hack

Yesterday, someone stole $293 million with $250 in gas fees. No zero-day vulnerability. No broken code. Just a mischecked box in a configuration file.

Let me explain.

THE TIMELINE
- April 18, 2026, 11:05 AM UTC.
An anonymous wallet receives 0.1 ETH from Tornado Cash. Cost: ~$250.
For 6 hours, nothing happens.
Then at 5:35 PM, this wallet executes ONE SINGLE function call on the Kelp DAO contract.
And 116,500 rsETH appear out of thin air.
Value: $293 million.

🔓 THE VULNERABILITY (explained simply)
Imagine a vault with 3 locks. Standard security practice says: "you need 2 out of 3 keys to open it." But Kelp DAO configured their LayerZero bridge differently: "1 key is enough."

That "key" was a DVN (Decentraized Verifier Network). ONE SINGLE validator.

Exact configuration:
→ requiredDVNCount: 1
→ optionalDVNCount: 0
The attacker compromised this single node, forged a fake cross-chain message saying "send 116k rsETH to this address," and the contract obeyed. This wasn't a code bug, it was a deployment misconfiguration.
Audits check code. Not always the config.

THE HEIST (in 46 minutes)

5:35 PM → Exploit: mint of 116,500 unbacked rsETH

5:36-5:42 PM → Distribution to 7 intermediate wallets:
- 53,000 rsETH → 0x1f4c1c
- 30,000 rsETH → 0xeba786
- 10,000 rsETH → 0xcbb24a
- 8,000 rsETH → 0x1b748b
- 6,000 rsETH → 0xbb6a60
- 5,000 rsETH → 0x8d11ae
- 4,500 rsETH → 0xe9e2f4

5:45-6:00 PM → Deposited as collateral on AAVE V3, Compound V3, AAVE Arbitrum

6:00 PM+ → Borrowed $236M in WETH against this "collateral"

6:15 PM → Consolidated to a single wallet

The problem?
These rsETH have ZERO real value. They're worthless. But the lending protocol oracles couldn't know that.

THE ATTACKER'S ADDRESSES

I traced the entire flow on-chain:

Main wallet (exploiter): 0x8B1b6c
→ Funded via Tornado Cash 0.1 ETH Pool
→ Executed the fraudulent lzReceive() call

Profit consolidation wallet:
ETH Millionaire 0x5d391: app.nansen.ai/profiler?addre…
→ Labeled "ETH Millionaire" by #NansenAI
→ Received $163M+ in borrowed ETH
→ Likely being mixed through Tornado Cash as we speak

Exploit transaction:
0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222

THE IMPACT ON AAVE

$AAVE was NOT directly hacked but the protocol is now sitting on a $236M bad debt hole.
The rsETH used as collateral is now worth zero.
The WETH loans will never be repaid.
The positions are unliquidatable.

The numbers in 24h:
- $AAVE price: -22% over 7 days ($115 → $90)
- TVL: -16.78% ($21.96B)
- Exchange inflows: +$22.6M (16x normal average)
- Smart Trader outflows: -$248k
- Top PnL wallets outflows: -$2.4M

Emergency measures:
🔒 rsETH/wrsETH markets frozen on all V3/V4 instances
🔒 WETH frozen on Core, Prime, Arbitrum, Base, Mantle, Linea

WHO'S GOING TO PAY?
You, if you staked $aETHWETH on AAVE.

The Umbrella module will automatically take a portion of your stake to cover the losses.

How it works:
1. UmbrellaCore monitors bad debt on-chain
2. When threshold is exceeded → slash() is called automatically
3. Pro-rata burn of vault shares
4. No governance vote required, it's automatic

Withdrawal cooldown: 20 days. This isn't a bug. It's by design. You signed up for this in the terms.

HISTORICAL COMPARISON

This hack joins the podium of biggest bridge exploits:

🥇 Ronin (2022): $625M - 5/9 validator compromise
🥈 Wormhole (2022): $326M - Signature verification bug
🥉 Kelp DAO (2026): $293M - 1-of-1 DVN compromise
4️⃣ Nomad (2022): $190M - Merkle root flaw

Common pattern: trust assumptions on cross-chain validators.

Total bridge hacks since 2022: >$2.8 billion (~40% of all Web3 hacks).

MY TAKEAWAYS

1. A code audit ≠ a config audit. Kelp's code was audited. The 1-of-1 DVN configuration apparently wasn't.

2. One validator = one point of failure. Industry standard: minimum 2-of-3. Kelp: 1-of-1. It was a ticking time bomb.

3. LRTs as collateral = systemic risk. Liquid Restaking Tokens add layers of complexity that current oracles can't evaluate in real-time.

4. DeFi remains the Wild West. $293M stolen with $250 in gas. Attacker's ROI: 586,000,000%.

🔍 TO FOLLOW THE CASE

Wallet to monitor (fund consolidation):
0x5d3919f12bcc35c26eee5f8226a9bee90c257ccc

The funds are likely being mixed through Tornado Cash as you read this post.

This wasn't an AAVE hack, it was a hack of trust.
One mischecked box. A "default" config. $293M gone.

Welcome to DeFi.

If this post was useful, share it. More people need to understand that DeFi security isn't just about code.

And if you have $aWETH staked on AAVE... you know what to do.

#Hack #CyberSecurity #OnChainAnalysis

$AAVE