KelpDAO Suffers $292M Exploit; Aave Sees $5.4B+ Rush for the Exits as DeFi Security Fears Spread
BlockBeats reports that in the early hours of April 19, multichain liquid staking platform KelpDAO was exploited, with the attacker draining 116,500 rsETH from KelpDAO's LayerZero-based cross-chain bridge—about $292 million—marking the largest DeFi security incident so far in 2026.
Roughly 46 minutes later, KelpDAO moved to contain the breach, urgently pausing its multisig and freezing key system components, including LRT deposit pools, withdrawal contracts, oracles, and the rsETH token. The team said it detected abnormal cross-chain activity involving rsETH, suspended related contracts across mainnet and multiple L2s, and is working with LayerZero and other parties on a root-cause analysis. Two follow-up withdrawal attempts by the attacker failed after the shutdown measures took effect.
KelpDAO said the attacker also tried to move another 40,000 rsETH (about $100 million). Had that succeeded, total losses could have climbed to around $391 million.
After the initial drain, the attacker rapidly borrowed across multiple lending venues—including Aave, Compound, Euler, and Fluid—creating bad debt across several protocols. Aave has taken the largest hit, with about $177 million in bad debt. Compound is facing roughly $39.4 million, while Euler is down about $840,000.
Aave said it has frozen rsETH markets on both V3 and V4, stressing the incident centers on the rsETH asset rather than any vulnerability in Aave's smart contracts. The protocol is reviewing post-incident lending positions and said that if bad debt remains, it will "explore pathways to cover the shortfall."
On-chain activity indicates the attacker deposited most of the stolen rsETH into Aave as collateral to borrow ETH, while selling a smaller portion directly for ETH. Combined, the hacker accumulated 106,466 ETH, worth about $250 million.
Risk aversion spread quickly. More than $5.4 billion was withdrawn from Aave after the attacker borrowed large amounts of ETH using illegally minted rsETH as collateral. The outflows included Justin Sun pulling 65,584 ETH (about $154 million). During the panic, Aave's ETH utilization rate briefly hit 100%.
Curve founder Michael Egorov commented that the episode underscores the risks of the widely used "non-isolated lending" model: it scales well but carries higher systemic risk, making risk management critical. He added that Aave V4's hub-and-spoke design could move the market toward a semi-isolated, safer framework.
Crypto KOL (key opinion leader) benmo.eth wrote that the rsETH theft has broad implications, puncturing the perception of Aave as untouchable and forcing large holders to reassess unified-market lending risk. He said Aave V4 and modular lending could become the next direction, potentially accelerating the shift.
Bankless co-founder Ryan Sean Adams warned that crypto hack frequency is at an all-time high and argued AI is a key driver, saying AI is giving hackers "dark superpowers" and that defenses must catch up quickly.