Original | Odaily Planet Daily (@OdailyChina)

Author | Azuma (@azuma_eth)

On April 19, Beijing time, DeFi security suffered another heavy blow.

On-chain data shows that, around 1:35 AM this morning, the second-largest liquid staking protocol Kelp DAO's rsETH bridging contract based on LayerZero was suspected to have been exploited by hackers, resulting in a loss of 116,500 rsETH, valued at approximately 292 million US dollars.

Continuing to trace the on-chain records, the attacker's address received an initial funding of 1 ETH from the mixing protocol Tornado Cash about 10 hours before the incident. The address then called the lzReceive function on the LayerZero EndpointV2 contract, which triggered Kelp's bridging contract and transferred 116,500 rsETH to another attacker address.

About 2.5 hours after the incident, Kelp DAO officials confirmed the attack on X: "Earlier today, we detected suspicious cross-chain activity involving rsETH. During the investigation, we have suspended the rsETH contracts on the mainnet and multiple Layer2s. Our auditors are working with security experts from LayerZero and Unichain to closely monitor the situation. We will keep you updated through official channels."

After the incident, various DeFi projects and security agencies analyzed the cause of the event. D2 Finance was quoted multiple times in the community — LayerZero Scan marked the counterparty source as Kelp DAO, indicating that the message originated from a legally deployed counterpart contract by Kelp itself, and this path already had 308 message nonce records. Therefore, the root cause of this attack was that "the private key of the source chain was compromised."

TinyHumans AI developer Steven Enamakel added that this contract was secured by only one 1/1 validator set (DVN), meaning that as long as the validator made a single erroneous transaction, it would be enough to trigger issues.

The hacker escaped via Aave, suspected to have caused bad debt

Due to limited trading liquidity of rsETH itself, the escape strategy chosen by the hacker was to use lending protocols like Aave, collateralizing rsETH to borrow wETH with better trading liquidity.

PeckShield Alert monitoring showed that, as of 4:30 AM today, the hacker's address had deposited the stolen rsETH into lending protocols like Aave V3, Compound V3, and Euler, borrowing a large amount of WETH, with total debts exceeding 236 million US dollars — among which Aave alone accounted for 196 million US dollars in debt, Compound had 39.4 million US dollars, and Euler had only 840,000 US dollars.

After the incident, Aave immediately froze the rsETH market on Aave V3 and V4, and the team subsequently published a statement on X stating: "Aave's contracts were not attacked, this incident is related to rsETH. Freezing rsETH is to prevent new rsETH deposits and collateralized loans during the assessment period. We are reviewing the rsETH borrowing information that occurred on Aave after the attack and will share more details as soon as possible."

Shortly after the initial statement was released, Aave updated that dynamic by adding: "If the protocol accumulates bad debts due to this incident, we will explore ways to make up for the deficit."

As of the publication of this article, the specific amount of bad debt caused by this incident remains unclear.

Aave's direct competitor Spark's strategic director monetsupply.eth indicated that if rsETH experienced a 19% discount (the stolen amount accounts for 19% of the total supply of rsETH), Aave could incur bad debts exceeding 100 million US dollars due to high leveraged circular borrowing.

However, Marc Zeller, founder of the representative governance team of the Aave ecosystem, Aave Chan Initiative (ACI), who has announced his intention to exit Aave in July due to governance differences, provided a different view. Zeller suggested to users at the onset of the incident to quickly withdraw WETH from Aave V3 to avoid losses, and confirmed that the USDC and USDT markets on Aave were unaffected , when replying to another user's speculation about "bad debt potentially reaching hundreds of millions," he stated: "Far less than that number."

But Marc Zeller also mentioned that it is time to test Umbrella in a real production environment. Umbrella, known as Aave's automatic safety module, is essentially a fund pool to address bad debts, where users can deposit assets to receive higher incentives, but when the protocol incurs bad debts, the fund pool also has to bear potential losses.

Aave protocol data shows that there is currently approximately 50 million US dollars worth of WETH in Umbrella available to address the potential bad debts of this incident, but it is still uncertain whether it is enough to fill the gap.

As a result of this incident, AAVE briefly dropped nearly 10%, currently reported at 104.6 USDT.

Another billion-level security incident in April

This is not the first major security incident to occur this month.

As early as April 1, the Solana ecosystem derivative trading protocol Drift Protocol was attacked, with losses as high as 280 million US dollars (see "April Fool's joke? Drift Protocol stolen over 280 million US dollars, possibly becoming the second largest DeFi robbery in Solana's ecosystem").

Afterwards, Drift Protocol directly blamed the stolen assets on "North Korean hackers," but fortunately, institutions like Tether have pledged to inject 147.5 million US dollars for user compensation, giving users at least some hope for claims.

Just over a dozen days later, another larger-scale hacking incident broke out, how will this one conclude?

Is there a safe place in DeFi?

The security issues in DeFi are escalating.

On one side there are continuous hacker incidents, and on the other side the persistent security threats brought by AI like Mythos (see "Odaily exclusive interview with Yu Xuan: Anthropic's nuclear-level new model leak, how does it affect crypto security offense and defense?"). For DeFi users, the previous response was to consolidate funds toward well-audited, reputable top protocols, but now, even top protocols like Aave, which subconsciously seem unlikely to encounter issues for retail investors, are also indirectly affected, where else can users move their funds?

Personally, I do not currently recommend that users keep a large amount of funds on-chain; if there is indeed a necessity, please ensure proper position diversification and isolation.

As of the publication of this article, many details regarding this incident remain unclear. Odaily will continue to follow the progress of this event, please stay tuned.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。