News linked to this event type.
Odaily News Lido posted on platform X stating that on April 18th, the Kelp cross-chain bridge was attacked, resulting in the theft of approximately 116,500 rsETH (worth about $292 million). Subsequently, the related assets were frozen on lending markets such as Aave.Its treasury product EarnETH has approximately a 9% risk exposure (about $21.6 million) through leveraged rsETH/ETH positions on Aave. Meanwhile, rising borrowing utilization is creating cost pressure on other strategies. The team is advancing deleveraging and reducing overall risk.Lido pointed out that the final impact of the rsETH positions depends on the subsequent handling by Kelp, LayerZero, and Aave, including loss sharing, asset recovery, and bad debt processing.Regarding risk mitigation, EarnETH can, if necessary, activate a $3 million "first-loss protection mechanism" (provided by the DAO treasury) to cover losses. The specific scale of its use is still pending further evaluation. Currently, the treasury has suspended deposits and withdrawals to ensure fairness and complete loss assessment. If the handling process is slow, redemption channels may be reopened based on the worst-case loss expectations.The official emphasized that stETH and wstETH are unaffected, and the core staking protocol was not involved in this incident.
According to an official Lido tweet, on April 18, 2026, attackers stole 116,500 rsETH (approximately $292 million) from the Kelp cross-chain bridge. Lending platforms including Aave subsequently froze the rsETH market. Lido’s EarnETH treasury holds approximately 9% exposure to rsETH (roughly $21.6 million) via leveraged positions on Aave; deposits and withdrawals are currently suspended. The EarnETH team is actively reducing leverage and mitigating risk; the final loss amount will depend on subsequent decisions by Kelp, LayerZero, and Aave. The Lido DAO treasury has a $3 million “first-loss protection mechanism,” which may be activated—via burning DAO treasury shares—as needed. Lido’s core staking protocol, as well as stETH and wstETH, remain unaffected by this incident.
According to CoinDesk, Kelp DAO will dispute LayerZero’s explanation of the $290 million rsETH cross-chain bridge vulnerability, stating that the compromised single-validator configuration relied on LayerZero’s own infrastructure and that this setup was part of LayerZero’s default integration—rather than a custom choice by Kelp DAO violating recommended practices. The attacker stole approximately 116,500 rsETH by compromising the servers LayerZero used to verify cross-chain transactions and disrupting its fallback nodes. Kelp DAO emphasized that the incident affected only the LayerZero-based bridging layer, leaving its core liquidity re-staking contracts unimpacted. LayerZero subsequently responded by announcing it would cease signing messages for any applications using a single-validator configuration and would mandate secure migration.
According to DL News, Russian cryptocurrency exchange Grinex announced last Wednesday that it would cease operations after suffering a cyberattack that resulted in the theft of over 1 billion rubles—approximately $13 million. The report states that Grinex had processed nearly $100 billion in trading volume for the sanctioned stablecoin A7A5 in 2025. Its shutdown is expected to weaken Russian companies’ ability to convert rubles into usable international currencies and deliver a severe blow to Russia’s shadow financial system designed to circumvent sanctions. Grinex was viewed as the successor to Garantex, which had previously been sanctioned and shut down. Both Grinex and Old Vector—the issuer of A7A5—were sanctioned in August 2025 by the United States, the European Union, and the United Kingdom.
According to an official announcement, in response to the security incident involving the frontend platform Vercel and related supply-chain security risks, Binance’s security team immediately initiated an emergency response, conducted a comprehensive risk assessment across all frontend products within the Binance ecosystem, and directly contacted Vercel to verify each point individually. Binance stated that its platform and user assets are not affected by this incident.
According to an official announcement, in response to the recent Vercel platform security incident, Jupiter (@JupiterExchange) stated that it has received no notifications or indications of impact, and its jup.ag frontend does not store any sensitive information. Jupiter has proactively implemented all security measures recommended by Vercel, completed rotation of all keys, and conducted a comprehensive review of system logs—no suspicious activity was found. Monitoring remains ongoing.
According to monetsupply.eth, Spark’s Strategy Lead, in a post on X, Spark has long maintained a relatively high borrowing interest rate cap for its SparkLend ETH market. Although this policy caused many users to migrate to Aave—resulting in substantial loss of business and revenue—the current market liquidity crisis has validated the prudence of this strategy. Presently, Aave is experiencing severe liquidity shortages across multiple chains—including Ethereum Mainnet, Arbitrum, Polygon Plasma, Mantle, and Base—with ETH borrowing utilization reaching 100%. This has prevented depositors from withdrawing funds and hindered normal liquidation of ETH collateral. He warns that if the current liquidity crunch persists, a 15–20% drop in ETH’s price could expose Aave to widespread bad debt—compounded by the potential impact of the rsETH vulnerability incident.
According to an analysis by SlowMist founder Yu Xian (@evilcos), the core of the recent KelpDAO hack—resulting in approximately $290 million stolen—was a targeted poisoning attack against the downstream RPC infrastructure of LayerZero’s DVN (Decentralized Validator Network). The specific attack steps were as follows: First, the attackers obtained the list of RPC nodes used by LayerZero’s DVN; second, they compromised two independent RPC clusters and replaced their op-geth binary files; third, using selective spoofing techniques, they returned forged malicious payloads exclusively to the DVN while serving legitimate data to all other IPs; fourth, they launched DDoS attacks against uncompromised RPC nodes, forcing the DVN to fail over to the poisoned nodes; finally, after the forged messages were validated, the malicious binary self-destructed and erased its logs. As a result, LayerZero’s DVN signed validations for transactions that “never occurred.”
Currently, the LayerZero Labs DVN has resumed operations and announced that it will no longer sign or verify messages for applications still using the 1/1 configuration. LayerZero has collaborated with multiple law enforcement agencies worldwide and is actively assisting in tracking the stolen funds.
According to on-chain analytics platform Lookonchain (@lookonchain), an OTC whale previously purchased 163,405 ETH (approximately $440 million) and 4,000 cbBTC (approximately $296 million). Due to the KelpDAO rsETH cross-chain bridge vulnerability, this whale was unable to withdraw ETH normally from Aave and was forced to discount-swap 7,438 aEthWETH (approximately $16.83 million) for 1,930 stETH and 5,272 ETH, incurring a loss of approximately 237 ETH (about $540,000). The whale has since withdrawn 98,032 wstETH (approximately $272 million) and 3,000 cbBTC (approximately $221.6 million) from Aave, leaving 10,000 ETH (approximately $22.8 million) still deposited in Aave.
Odaily News France has become a hotspot for wrench attacks, with at least 41 cryptocurrency-related kidnappings and home invasions reported this year, averaging one incident every 2.5 days. Jean-Didier Berger, the Deputy Minister of the Interior, stated that a series of new measures are being prepared with Interior Minister Laurent Nuñez to address this issue.A wrench attack refers to the use of physical violence to force victims to transfer crypto assets. Data from Certik and Jameson Lopp shows that globally, there were 72 verified cases of physical coercion in 2025, a 75% year-on-year increase, with cases involving physical assaults rising by 250%. Ledger co-founder David Balland was kidnapped in France in January 2025. Security researchers point out that attackers are shifting from targeting wallets to hunting individuals, using social media and leaked data to identify targets. Due to the irreversible nature of crypto transactions, attackers often convert illicit proceeds into stablecoins and transfer them across chains to evade tracking. Experts recommend using tools such as multi-signature wallets, withdrawal delays, and spending limits to reduce the risk of attack.
According to official news, the Polygon team has been actively monitoring the rsETH vulnerability: neither the Polygon Chain, Agglayer, nor the broader ecosystem including Katana and Vaultbridge have been affected by this incident.
According to a post by 0xngmi, founder of DefiLlama, following the hack of KelpDAO, Aave is facing severe pressure in handling bad debt. Currently, there are three potential solutions: First, socializing the loss across all users—this would result in an 18.5% impairment for users, generating approximately $216 million in bad debt. Aave’s Umbrella Insurance could cover $55 million, and the treasury could contribute an additional $85 million, leaving a shortfall of roughly $76 million. Second, executing a “rug pull” on rsETH holders on L2 chains—this would generate approximately $341 million in bad debt, with Arbitrum, Mantle, and Base markets suffering the heaviest losses. Third, returning assets to holders based on a pre-attack snapshot—but this approach is extremely operationally challenging, and even after Umbrella Insurance coverage, an estimated $91 million in losses would remain. Additionally, some suggest confiscating the hacker’s collateral to offset part of the bad debt. Meanwhile, Aave’s OG Security Module still holds approximately $300 million worth of AAVE tokens; applying a 20% reduction would provide an additional ~$60 million in loss coverage.
Odaily News: A LayerZero cross-chain bridge related to Kelp DAO was hacked on Saturday, resulting in 116,500 rsETH worth $291 million flowing to a new wallet. The hacker used the illicitly obtained rsETH as collateral to borrow on Aave, causing the utilization rate of Aave's core lending pool to reach 100% and triggering a liquidity crunch. According to monitoring by 0xngmi, as of early Sunday, the net withdrawal amount from Aave had reached $6.2 billion. Kelp DAO has suspended the rsETH contracts on the Ethereum mainnet and several L2 networks. Affected by this, the price of the Aave token fell 16% to $90.13, and the price of Ethereum dropped 2% to $2,300. Currently, Justin Sun has posted on platform X attempting to negotiate with the hacker.
According to an official announcement by Orca, Vercel—the frontend hosting provider for Solana’s liquidity protocol Orca—recently experienced a security incident involving unauthorized access to its internal systems. Orca stated that, as a precautionary security measure, it has proactively rotated all keys and deployment credentials potentially compromised in the incident. Orca emphasized that this incident affected only the frontend hosting layer; the on-chain protocol and user funds remain unaffected. The team is currently monitoring the situation closely and will provide timely updates.
According to an official announcement from Curve Finance, due to a hacker attack on the rsETH LayerZero infrastructure, Curve Finance has suspended its LayerZero infrastructure for security reasons, pending further investigation into the root cause before resuming operations. This suspension affects the following: cross-chain bridging of CRV tokens from BNB Chain, Sonic, Avalanche, Fantom, Etherlink, and Kava (chains using native bridges remain unaffected), as well as the crvUSD fast bridge functionality (the L2 slow bridge remains fully operational). Meanwhile, KelpDAO is also reported to have suffered a vulnerability exploit involving approximately $291 million; the exact extent of losses is still under investigation.
23pds, Chief Information Security Officer of SlowMist Technology, retweeted: “The unauthorized access to Vercel’s internal systems appears linked to an internal data leak.” The related tweet states that someone claiming to be “ShinyHunters” on BreachForums is offering for sale—reportedly for $2 million—a purported Vercel internal database, access keys, source code, employee accounts, API keys, NPM tokens, and GitHub tokens. The data allegedly pertains to Vercel’s internal Linear system and internal user management system. Earlier reports indicated that Vercel, a cloud hosting platform, disclosed unauthorized access to its internal systems, affecting a small number of customers.
According to an official announcement, cloud hosting platform Vercel confirmed a security incident involving unauthorized access to certain internal systems. At present, only a small number of customers have been confirmed affected, and Vercel is directly communicating with those customers. Vercel stated that its services remain fully operational; it has launched an investigation, engaged incident response experts to assist with remediation, and notified law enforcement authorities. Vercel recommends that all customers review their environment variables and use the sensitive environment variables feature to strengthen security protections.
According to an official announcement, Curve Finance has suspended its LayerZero infrastructure as a precautionary measure following a hacker attack on rsETH’s LayerZero infrastructure, pending further investigation into the root cause. This adjustment affects cross-chain CRV bridging initiated from chains including BNB, Sonic, Avalanche, Fantom, Etherlink, and Kava; bridging from other chains remains unaffected and continues to use native bridges. Additionally, the crvUSD fast bridge is impacted, while the slower bridge to L2s remains fully operational.
Liquid Capital founder Yi Lihua posted on X, stating that preserving principal is crucial during bear markets. He pointed out that on-chain theft incidents occur frequently, and ignoring risks solely to chase a few percentage points of returns could result in principal loss. JackYi emphasized that all investments carry risk—including holding funds on exchanges or participating in wealth management products and mining. He stressed that the top priority right now is setting take-profit and stop-loss levels, and proactively planning contingency measures for worst-case scenarios to avoid losing principal before the bull market arrives.