DeFi is hacked again for $292 million, is Aave no longer safe now?


Original | Odaily Planet Daily (@OdailyChina)

Author | Azuma (@azuma_eth)

On April 19 (Beijing time), DeFi security suffered another heavy blow.

On-chain data shows that around 1:35 this morning, the LayerZero-based rsETH bridge contract of Kelp DAO, the second-largest liquid staking protocol, is suspected to have been exploited by hackers, resulting in a loss of 116,500 rsETH, worth approximately $292 million.

Tracing the on-chain records further shows that the attacker’s address received an initial 1 ETH from the mixer protocol Tornado Cash about 10 hours before the incident. Afterwards, this address called the lzReceive function on the LayerZero EndpointV2 contract, which triggered Kelp’s bridging contract to transfer 116,500 rsETH to another attacker address.

About two and a half hours after the incident, Kelp DAO’s official account confirmed the attack on X: “Earlier today, we detected suspicious cross-chain activity involving rsETH. During the investigation, we have paused rsETH contracts on the mainnet and multiple Layer2s. Our auditors are working closely with LayerZero and Unichain security experts to monitor the situation. We will keep you updated through official channels.”

Following the incident, various DeFi projects and security agencies analyzed the cause. D2 Finance’s analysis, which has been cited multiple times within the community, notes that LayerZero Scan marked the counterparty source as Kelp DAO, indicating that the message originated from Kelp’s own legitimately deployed contract, and that this path had previously recorded 308 message nonces. It therefore concludes that the root cause of this attack was “the private key on the source chain was compromised.”

TinyHumans AI developer Steven Enamakel added that the contract is protected by only a 1/1 validator set (DVN), meaning that just one erroneous transaction from a validator could trigger issues.
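
The 1/1 DVN weakness described above can be checked for in configuration. The following is an added example, not code from the article, Kelp DAO or LayerZero: it assumes a verifier config shaped like LayerZero V2's UlnConfig (every required DVN must attest, plus a threshold of optional DVNs) and computes how few independent operators can get a message verified. The addresses, operator names and the `min_quorum` policy are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class UlnConfig:
    # Fields mirror LayerZero V2's UlnConfig struct (an assumption of this example).
    confirmations: int
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0


def forgery_quorum(cfg, operator_of):
    """Fewest independent operators whose signing keys must agree (or be
    compromised) before a message on this path counts as verified."""
    op = lambda a: operator_of.get(a.lower(), a.lower())  # unknown DVN: own operator
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns} - required
    req_ops = {op(a) for a in required}
    # Optional DVNs run by an operator that is already required add no independence.
    free = sum(1 for a in optional if op(a) in req_ops)
    still_needed = max(0, cfg.optional_threshold - free)
    groups = Counter(op(a) for a in optional if op(a) not in req_ops)
    extra = 0
    for size in sorted(groups.values(), reverse=True):  # biggest operators first
        if still_needed <= 0:
            break
        still_needed -= size
        extra += 1
    return len(req_ops) + extra


def audit(cfg, operator_of, min_quorum=2):
    findings = []
    if len(set(a.lower() for a in cfg.required_dvns)) != len(cfg.required_dvns):
        findings.append("duplicate address in required DVN list")
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("optional threshold exceeds optional DVN count")
    quorum = forgery_quorum(cfg, operator_of)
    if quorum < min_quorum:
        findings.append(f"{quorum} operator(s) can verify any message on this path")
    return findings


# Constructed sample data: placeholder addresses and operator names.
OPERATORS = {"0xaa01": "op-a", "0xaa02": "op-a", "0xbb01": "op-b", "0xcc01": "op-c"}
ONE_OF_ONE = UlnConfig(confirmations=15, required_dvns=["0xAA01"])
SAME_OPERATOR = UlnConfig(15, ["0xAA01"], ["0xAA02", "0xBB01"], optional_threshold=1)
INDEPENDENT = UlnConfig(15, ["0xAA01", "0xBB01"], ["0xCC01"], optional_threshold=1)
```

The second sample shows that adding DVNs does not help when the optional threshold can be met by a DVN run by the same operator as the required one.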

Hackers exploit Aave to escape, suspected to cause bad debts

Due to rsETH’s limited trading liquidity, the hacker’s exit strategy was to borrow through protocols like Aave, collateralizing rsETH and borrowing more liquid assets like WETH.

PeckShield Alert monitoring showed that by 4:30 this morning, the hacker’s address had deposited the stolen rsETH into lending protocols such as Aave V3, Compound V3, Euler, and borrowed a large amount of WETH, with total debts exceeding $236 million — including $196 million on Aave alone, $39.4 million on Compound, and only $840k on Euler.

After the incident, Aave immediately froze the rsETH markets on Aave V3 and V4. The team later issued a statement on X: “Aave’s contracts were not attacked; this incident is related to rsETH. Freezing rsETH was to prevent new deposits and collateralized loans during the assessment. We are reviewing the rsETH borrowing activity on Aave following the attack and will share more details as soon as possible.”

Shortly after the initial statement, Aave updated the situation, adding: “If this protocol incurs bad debt due to this incident, we will explore ways to cover the deficit.”

As of this writing, the exact amount of bad debt caused by this event remains unclear.

monetsupply.eth, strategic director at Spark, a direct competitor of Aave, said that if rsETH trades at a 19% discount (the stolen amount accounts for 19% of total rsETH supply), Aave could face over $100 million in bad debt due to high-leverage looped borrowing.

However, Marc Zeller, founder of the representative governance team Aave Chan Initiative (who announced he will leave Aave in July due to governance disagreements), offered a different view. Zeller initially advised users to withdraw WETH from Aave V3 to avoid losses and confirmed that USDC and USDT markets on Aave were unaffected. When asked about the possibility of bad debt reaching billions, he responded: “Much less than that.”

Zeller also mentioned that it’s time to test Umbrella in a real production environment. Umbrella is Aave’s automated safety module — essentially a fund pool to handle bad debts, where users can deposit assets for higher incentives, but when the protocol incurs losses, this pool also bears potential losses.

Aave protocol data shows that Umbrella currently holds about $50 million worth of WETH to cover potential bad debts from this incident, but it’s uncertain whether that’s enough to fill the gap.

Following this event, AAVE’s price plummeted nearly 10%, currently trading at about $104.6 USDT.

Another billion-dollar security incident in April

This is not the first major security event this month.

On April 1, Solana ecosystem derivative trading protocol Drift Protocol was attacked, losing up to $280 million (see “April Fools? Drift Protocol stolen over $280 million, possibly the second-largest DeFi hack on Solana ecosystem”).

Later, Drift Protocol blamed “North Korean hackers” for the theft. Fortunately, institutions like Tether promised to inject $147.5 million to compensate users, giving some hope for claims.

Just over ten days later, a larger-scale hacking incident occurred. How will this end?

Is there still a safe place in DeFi?

DeFi security issues are worsening.

On one side are ongoing hacker attacks; on the other are persistent security threats from AI tools like Mythos (see “Odaily Exclusive: Cosine on the Leak of Anthropic’s Nuclear-Level New Model, How Does It Affect Crypto Security Defense?”). For DeFi users, the usual precaution until now has been to consolidate funds into well-audited, reputable top protocols. But now, even top-tier protocols like Aave, which are perceived as less prone to issues, are indirectly affected. Where else can users move their funds?

Personally, I currently advise against leaving large amounts of funds on-chain. If necessary, ensure proper diversification and isolation of positions.

As of this writing, many details of this incident remain unclear. Odaily will continue to follow the developments; please stay tuned.
