Gate News message, April 19 — On April 18 at 17:35 UTC, an attacker exploited a vulnerability in Kelp DAO’s LayerZero-powered cross-chain bridge, releasing 116,500 rsETH (approximately $293 million and roughly 18% of the token’s circulating supply) to an attacker-controlled wallet without corresponding ETH being locked. The attacker then deposited the unbacked rsETH into Aave V3 and V4 as collateral, borrowing real wrapped ether (WETH) against it. By the time Kelp’s emergency multisig froze the protocol 46 minutes later, the WETH had been withdrawn.
The bridge vulnerability allowed the attacker to submit a crafted message that passed verification checks despite no actual deposit on the source chain. Two follow-up attempts at 18:26 and 18:28 UTC to drain an additional 40,000 rsETH each were reverted after the pause was activated.
Aave now carries between $177 million and $236 million in bad debt, concentrated in the rsETH/WETH pair on Ethereum. The platform’s total value locked (TVL) dropped approximately $6 billion, WETH market utilization hit 100% (preventing further withdrawals), and AAVE token declined over 18%. Aave’s Umbrella insurance fund holds about $50 million, leaving a significant gap. The borrow positions are effectively unliquidatable as rsETH collateral cannot be redeemed and will not trade near peg once the unbacked supply is fully recognized.
SparkLend, Fluid, and Upshift paused or froze rsETH within hours; Morpho’s isolated market architecture limited exposure to approximately $1 million across two markets. rsETH across 20-plus chains now faces backing uncertainty until Kelp publishes a reconciliation of reserves against outstanding supply. This exploit marks the largest DeFi incident of 2026, with cumulative DeFi losses for the year reaching between $450 million and $482 million across roughly 45 protocols.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Address Linked to Avi Eisenberg Shows New On-Chain Activity, Raising Security Concerns
Gate News message, April 26 — Blockchain analytics platform Arkham has identified renewed on-chain activity from an address believed to be connected to Avi Eisenberg, the attacker who profited approximately $110 million from the 2022 Mango Markets exploit. Eisenberg was previously sentenced to
GateNews1h ago
Sui DeFi lending protocol Scallop is hacked, with a vulnerability in the old contract leading to 150k SUI stolen
Scallop was attacked on the Sui chain, and the side contract involved led to the sSUI rewards pool being exploited. Approximately 150k SUI were stolen. The core contract is secure, and deposits and withdrawals have been restored. The official statement applies only to the deprecated rewards contract; users’ funds were not affected. Former NEAR developer Vadim said the vulnerability originated from an outdated V2 package from 17 months ago, where not initializing last_index caused rewards to accumulate starting in 2023. The fix requires adding a version field to the shared object and strengthening version checks to prevent risks caused by outdated packages.
ChainNewsAbmedia1h ago
Scallop Discovers sSUI Reward Pool Vulnerability, Suffers 150K SUI Loss but Pledges Full Reimbursement
Gate News message, April 26 — Scallop, a lending protocol in the Sui ecosystem, announced the discovery of a vulnerability in an auxiliary contract associated with its sSUI reward pool, resulting in a loss of approximately 150,000 SUI. The affected contract has been frozen, and Scallop confirmed
GateNews6h ago
Litecoin Undergoes Deep Chain Reorganization After MWEB Privacy Layer Zero-Day Exploit
Gate News message, April 26 — Litecoin experienced a deep chain reorganization on Saturday (April 26) after attackers exploited a zero-day vulnerability in its MimbleWimble Extension Block (MWEB) privacy layer, according to the Litecoin Foundation. The reorg spanned blocks 3,095,930 to 3,095,943 and
GateNews7h ago
Litecoin Sees First Privacy Layer Hack: MWEB Zero-Day Vulnerability Triggered 13-Block Reorganization
According to The Block, the Litecoin Foundation confirmed that the MWEB privacy layer suffered a zero-day vulnerability. The attacker used older nodes to make forged MWEB transactions appear valid, causing a rollback of 13 blocks on the main chain (about 3 hours), and performing double-spends against cross-chain exchanges; NEAR Intents exposed about $600k, and the mining pool was also hit with a DoS. A patched version has been released—please upgrade immediately. Main-chain balances are not affected, but it highlights the trade-off between reducing observability and increasing detection difficulty for the privacy layer.
ChainNewsAbmedia9h ago
Aave, Kelp, LayerZero Seek $71M Frozen ETH Release from Arbitrum DAO
Aave Labs, Kelp DAO, LayerZero, EtherFi, and Compound filed a Constitutional AIP on the Arbitrum forum Saturday morning requesting the network's DAO release approximately $71 million in frozen ETH to support rsETH recovery efforts following last week's $292 million Kelp DAO exploit. The proposal
CryptoFrontier10h ago
