KelpDAO Cross-Chain Vulnerability Leads to $290 Million Loss, Aave Under Pressure Sparks DeFi Risk Control Reflection

BroadChain learned that at 22:00 on April 20, according to PANews, on April 18, the leading Ethereum liquidity restaking protocol KelpDAO was hacked, with approximately 116,500 rsETH illegally extracted, resulting in a loss of up to $292 million, making it the largest on-chain security incident so far in 2024. The attacker exploited a single-point verification vulnerability in the LayerZero-based cross-chain bridge, infiltrated nodes, and forged transaction confirmations. If not for the emergency blacklist mechanism being triggered, the loss could have exceeded $400 million. The hacker subsequently deposited the stolen rsETH as collateral into the Aave lending protocol, borrowing a large amount of assets such as WETH and USDC, causing nearly $200 million in bad debt for Aave. The news led to an intraday drop of approximately 18% in the AAVE token and triggered a net outflow of over $6.6 billion from Aave in a single day. This incident exposed the neglect of security mechanisms by DeFi protocols in the pursuit of cross-chain efficiency and high yields. Industry analysis suggests that the DeFi market may accelerate its shift toward isolated lending pools, mandatory insurance modules, and asset risk repricing based on underlying security to enhance system resilience.