Written by: Wu Says Blockchain
On April 18, the rsETH cross-chain assets of KelpDAO suffered a massive attack, resulting in losses of approximately $290 million (about 116,500 rsETH, accounting for 18% of the circulating supply). LayerZero Labs, in its latest statement, tentatively attributed the attack to the North Korean Lazarus Group (also known as TraderTraitor). The attackers poisoned the RPC nodes downstream of the LayerZero DVN and induced failover through DDoS attacks, causing the DVN to confirm that "the transaction did not occur," thereby forging cross-chain messages.
Although this incident did not directly target the Aave protocol itself, it triggered a systemic liquidity shock of a kind rare in DeFi history. Aave's TVL plummeted by about $8.45 billion within 48 hours (the latest assessment shows a decline of about $8 billion to $9.5 billion), while the total TVL across all chains in DeFi shrank from $99.497 billion to $86.286 billion, evaporating $13.21 billion. The event quickly spread from EVM chains to Solana, with the USDC utilization rate of lending protocols like Kamino suddenly soaring to 100%, forcing the DeFi industry into a "stress test" mode.
LayerZero Official Disclosure: Single Point of Failure, Not Protocol Vulnerability
On April 20, LayerZero Labs released a detailed explanation confirming that the attack specifically targeted the 1/1 single-DVN configuration used by KelpDAO (which relied solely on one validator from LayerZero Labs), a deviation from the multi-DVN redundancy that LayerZero has consistently recommended as best practice. The attackers, through poisoning, binary replacement, and DDoS-induced failover, caused the DVN to confirm that "the transaction did not occur," but did not exploit any protocol or key vulnerabilities. The impact was limited to rsETH and did not spread to other OApp/OFT assets. LayerZero has fully discarded and replaced the affected RPC, the DVN has resumed operation, and all projects using a 1/1 configuration are required to migrate to multi-DVN as soon as possible. LayerZero is also cooperating with global law enforcement agencies to trace the funds.
However, Yearn Finance core developer banteg explicitly questioned this description. He stated that characterizing the event as "RPC poisoning" is inaccurate and muddles the concepts. In traditional network attacks, RPC poisoning involves the attacker altering shared lookups (DNS, ARP, cache, etc.) outside the trust boundary, with no reason for the receiver to doubt the source. In this attack, however, the attacker had entered LayerZero's trust boundary, accessed the RPC list, compromised the two nodes relied upon by the DVN, and replaced the op-geth binary file, which is more akin to an internal infrastructure breach or a form of supply chain attack than to typical external network poisoning. Banteg believes this description underestimates the severity of the attack and suggests that cross-chain bridges should not be hastily restored until the specific source of the vulnerability is clearly identified.
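The 1/1 risk described above can be checked mechanically. The following is an added example, not code from LayerZero or KelpDAO: it assumes a verification model in which every "required" DVN plus a threshold of "optional" DVNs must attest, and it goes one step beyond the text by grouping DVNs by operator, since two DVNs run by the same operator are still a single point of failure. All class, function, DVN and operator names are hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class DvnConfig:
    required: tuple              # every required DVN must attest
    optional: tuple = ()         # pool of optional DVNs
    optional_threshold: int = 0  # how many of the pool must also attest

    def accepts(self, attesting):
        """True if this set of attesting DVNs is enough to verify a message."""
        attesting = set(attesting)
        return (set(self.required) <= attesting
                and len(attesting & set(self.optional)) >= self.optional_threshold)

def min_operators_to_verify(cfg, operator_of):
    """Fewest distinct operators whose DVNs alone get a message accepted.
    Returns None when no set of DVNs can ever satisfy the config."""
    dvns = set(cfg.required) | set(cfg.optional)
    operators = sorted({operator_of[d] for d in dvns})
    for k in range(len(operators) + 1):
        for group in combinations(operators, k):
            controlled = {d for d in dvns if operator_of[d] in group}
            if cfg.accepts(controlled):
                return k
    return None

def audit(configs, operator_of, minimum=2):
    """Map pathway name -> operator count for pathways below `minimum`."""
    weak = {}
    for name, cfg in configs.items():
        k = min_operators_to_verify(cfg, operator_of)
        if k is not None and k < minimum:
            weak[name] = k
    return weak

# Constructed sample data: DVN and operator names are placeholders.
OPERATOR_OF = {"dvn-a": "op-1", "dvn-a2": "op-1", "dvn-b": "op-2",
               "dvn-c": "op-3", "dvn-d": "op-4"}
CONFIGS = {
    "one-of-one": DvnConfig(required=("dvn-a",)),
    "two-dvns-one-operator": DvnConfig(required=("dvn-a", "dvn-a2")),
    "two-required-plus-1-of-2": DvnConfig(("dvn-a", "dvn-b"), ("dvn-c", "dvn-d"), 1),
    "optional-2-of-3": DvnConfig((), ("dvn-a", "dvn-b", "dvn-c"), 2),
}

if __name__ == "__main__":
    print(audit(CONFIGS, OPERATOR_OF))
```

A result of 1 means a single operator's infrastructure decides whether a message is accepted, which is the condition the 1/1 configuration created; a result of 0 means the pathway has no verification at all.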
Aave First to Bear the Brunt: Approximately $200 Million Bad Debt + Liquidity Run
After the attack, hackers borrowed ETH on Aave using the stolen rsETH as collateral, leaving approximately $195 million to $216 million in bad debt that cannot be recovered through regular liquidation. The ETH utilization rate across multiple Aave V3 markets at one point reached 100%, triggering a massive wave of withdrawals; Justin Sun alone withdrew about 65,500 ETH. Data from DeFiLlama shows that Aave's TVL shrank by over $8 billion in the past two days, and market panic spread.
Spark's strategic director monetsupply.eth pointed out that Spark removed low-utilization assets like rsETH as early as January and tightened the range of collateral. Although this cost Spark some business in the short term, the current results prove that the cautious strategy was effective: SparkLend's ETH market still maintains sufficient withdrawal liquidity, while Aave's multi-chain markets have experienced a liquidity shortage.
How to Resolve Huge Bad Debt? Three Paths Ahead
0xngmi, co-founder of DeFiLlama, analyzed that KelpDAO faces three main handling paths:
1. Distributing losses among all users: This corresponds to an approximate 18.5% write-down, resulting in about $216 million in bad debt. Of this, Umbrella ETH can cover about $55 million, the Aave treasury can additionally cover about $85 million, leaving a remaining gap of about $76 million that could be filled by borrowing or selling approximately $51 million worth of AAVE tokens from the treasury.
2. Concentrating losses on L2 rsETH holders: This could lead to approximately $341 million in bad debt, and would not be covered by Umbrella.
3. Compensation based on the pre-attack snapshot: Due to significant fund movement and the protocol using a pooled structure, execution difficulty is high; even so, after Umbrella coverage, there may still be about $91 million in losses remaining.
OneKey founder Yishi stated that the optimal solution is to "negotiate with the hackers, offering a 10-15% bounty"; if negotiations fail, the LayerZero ecosystem fund could bear the main losses. As the "weakest party," KelpDAO can make up the difference through tokens or future income, or consider an overall sale to LayerZero (L0) or BMNR. Aave's Umbrella and stkAAVE form the last line of defense, but he also warns that WETH holders should not bear the write-down; otherwise protocols like Morpho, Spark, Fluid, and Euler may reprice risk, and overall trust in the LRT sector could be damaged.
Currently, Aave's Umbrella security module is facing its first real stress test, and whether it can fully cover the gap remains uncertain.
Ethereum Foundation's Position Becomes the Focus, Industry Confidence Dented
DeFi analyst Ignas pointed out that the Ethereum Foundation (EF) holds about $48 million in assets on Aave's Ethereum mainnet. If there is no write-down in the mainnet market, it would be more favorable for the security of EF's position. EF had previously long avoided DeFi, only recently starting to allocate to "low-risk DeFi"; this incident may impact its subsequent decisions.
On a broader level, the incident has triggered industry reflection on the trust risk of external LST/LRT collateral, the single-point-of-failure hazards of cross-chain bridges, and the liquidity mechanisms of DeFi under extreme pressure. The USDC Reserve utilization rate of Kamino Prime Market on Solana reached 100%, with several Vaults over 95%, indicating that the exodus of funds has already spread across chains.
DeFi's "Coming of Age" or a Turning Point?
This is not a code vulnerability of Aave, but a systemic chain reaction triggered by "misplaced trust in collateral assets." As several analysts have pointed out, KelpDAO's 1/1 DVN configuration and the protocol's excessive reliance on external collateral are a microcosm of collective risk.
LayerZero emphasizes that "the modular security architecture has isolated the impact," but the industry still needs stricter collateral admission mechanisms, mandatory standards for multi-DVN, and more comprehensive bad-debt-sharing mechanisms.
Whether Aave can survive this challenge with Umbrella will become an important barometer of resilience in DeFi. In the short term, TVL outflows and panic may continue; in the medium to long term, if the bad debts can be digested in an orderly way and drive protocol upgrades, this incident may become an important milestone in risk management. Otherwise, as Yishi fears, rebuilding trust in the LRT sector and even in DeFi as a whole may take much longer.