Yesterday, someone stole $293 million with $250 in gas fees. No zero-day vulnerability. No broken code. Just a mischecked box in a configuration file.
Let me explain.
THE TIMELINE
- April 18, 2026, 11:05 AM UTC.
An anonymous wallet receives 0.1 ETH from Tornado Cash. Cost: ~$250.
For 6 hours, nothing happens.
Then at 5:35 PM, this wallet executes ONE SINGLE function call on the Kelp DAO contract.
And 116,500 rsETH appear out of thin air.
Value: $293 million.
🔓 THE VULNERABILITY (explained simply)
Imagine a vault with 3 locks. Standard security practice says: "you need 2 out of 3 keys to open it." But Kelp DAO configured their LayerZero bridge differently: "1 key is enough."
That "key" was a DVN (Decentralized Verifier Network). ONE SINGLE validator.
Exact configuration:
→ requiredDVNCount: 1
→ optionalDVNCount: 0
The attacker compromised this single node, forged a fake cross-chain message saying "send 116k rsETH to this address," and the contract obeyed. This wasn't a code bug, it was a deployment misconfiguration.
Audits check code. Not always the config.
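A config lint for the setup described above, as an added example (not Kelp DAO's or LayerZero's code). It assumes each pathway's effective verifier set has already been read into a small record; the threshold field mirrors LayerZero V2's `optionalDVNThreshold`, while the class, function names, pathway labels and addresses are hypothetical.

```python
from dataclasses import dataclass, field

MIN_ATTESTERS = 2  # policy floor taken from the post's "minimum 2-of-3"


@dataclass
class UlnConfig:
    """Effective (already resolved) receive-side verifier config for one pathway."""
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0  # how many optional DVNs must also attest


def forge_cost(cfg):
    """Distinct DVNs that must all attest (or all be compromised) to verify a message."""
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns} - required
    return len(required) + min(cfg.optional_threshold, len(optional))


def audit(pathways, min_attesters=MIN_ATTESTERS):
    """Return {pathway: [findings]} for every pathway that fails policy."""
    report = {}
    for name, cfg in pathways.items():
        findings = []
        if cfg.optional_threshold > len(cfg.optional_dvns):
            findings.append("optional threshold exceeds optional DVN count")
        if len({a.lower() for a in cfg.required_dvns}) != len(cfg.required_dvns):
            findings.append("duplicate required DVN")
        cost = forge_cost(cfg)
        if cost < min_attesters:
            findings.append(
                f"{cost} DVN(s) can verify a message alone; policy needs {min_attesters}")
        if findings:
            report[name] = findings
    return report


# Constructed sample pathways; addresses are placeholders, not real DVNs.
SAMPLE = {
    "chainA->chainB": UlnConfig(required_dvns=["0xAAA1"]),  # the post's 1 / 0 setup
    "chainA->chainC": UlnConfig(["0xAAA1"], ["0xBBB2", "0xCCC3"], optional_threshold=1),
    "chainA->chainD": UlnConfig(["0xAAA1", "0xaaa1"]),  # same DVN listed twice
}

if __name__ == "__main__":
    for pathway, findings in audit(SAMPLE).items():
        print(pathway, "->", "; ".join(findings))
```

Run it in CI against every pathway before a deployment so a 1-of-1 verifier set fails the build instead of reaching mainnet.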
THE HEIST (in 46 minutes)
5:35 PM → Exploit: mint of 116,500 unbacked rsETH
5:36-5:42 PM → Distribution to 7 intermediate wallets:
- 53,000 rsETH → 0x1f4c1c
- 30,000 rsETH → 0xeba786
- 10,000 rsETH → 0xcbb24a
- 8,000 rsETH → 0x1b748b
- 6,000 rsETH → 0xbb6a60
- 5,000 rsETH → 0x8d11ae
- 4,500 rsETH → 0xe9e2f4
5:45-6:00 PM → Deposited as collateral on AAVE V3, Compound V3, AAVE Arbitrum
6:00 PM+ → Borrowed $236M in WETH against this "collateral"
6:15 PM → Consolidated to a single wallet
The problem?
These rsETH have ZERO real value. They're worthless. But the lending protocol oracles couldn't know that.
THE ATTACKER'S ADDRESSES
I traced the entire flow on-chain:
Main wallet (exploiter): 0x8B1b6c
→ Funded via Tornado Cash 0.1 ETH Pool
→ Executed the fraudulent lzReceive() call
Profit consolidation wallet:
ETH Millionaire 0x5d391: app.nansen.ai/profiler?addre…
→ Labeled "ETH Millionaire" by #NansenAI
→ Received $163M+ in borrowed ETH
→ Likely being mixed through Tornado Cash as we speak
Exploit transaction:
0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222
THE IMPACT ON AAVE
$AAVE was NOT directly hacked but the protocol is now sitting on a $236M bad debt hole.
The rsETH used as collateral is now worth zero.
The WETH loans will never be repaid.
The positions are unliquidatable.
The numbers in 24h:
- $AAVE price: -22% over 7 days ($115 → $90)
- TVL: -16.78% ($21.96B)
- Exchange inflows: +$22.6M (16x normal average)
- Smart Trader outflows: -$248k
- Top PnL wallets outflows: -$2.4M
Emergency measures:
🔒 rsETH/wrsETH markets frozen on all V3/V4 instances
🔒 WETH frozen on Core, Prime, Arbitrum, Base, Mantle, Linea
WHO'S GOING TO PAY?
You, if you staked $aETHWETH on AAVE.
The Umbrella module will automatically take a portion of your stake to cover the losses.
How it works:
1. UmbrellaCore monitors bad debt on-chain
2. When threshold is exceeded → slash() is called automatically
3. Pro-rata burn of vault shares
4. No governance vote required, it's automatic
Withdrawal cooldown: 20 days. This isn't a bug. It's by design. You signed up for this in the terms.
HISTORICAL COMPARISON
This hack joins the podium of biggest bridge exploits:
🥇 Ronin (2022): $625M - 5/9 validator compromise
🥈 Wormhole (2022): $326M - Signature verification bug
🥉 Kelp DAO (2026): $293M - 1-of-1 DVN compromise
4️⃣ Nomad (2022): $190M - Merkle root flaw
Common pattern: trust assumptions on cross-chain validators.
Total bridge hacks since 2022: >$2.8 billion (~40% of all Web3 hacks).
MY TAKEAWAYS
1. A code audit ≠ a config audit. Kelp's code was audited. The 1-of-1 DVN configuration apparently wasn't.
2. One validator = one point of failure. Industry standard: minimum 2-of-3. Kelp: 1-of-1. It was a ticking time bomb.
3. LRTs as collateral = systemic risk. Liquid Restaking Tokens add layers of complexity that current oracles can't evaluate in real-time.
4. DeFi remains the Wild West. $293M stolen with $250 in gas. Attacker's ROI: 586,000,000%.
🔍 TO FOLLOW THE CASE
Wallet to monitor (fund consolidation):
0x5d3919f12bcc35c26eee5f8226a9bee90c257ccc
The funds are likely being mixed through Tornado Cash as you read this post.
This wasn't an AAVE hack, it was a hack of trust.
One mischecked box. A "default" config. $293M gone.
Welcome to DeFi.
If this post was useful, share it. More people need to understand that DeFi security isn't just about code.
And if you have $aWETH staked on AAVE... you know what to do.
#Hack #CyberSecurity #OnChainAnalysis $AAVE