DeFi loses another $292 million, and not even Aave is safe
Aave has stated that it “will explore ways to make up for bad debts”, but no specific amounts have been disclosed.

Original: Odaily Daily (@OdailyChina)
By Azuma (@azuma eth)

On April 19, Beijing time, DeFi was hit by another security incident.
On-chain data shows that at around 1:35 a.m. this morning, the LayerZero-based rsETH bridge contract of Kelp DAO, the second-largest liquid staking protocol, is suspected to have been exploited by hackers, with a loss of 116,500 rsETH valued at approximately $292 million.
On-chain records further show that the attacker's address received initial funding of 1 ETH from Tornado Cash about 10 hours before the incident. The address then called the lzReceive function of the LayerZero Endpoint V2 contract, which triggered Kelp's bridge contract to transfer 116,500 rsETH to another attacker address.

About two and a half hours after the incident, Kelp DAO officially confirmed the attack on X: “Earlier today, we discovered suspicious cross-chain activity involving rsETH. During the investigation, we have suspended the rsETH contracts on the main network and several Layer 2s. Our auditors are closely following the matter in cooperation with the security experts of LayerZero, Unichan. We will follow up with an update; please pay attention to official channels.”

Following the incident, DeFi projects and security firms analysed its causes. An analysis by D2 Finance was repeatedly quoted in the community: LayerZero Scan marks the source endpoint as Kelp DAO, which means that the message came from Kelp's own legitimately deployed peer contract, and the path had previously recorded 308 message nonces. The root cause of the attack was therefore “the broken source chain private key”.
TinyHumans AI developer Steven Enamakel added that the contract was secured only by a 1/1 set of verifiers (DVN), which meant that a single wrong transaction by that verifier was sufficient to trigger the problem.
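To make the 1/1 DVN point concrete, the following added example (not code from the article, Kelp DAO or LayerZero) audits verifier configurations for the smallest number of independent operators whose keys alone would satisfy them; it goes beyond the 1/1 case to show that several DVNs run by one operator are no better. The DVN addresses, operator names and the rule "all required DVNs plus at least `threshold` optional DVNs must attest" are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample data: DVN addresses and operator names are placeholders.
OPERATOR_OF = {"0xDVN_A": "op-a", "0xDVN_A2": "op-a", "0xDVN_B": "op-b",
               "0xDVN_C": "op-c", "0xDVN_D": "op-d"}

# Assumed rule: a message is verified when ALL required DVNs attest
# AND at least `threshold` of the optional DVNs attest.
CONFIGS = {
    "1-of-1": {"required": ["0xDVN_A"], "optional": [], "threshold": 0},
    "2 DVNs, 1 operator": {"required": ["0xDVN_A", "0xDVN_A2"],
                           "optional": [], "threshold": 0},
    "2 req + 1-of-2 opt (overlap)": {"required": ["0xDVN_A", "0xDVN_B"],
                                     "optional": ["0xDVN_A2", "0xDVN_C"],
                                     "threshold": 1},
    "2 req + 1-of-2 opt": {"required": ["0xDVN_A", "0xDVN_B"],
                           "optional": ["0xDVN_C", "0xDVN_D"],
                           "threshold": 1},
}

def min_operators_to_forge(cfg, operator_of=OPERATOR_OF):
    """Smallest set of operators whose keys alone satisfy the config.
    Returns None if the config can never be satisfied."""
    required, optional = set(cfg["required"]), set(cfg["optional"])
    operators = sorted({operator_of[d] for d in required | optional})
    for k in range(len(operators) + 1):          # try smallest sets first
        for subset in combinations(operators, k):
            held = set(subset)
            req_ok = all(operator_of[d] in held for d in required)
            opt_hits = sum(operator_of[d] in held for d in optional)
            if req_ok and opt_hits >= cfg["threshold"]:
                return subset
    return None

def audit(configs, minimum=2):
    """Map config name -> (operators needed, verdict)."""
    report = {}
    for name, cfg in configs.items():
        ops = min_operators_to_forge(cfg)
        if ops is None:
            report[name] = (None, "INVALID: threshold unreachable")
        elif len(ops) < minimum:
            report[name] = (len(ops), f"FAIL: fewer than {minimum} independent operators")
        else:
            report[name] = (len(ops), "ok")
    return report

if __name__ == "__main__":
    for name, (n, verdict) in audit(CONFIGS).items():
        print(f"{name:30} operators needed={n} -> {verdict}")
```
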
Hackers borrow, and Aave is hit
Because rsETH itself has limited trading liquidity, the hackers' exit strategy was to use lending protocols such as Aave: deposit rsETH as collateral and borrow assets with better liquidity.
PeckShield Alert monitoring shows that, as of 4:30 a.m. this morning, the hacker addresses had deposited stolen rsETH into lending protocols such as Aave V3, Compound V3 and Euler, and borrowed a large amount of WETH, with a total debt of over $236 million, of which $196 million was owed on Aave alone, US$ 39.4 million on Compound and US$ 84 million on Euler.

After the incident, Aave froze the rsETH market on Aave V3 and V4, and the team subsequently issued an official statement on X: “Aave's contracts were not attacked, and the attack relates to rsETH. The rsETH freeze is intended to prevent new rsETH deposits and collateralized borrowing during the assessment of the situation. We're reviewing rsETH borrowing information after the attack on Aave and will share more details as soon as possible.”
Shortly after issuing the initial statement, Aave updated it by adding the following sentence at the end: “If the protocol accumulates bad debts as a result of this event, we will explore ways to cover the deficit.”
As of publication, the exact amount of bad debt caused by this incident is not known.
monetsupply.eth, strategy manager at Spark, a direct competitor of Aave, stated that if rsETH shows a discount of 19 per cent (19 per cent of the total supply of rsETH), Aave could incur bad debts of over $100 million because of the high leverage of looped borrowing.

However, Marc Zeller, founder of the Aave ecosystem governance group Aave Chan Initiative (ACI), who announced that he would withdraw from Aave in July because of governance differences, offered a different view. Zeller advised users to withdraw WETH from Aave V3 as soon as possible to avoid losses, and confirmed that the USDC and USDT markets on Aave are unaffected. In response to another user's speculation that “bad debts could reach hundreds of millions”, he said: “a lot smaller than that figure”.

But Marc Zeller also mentioned that it is time to test Umbrella in a real production environment. Umbrella, Aave's automated safety module, is essentially a bad-debt backstop pool: users can deposit assets into it to earn higher incentives, but if the protocol incurs bad debt, the pool also bears the potential losses.
Aave's protocol data shows that Umbrella currently has about $50 million worth of WETH available to deal with potential bad debts from this event, but it is not yet certain that it will be enough to fill the hole.
As a result of the incident, AAVE dropped by nearly 10 per cent in the short term, trading at 104.6 USDT as of writing.
Another hundred-million-dollar security incident in April
This is not the first massive security incident this month.
As early as April 1, Drift Protocol, a derivatives trading protocol in the Solana ecosystem, was attacked, with a loss of up to $280 million.
Later, Drift Protocol pinned the blame for the theft directly on “DPRK hackers”. Fortunately, institutions such as Tether have committed $147.5 million toward repaying users, who thus have at least some hope of compensation.
Just over a dozen days later, another large-scale hack has broken out. How will it end this time?
DeFi: is anywhere safe?
Security pressure on DeFi is on the rise.
On the one hand, there are persistent hacker incidents; on the other hand, there are continuing security threats from AI and Mythos. For DeFi users, the previous response was to concentrate funds as far as possible in fully audited, reputable leading protocols. But now even a top-level protocol like Aave has been indirectly affected, so where can users move their money?
Speaking personally, users are really not advised to keep large amounts of money on-chain at this time; if there is a real need, it is important that positions be spread out and isolated.
As of publication, more details about the incident remain unclear, and Odaily will continue to follow its progress.
