originated from a legitimate peer contract deployed by Kelp itself, and that this path already had 308 message nonce records. The analysis therefore concluded that the root cause of this attack was that the "source chain private key was compromised."

Steven Enamakel, a developer at TinyHumans AI, added that the contract is secured only by a 1/1 validator set (DVN), which means that a single erroneous transaction by a validator could trigger a problem.
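A 1/1 DVN setup of the kind Enamakel describes can be caught by a routine configuration review. The following is an added example, not code from Kelp DAO, LayerZero or the original article: it audits an already-decoded verifier config whose field names are modelled on LayerZero V2's `UlnConfig` struct. The addresses are constructed placeholders and the `min_quorum=2` policy is an assumption of this example.

```python
from dataclasses import dataclass, field

@dataclass
class UlnConfig:
    # Field names modelled on LayerZero V2's UlnConfig struct (assumption:
    # the config has already been fetched and decoded by the caller).
    confirmations: int
    required_dvns: list = field(default_factory=list)
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

def attestations_needed(cfg: UlnConfig) -> int:
    """Distinct DVNs that must verify a message before it can be delivered:
    every required DVN plus `optional_threshold` of the optional ones."""
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns} - required
    return len(required) + min(cfg.optional_threshold, len(optional))

def audit(cfg: UlnConfig, min_quorum: int = 2) -> list:
    """Return findings; min_quorum=2 is this example's policy, not a LayerZero default."""
    findings = []
    req = [a.lower() for a in cfg.required_dvns]
    opt = [a.lower() for a in cfg.optional_dvns]
    if len(set(req)) != len(req) or len(set(opt)) != len(opt):
        findings.append("duplicate DVN address inflates the apparent set size")
    if set(req) & set(opt):
        findings.append("same DVN listed as required and optional")
    if cfg.optional_threshold > len(set(opt)):
        findings.append("optional threshold exceeds optional DVN count")
    need, total = attestations_needed(cfg), len(set(req) | set(opt))
    if need == 0:
        findings.append("no DVN verification configured")
    elif need < min_quorum:
        findings.append(f"single point of failure: {need}/{total} DVN quorum")
    return findings

# Constructed sample configs; the addresses are placeholders, not real DVNs.
WEAK = UlnConfig(confirmations=15, required_dvns=["0x" + "a1" * 20])
HARDENED = UlnConfig(
    confirmations=15,
    required_dvns=["0x" + "a1" * 20, "0x" + "b2" * 20],
    optional_dvns=["0x" + "c3" * 20, "0x" + "d4" * 20, "0x" + "e5" * 20],
    optional_threshold=2,
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, attestations_needed(cfg), audit(cfg) or "ok")
```

A 1-of-N optional-only setup is flagged the same way, because any one verifier is still enough to approve a message.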

Hackers used Aave as a transit point to escape, potentially causing bad debts.

Because rsETH itself has limited trading liquidity, the hacker's exit strategy was to use lending protocols such as Aave to post rsETH as collateral and borrow WETH, which has better trading liquidity.

PeckShield Alert monitoring shows that as of 4:30 this morning, the hacker's address had deposited the stolen rsETH into lending protocols such as Aave V3, Compound V3, and Euler, and had borrowed a large amount of WETH, with total debt exceeding $236 million, of which $196 million is owed on Aave alone, $39.4 million on Compound, and only $840,000 on Euler.

Following the incident, Aave immediately froze the rsETH market on Aave V3 and V4. The team later released a statement on X, stating: "Aave's contracts were not attacked; the attack was related to rsETH. The rsETH freeze was to prevent new rsETH deposits and collateralized loans while assessing the situation. We are reviewing rsETH lending information that occurred on Aave after the attack and will share more details as soon as possible."

Shortly after the initial statement was released, Aave updated it, adding at the end: "If the protocol accumulates bad debts as a result of this event, we will explore ways to cover the deficit."

As of the time of writing, the exact amount of bad debts caused by this incident is still unclear.

According to monetsupply.eth, the strategy director of Spark, a direct competitor of Aave, if rsETH were to trade at a 19% discount (reflecting the 19% of the total rsETH supply that was stolen), Aave could incur more than $100 million in bad debt because of highly leveraged revolving lending positions.

However, Marc Zeller, founder of the Aave Chan Initiative (ACI), the representative governance team of the Aave ecosystem (who has announced his departure from Aave in July due to governance disagreements), offered a different perspective. At the outset of the incident, Zeller advised users to withdraw their WETH from Aave V3 as soon as possible to avoid losses and confirmed that the USDC and USDT markets on Aave were unaffected. In response to another user's speculation that "bad debt could reach hundreds of millions," he stated, "It's far less than that number."

However, Marc Zeller also mentioned that it's time to test Umbrella in a real production environment. Umbrella, Aave's automated security module, is essentially a pool of funds for handling bad debts. Users can deposit assets into it to earn higher incentives, but the pool also bears the potential losses when bad debts occur in the protocol.

According to Aave protocol data, Umbrella currently holds approximately $50 million worth of WETH that could be used to address potential bad debts from this incident, but it is not yet certain whether this will be sufficient to fill the gap.

Affected by this event, AAVE fell by nearly 10% in the short term and is trading at 104.6 USDT as of the time of writing.

Another security incident involving hundreds of millions of yuan in April

This is not the first major security incident this month.

Back on April 1, the Solana ecosystem's derivatives trading protocol, Drift Protocol, was attacked, resulting in a loss of up to $280 million (see "April Fool's Joke? Drift Protocol Suffers Over $280 Million Theft, Potentially the Second Largest DeFi Heist in the Solana Ecosystem").

Afterwards, Drift Protocol directly blamed the theft on "North Korean hackers," but fortunately, institutions such as Tether have pledged $147.5 million for user compensation, giving users at least some hope of claiming compensation.

Just over ten days later, another, even larger hacking incident has broken out. How will it end this time?

Is there still a safe place for DeFi?

The security issues surrounding DeFi are escalating.

On one hand, there are continuous hacking incidents; on the other hand, there are persistent security threats posed by AIs like Mythos (see "Odaily Interview with Yu Xian: How Will the Leak of Anthropic's Nuclear-Level New Model Affect Cryptographic Security Attack and Defense?"). For DeFi users, the previous strategy was to concentrate funds in well-audited, reputable leading protocols. However, now even top-tier protocols like Aave, which retail investors subconsciously consider extremely reliable, have been indirectly affected. Where can users move their funds now?

Personally speaking, it is not advisable for users to keep large amounts of funds on the blockchain at present. If there is a genuine need, please be sure to diversify and isolate your positions.

As of this writing, many details about this incident remain unclear. Odaily will continue to follow up on the developments, so please stay tuned.
