
Author: Jae, PANews
The cryptocurrency industry has had a turbulent April. Shortly after Drift, the leading Perp DEX in the Solana ecosystem, was hit by the "April Fools' Heist" and lost $285 million, the market was swept up in the bungee-style boom of the "Disco Coin" RAVE.
Just as RAVE began to cool down, the DeFi market was jolted again when KelpDAO, the leading Ethereum LRT (liquid restaking token) protocol, was attacked by hackers.
On April 18, KelpDAO was severely hacked through a vulnerability in the LayerZero-based cross-chain bridge, resulting in the illegal extraction of about 116,500 rsETH, with losses reaching up to $292 million, surpassing the theft at Drift and becoming the largest on-chain security incident of 2026 so far.
The hackers did not breach the mainnet staking contract and no private keys were leaked; it was merely a small crack in the cross-chain verification that triggered the combinatorial risks in DeFi.
As the leverage of restaking coincided with ambitions for multi-chain expansion, DeFi, after three years of rushing down the "yield-first" path, once again faced the soul-searching question of whether to prioritize "yield supremacy" or "security supremacy".
Single Point Verification Vulnerability Triggers LRT Crisis, KelpDAO Loses Nearly $300 Million
The central figure of the theft, KelpDAO, was once a star player in the LRT track.
Its business logic accurately targeted market pain points, creating a "one fish, three ways" model. Users wrapped LST (liquid staking token) assets like stETH and rETH into rsETH, retaining the basic yield of ETH staking while adding restaking rewards from EigenLayer, and could still use rsETH across various DeFi lending and mining scenarios.
In order to capture market share, KelpDAO aggressively expanded to 16 public chains, and rsETH, with its high yield and high liquidity, became a mainstream collateral asset on various Layer 2s and Aave, deeply embedded in the Ethereum DeFi ecosystem.
This multi-chain architecture heavily relied on the underlying cross-chain communication protocol provided by LayerZero, which became the epicenter of the disaster.
On April 20, LayerZero published a retrospective article stating that KelpDAO was attacked and suffered losses of around $290 million. Preliminary indications suggested that this attack may have been carried out by a highly sophisticated state actor, likely North Korea's Lazarus Group, specifically TraderTraitor. Due to KelpDAO's use of a single-signature setup, this incident was limited to its rsETH configuration and did not affect any other cross-chain assets or applications.
At the same time, LayerZero admitted that KelpDAO only used a 1/1 DVN configuration, which presented a "single point risk", and they are contacting all applications using 1/1 DVN configuration to migrate to a redundant multi-signature setup. However, they had not prompted KelpDAO to make any changes before this incident or enforced multi-signature configurations, which makes it hard for LayerZero to escape blame.
The hackers specifically poisoned LayerZero's downstream infrastructure, infiltrating two of its independent nodes, causing the DVN to confirm transactions that had never occurred.
According to LayerZero's disclosure, the hackers gained access to the RPC list used by LayerZero Labs' DVN, compromised two independent nodes, and replaced the op-geth binary while launching DDoS attacks on the uninfected RPCs to trigger failover, causing the DVN to confirm transactions that had never happened.
In short, the hackers "activated" the extraction rights of rsETH "out of thin air".
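The failure mode described above can be modelled in a few lines. The Python sketch below is an added illustration, not LayerZero's or KelpDAO's code: it contrasts plain RPC failover with a fail-closed quorum read, and a 1/1 verifier rule with a required-plus-threshold rule. All function names, endpoint counts and hash values are constructed for the example.

```python
from collections import Counter
from typing import Optional

# Constructed sample data. Each list entry is one RPC endpoint's answer for the
# same source-chain message: None = unreachable, str = payload hash it reports.
HONEST = "0xaaa"  # constructed placeholder: the real source-chain state
FORGED = "0xbad"  # constructed placeholder: a message that never happened
# Three honest endpoints knocked offline, two tampered endpoints still answering.
DDOS_SCENARIO = [None, None, None, FORGED, FORGED]

def naive_failover(responses: list[Optional[str]]) -> Optional[str]:
    """Plain failover: trust the first endpoint that answers."""
    for r in responses:
        if r is not None:
            return r
    return None

def quorum_read(responses: list[Optional[str]], quorum: int) -> Optional[str]:
    """Accept a value only if `quorum` endpoints agree; otherwise fail closed.
    `quorum` should be a strict majority of the configured endpoints, so an
    outage reduces availability instead of reducing the number of witnesses."""
    answers = Counter(r for r in responses if r is not None)
    if not answers:
        return None
    value, votes = answers.most_common(1)[0]
    return value if votes >= quorum else None

def message_verified(attestations: dict[str, Optional[str]], payload: str,
                     required: set[str], optional_threshold: int) -> bool:
    """Every required verifier, plus `optional_threshold` of the others,
    must attest to exactly `payload` before the message is accepted."""
    agree = {name for name, h in attestations.items() if h == payload}
    return required <= agree and len(agree - required) >= optional_threshold

if __name__ == "__main__":
    print("failover accepts:", naive_failover(DDOS_SCENARIO))
    print("quorum accepts:  ", quorum_read(DDOS_SCENARIO, quorum=3))
    # 1/1 setup: one poisoned verifier is enough to approve the forged message.
    print("1/1 verified:    ", message_verified({"dvn_a": FORGED}, FORGED, {"dvn_a"}, 0))
    # Redundant setup: the same poisoned verifier alone is rejected.
    print("1+1of2 verified: ", message_verified(
        {"dvn_a": FORGED, "dvn_b": None, "dvn_c": None}, FORGED, {"dvn_a"}, 1))
```

The quorum read refuses to answer when too few endpoints are reachable, which is the point: an outage should stall verification rather than shrink the set of nodes whose word is trusted.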
Even more chilling is that had the emergency blacklist mechanism not been triggered in the last 3 minutes, the hackers would have taken away an additional $100 million, pushing total losses directly above $400 million.
This blow-up had long been foreshadowed.
The hackers' attack path pointed directly to an industry-wide issue: the vulnerability of protocol verification mechanisms.
In the fervor to pursue cross-chain efficiency, KelpDAO turned a blind eye to its long-standing single-point verification problem, ultimately becoming the hackers' breakthrough point.
This was not the first time KelpDAO exposed security issues. In May last year, due to a scaling error during a contract upgrade, the protocol minted 31.2 quintillion (51 trillion) rsETH; although it was destroyed in time and caused no loss, it had already revealed its hidden security risks.
The brutal competition in the restaking track made security a casualty. To continuously expand its scale, KelpDAO kept integrating new LST assets and expanding to new L2 networks. However, with each additional chain and asset, the attack surface expanded exponentially.
Veteran DeFi players pointed out that the customer acquisition costs for L2's TVL are expected to rise further, causing a large amount of TVL to flow back to L1.
The "double-edged sword" of multi-chain expansion has ultimately turned into a blade piercing the protocol itself and the entire DeFi ecosystem.
Aave Faces rsETH Poisoning; $200 Million Bad Debt Triggers $6.6 Billion Capital Flight
DeFi is like Lego blocks; one break leads to a collapse of the whole.
After obtaining the illegitimate rsETH, the hackers did not dump it directly on DEXs but instead implemented an "asset poisoning" strategy: depositing rsETH as "high-quality collateral" in Aave to extract real high liquidity assets.
Aave V3/V4 accepts rsETH as qualified collateral on Ethereum and Arbitrum, allowing the hackers to deposit rsETH and borrow large amounts of WETH, USDC, and USDT, converting illegal assets into protocol bad debt.
According to estimates by Chaos Labs, the scale of bad debt faced by Aave far exceeds market expectations, approaching $200 million.
After the news of bad debt broke, the AAVE token quickly dropped by about 18%.

Since the end of last year, Aave seems to have been stuck in a severe "Mercury retrograde", a run of bad luck. After experiencing governance turmoil and an exodus of service providers, it has now become the best liquidity outlet for hackers because of its integration of rsETH-related markets.
A scene revealed by on-chain data further poured fuel on the fire for Aave.
Sun Yuchen was observed urgently redeeming 53,665 ETH, worth $126 million, from Aave. His withdrawal is seen as a barometer of large whales losing confidence in the security of the protocol.
The result was a capital flight across the entire market. According to DeFiLlama data, Aave recorded net outflows of up to $6.6 billion in a single day, with funds decreasing by 23%.

Although the fundamental issue was not caused by Aave, this incident has cast serious doubt on its risk management mechanism.
Some users pointed out that community members had publicly warned about KelpDAO's single-point verification risk on Aave's governance forum more than 15 months ago. However, the Aave team did not propose any solutions.
In contrast, Spark removed rsETH back in January this year. DeFi researcher CM bluntly stated: the entire Sky system represents a proactive tightening of risk control philosophy, which may slow down protocol development but demonstrates value in critical moments.
The 53,600 ETH that Sun Yuchen withdrew were also stored in Spark. Within two days, the SPARK token surged over 50%, standing in stark contrast to AAVE.
Todd, co-founder of Nothing Research, believes that in the face of nearly $200 million in bad debt, Aave may activate its "Umbrella" insurance module.
Although the Umbrella module offers the first line of defense, its capital pool is obviously insufficient to completely cover the bleeding of about $200 million in assets.
In the short term, Aave's self-rescue is merely a delay of the crisis, rather than a proper resolution; the main gap still needs to be filled through Aave's protocol profits or token issuance, with specific plans left for further community discussion.
Isolation Pools + Mandatory Insurance + Risk Repricing, Security No Longer Has a "Free Lunch"
The KelpDAO incident marks the official end of the LRT craze, and the DeFi market will usher in three irreversible risk control transformations.
Isolation of the lending market: Aave's non-isolated lending model has become history, with assets restricted to completely independent "Siloed Pools". Even if a single asset encounters problems, it will not affect assets present in other liquidity pools.
Michael Egorov, founder of Curve, pointed out in a post that the non-isolated lending model boasts good scalability but carries higher risks, recommending the market adopt completely isolated or hybrid models.
Although fully isolated architectures may reduce capital efficiency, they will significantly enhance the system's resilience to risk.
Mandatory insurance modules: The Umbrella module will promote protocol insurance from "optional configuration" to "essential component".
In the future, any new asset wanting to launch on mainstream lending platforms like Aave might be required to inject a certain proportion of collateral into corresponding insurance pools, serving as the primary source for compensation in case of related market defaults or thefts.
Risk repricing of DeFi assets: Yishi, founder of OneKey, bluntly stated that DeFi's yields and risks are now completely disproportionate, and security carries hard costs.
The market will reprice risk. Protocol fees and infrastructure costs will face upward pressure; otherwise, they will not be able to support security investments.
Thus, DeFi assets need to be repriced based on their underlying security. The risks of wrapped assets like LRTs are evidently higher than those of native assets, and lending platforms should account for the risk of wrapped assets in their risk control models.
The theft of KelpDAO serves as a brutal mirror, reflecting the collective indifference of DeFi toward security bottom lines in their pursuit of extreme yields and multi-chain expansion.
A loss of nearly $300 million is expensive, but if it prompts DeFi to shift from blindly pursuing composability to pursuing robustness, then this may well be the tuition required for the industry to mature.
In the aftermath of the KelpDAO incident, the market is gradually realizing that the true value of DeFi lies in providing a more transparent, safer, and more risk-resistant financial infrastructure.
And when the tsunami recedes, what remains will be a stronger foundation.