{"id":96331,"date":"2026-04-20T16:43:59","date_gmt":"2026-04-20T13:43:59","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=96331"},"modified":"2026-04-20T16:47:26","modified_gmt":"2026-04-20T13:47:26","slug":"no-safe-harbours-left-in-defi-lessons-from-aave-and-kelp","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/no-safe-harbours-left-in-defi-lessons-from-aave-and-kelp\/","title":{"rendered":"No safe harbours left in DeFi? Lessons from Aave and Kelp"},"content":{"rendered":"

For years, DeFi users would say: \u00abJust use Aave\u00bb<\/span>. A protocol with a TVL<\/span> above $26bn, dozens of audits and a finely tuned risk framework looked like a \u201csafe harbour\u201d. But on April 18th the project\u2019s long-standing reputation\u2014already dogged in recent months by various conflicts<\/a> and disagreements<\/a>\u2014took a heavy blow: hackers stole $293m from the liquid restaking protocol Kelp DAO and within a day users\u2019 funds on Aave were frozen.<\/p>\n

Here is how it happened, why Umbrella\u2019s $55m insurance may not suffice, and whether DeFi still has any safe places.<\/p>\n

How the hackers cracked Kelp DAO<\/h2>\n

On April 18th the attackers drained<\/a> 116,500 rsETH worth $293m via the cross-chain bridge<\/a> of Kelp DAO built on LayerZero. The attack is preliminarily linked to North Korea\u2019s TraderTraitor\u2014part of the Lazarus Group, behind the breaches of Bybit<\/a> ($1.5bn), Ronin<\/a> ($625m) and Drift Protocol<\/a> ($280m).<\/p>\n

The scheme was multi-stage. The hackers gained access to the list of RPC<\/span> servers used by LayerZero Labs\u2019 decentralised verified network (DVN). They then compromised two of them by installing modified versions of op-geth. In parallel they launched a DDoS attack on the \u201cclean\u201d servers so the system would fail over to the poisoned nodes.<\/p>\n

According to LayerZero\u2019s account<\/a>, the attackers compromised two RPC servers and spoofed the responses seen only by the verifier, concealing traces from monitoring systems. After the attack concluded, the malicious code self-destructed, deleting the logs.<\/p>\n

The key detail was Kelp\u2019s security configuration. The protocol used a 1\/1 DVN scheme\u2014 a single verifier with no redundancy. LayerZero had recommended that all integrators configure multiple DVNs, but Kelp ignored the advice. With multi-verification, the forged cross-chain message would not have cleared: independent DVNs would have rejected it.<\/p>\n

\n

\u201cExploitation of a single point of failure meant that an independent verifier could not intercept and reject the forgery. LayerZero and other parties had previously informed the project about best practices for DVN diversification. Despite the recommendations, Kelp chose a 1\/1 DVN scheme,\u201d \u2014 stressed LayerZero Labs.<\/em><\/p>\n<\/blockquote>\n

Dragonfly Capital partner Haseeb Qureshi noted<\/a> a contradiction in LayerZero\u2019s stance: the protocol washes its hands of responsibility even though the compromised DVN was operated by LayerZero Labs itself.<\/p>\n

The Kelp team responded 46 minutes after spotting suspicious activity. In that time the attackers deposited the stolen tokens on Aave v3 as collateral and borrowed wETH against them. On Aave alone they took roughly $196m; their total positions across Aave, Compound and Euler reached about $236m.<\/p>\n

How Aave was hit<\/h2>\n

Within two days the TVL of the largest lending protocol plunged<\/a> from $26.3bn to $17.7bn\u2014investors withdrew more than $8.6bn. The AAVE token fell 15% to $91. Its market capitalisation slid from $1.8bn to $1.3bn.<\/p>\n

\"image\"
Data: DefiLlama<\/a>.<\/figcaption><\/figure>\n

The USDT<\/a> and USDC<\/a> pools on Aave v3 were completely exhausted. Around $5.1bn of assets were temporarily locked\u2014withdrawals are possible only after fresh liquidity arrives or loans are repaid. rsETH markets were frozen in v3 and v4. wETH reserves were locked on Ethereum, Arbitrum<\/a>, Base<\/a>, Mantle and Linea.<\/p>\n

The freeze triggered a cascade. Users with stuck USDT deposits began borrowing against them in other pools\u2014borrowing against USDT collateral rose by $300m in a day. That pushed utilisation on USDC and USDe markets to 100%.<\/p>\n

\n
\n
\n

we’re now seeing some negative secondary effects of illiquidity in Aave stablecoin markets (in this example, Aave Core USDT on Ethereum)<\/p>\n

because users cant withdraw due to 100% utilization, there has been a ~$300 million increase in borrowing with USDT collateral in just the\u2026 pic.twitter.com\/ReGjGaIqAh<\/a><\/p>\n

\u2014 monetsupply.eth (@MonetSupply) April 19, 2026<\/a><\/p><\/blockquote>\n