News linked to both this project and an event.
In April this year, KelpDAO's LayerZero bridge was exploited in a $292 million attack, triggering an $8.45 billion deposit run on Aave within 48 hours, marking the largest capital outflow event in decentralized finance (DeFi) history. Aave founder Stani Kulechov stated that the design of Aave V3 withstood the market test, demonstrating the network's "resilience." However, independent data indicates that Aave's survival primarily relied on $300 million in emergency rescue, including a 25,000 ETH guarantee from the Aave DAO and a personal injection of 5,000 ETH (approximately $8.4 million) by Kulechov. Kulechov attributed the vulnerability to third-party infrastructure rather than core smart contracts. However, analysts pointed out that this incident exposed deficiencies in Aave's risk architecture and insurance mechanisms, leading the platform to incur significant bad debt (approximately $123.7 million in wETH). To prevent future bridge failures from triggering systemic bank runs, Aave V4 will adopt a modular "hub-and-spoke" architecture, enabling local risk auto-adjustment and collateral freezing. (CoinDesk)
Multiple blockchain and post-quantum cryptography researchers have warned that artificial intelligence (AI) is accelerating the development of quantum computing and could potentially impact the security systems of mainstream blockchains, including Bitcoin and Ethereum, earlier than anticipated. Alex Pruden, CEO of Project Eleven, a firm focused on quantum-resistant infrastructure, stated that the combination of AI and quantum computing is fundamentally reshaping the future security landscape. "People will no longer be able to rely on existing security assumptions as they have in the past," he said. Researchers point out that AI is already being used to optimize quantum error correction, which is one of the key technical bottlenecks in the development of quantum computing. Illia Polosukhin also noted that AI has been accelerating scientific breakthroughs for years, and in the future, there may even be a circular acceleration effect where "AI helps build the next generation of quantum computers." One of the industry's biggest current concerns is the "Harvest Now, Decrypt Later" strategy, where governments or advanced attackers begin mass-collecting encrypted data now, waiting to decrypt it all at once when quantum computing matures. Polosukhin warned that if quantum computers become viable within a few years, "most of today's important data on the internet could be decrypted in the future." Given that most blockchain networks and internet infrastructure currently rely on elliptic curve cryptography (ECC), a sufficiently powerful quantum computer could theoretically derive a private key from a public key, directly breaking wallets and on-chain systems. Simultaneously, AI itself is strengthening hacking capabilities.
Pruden stated that AI models are becoming increasingly adept at discovering software vulnerabilities and cryptography implementation flaws, and may even be able to crack some encryption algorithms directly in the future. However, AI is also being used by developers for code auditing, formal verification, and testing post-quantum security systems, creating a "long-term security arms race" with simultaneous upgrades on both the offensive and defensive sides. Researchers believe the most significant change brought by AI and quantum computing together is that the core assumption of "long-term cryptographic reliability" in the digital age is being challenged. Future security systems may shift from "static upgrades" to continuous dynamic evolution. (CoinDesk)
According to CoinDesk, the total value locked (TVL) in ETH lending protocols has declined from a year-to-date high of $32 billion to $23 billion—a drop of approximately 28%. The oracle vulnerability incident involving KelpDAO triggered a market confidence crisis, and combined with overall bearish market sentiment, led to roughly $9 billion in outflows from the DeFi lending sector.
According to CoinDesk, Simone Maini, CEO of blockchain analytics firm Elliptic, stated that the biggest emerging risk to crypto security is not larger-scale hacking attacks, but rather AI-driven financial activity operating at a speed and scale that human compliance teams cannot keep up with. As AI lowers the barriers to hacking, scams, and fraud, security firms like Elliptic are responding by deploying AI agents to analyze on-chain data in real time—sparking an automated arms race between adversaries and defenders. Maini noted that current compliance systems remain heavily reliant on manual review, and the global pool of compliance analysts specializing in digital assets is simply insufficient to meet future demand. Elliptic has raised $120 million in funding—including from Nasdaq and Deutsche Bank—to build an “agent-based compliance system” that leverages AI to automate transaction monitoring and investigation workflows, thereby reducing the cost per alert and per investigation.
Following the $292 million exploit of Kelp DAO's LayerZero bridge, the security of cross-chain infrastructure has once again come under scrutiny. DeFi protocols Kelp DAO, Solv Protocol, Re, and crypto exchange Kraken have all taken similar migration measures, with the total value of this outflow reaching approximately $4 billion. Decentralized finance protocol Lombard has become the latest project to join the migration wave, announcing a gradual phase-out of LayerZero and the migration of over $1 billion in Bitcoin collateral assets to Chainlink's Cross-Chain Interoperability Protocol (CCIP). Bitcoin-related tokens issued by Lombard include LBTC and BTC.b. It is reported that Lombard's initial migration assets cover the Solana, Etherlink, Berachain, Corn, and TAC chains, while the use of LayerZero on Morph and Swell will also be terminated. As of now, LayerZero has not responded to requests for comment. (CoinDesk)
According to CoinDesk, the floor price of Bored Ape Yacht Club (BAYC) NFTs has risen from approximately 5 ETH to over 10 ETH in the past month, while ApeCoin (APE) rebounded from below $0.10 to around $0.16 during the same period, with trading volume notably expanding. Meanwhile, repeated security vulnerabilities and persistently declining yields in the DeFi sector have driven some capital toward the NFT market. The financialization trend of NFTs is also intensifying: a recent $2.8 million loan collateralized by a CryptoPunk attracted widespread attention, with the lender expected to earn roughly $138,000 in interest over 90 days. Blue-chip collections such as Pudgy Penguins have also strengthened concurrently, and market expectations surrounding a potential token launch by OpenSea have further boosted sentiment.
Odaily News: Margaret Garnett, a U.S. District Judge in Manhattan, has approved Aave's asset recovery proposal, allowing the transfer of approximately $71 million in ETH, previously frozen on Arbitrum and tied to North Korean-linked attacks, to a wallet controlled by Aave LLC, while preserving the legal claims of terrorism victim plaintiffs over the funds. The ruling also amended the earlier freeze notice against the Arbitrum DAO, permitting the transfer to be executed through an on-chain governance vote and exempting those who propose, vote on, or participate in the transfer from liability under the freeze order. The transfer is still subject to an official vote by Arbitrum's on-chain governance. (CoinDesk)
According to CoinDesk, at the “Perp DEX Explosion: Bullish Volumes and Bear Market Resilience” panel at Consensus Miami, several industry insiders stated that institutional investors are still largely avoiding decentralized exchanges offering perpetual futures (Perp DEXs). Veteran trader Wizard of SoHo pointed out that Drift’s recent multi-million-dollar hack highlights security vulnerabilities in the DeFi ecosystem, making secure onboarding of institutional capital a core competitive focus for major Perp DEXs. Anderson of Canary Labs expressed concern about DeFi’s current security posture, noting that large institutions face significantly greater challenges adopting decentralized exchanges compared to centralized platforms. Additionally, the structural tension between DeFi’s permissionless, open design and institutions’ stringent KYC compliance requirements is seen as a key barrier to scaling adoption. Michaël van de Poppe, founder of MN Fund, shared his views on AI-powered trading tools, stating that AI agents represent an evolutionary extension of algorithmic trading—and that trading will increasingly become fully automated.
According to CoinDesk, Ethereum co-founder Vitalik Buterin was sandwiched by the well-known MEV bot jaredfromsubway.eth on April 30 during a small token swap. On-chain data shows that Buterin exchanged 26,544 XDB tokens—valued at approximately $3.86—for 0.00197 ETH (worth about $4.56) in block 24993038. The bot then deployed roughly $1.14 million worth of WETH to manipulate prices across SushiSwap and Uniswap V2 to execute the sandwich attack. After deducting $5.14 in gas fees, the bot incurred an actual loss on this operation.
Solv Protocol has announced the migration of over $700 million in tokenized Bitcoin assets to Chainlink's cross-chain protocol CCIP, and will gradually phase out LayerZero's bridging support across multiple chains. The migration involves core assets such as SolvBTC and xSolvBTC. Solv stated that the decision is based on the latest security reviews and recent cross-chain security incidents, and CCIP will become its standard cross-chain infrastructure. This move follows Kelp DAO's migration of approximately $290 million in assets to Chainlink, further strengthening the trend of "cross-chain infrastructure shifting toward security-first migration." (CoinDesk)
Linda Jeng, Chief Legal and Policy Officer at Aave Labs, stated during Consensus Miami 2026 that Aave's previous risk framework overly focused on financial risks and price volatility. Looking ahead, the protocol will incorporate assessments of cross-chain interoperability, cybersecurity vulnerabilities, and underlying asset architecture. This reform directly stems from the rsETH incident that occurred in April. At that time, an attacker exploited a vulnerability in the KelpDAO cross-chain bridge to mint approximately 116,500 unbacked rsETH (valued at around $293 million), deposited it as collateral into Aave, and borrowed real WETH, leading to significant bad debt risks for the protocol. Jeng revealed that Aave will also release a formal "listing standards handbook" for asset issuers in the future, and will begin evaluating the correlation between DeFi protocols from a systemic risk perspective, rather than analyzing individual pools in isolation. Additionally, a "DeFi United" bailout plan involving Lido Finance, EtherFi, Ethena, and others has been launched to cover collateral shortfalls and prevent further proliferation of bad debt. (CoinDesk)
According to CoinDesk, Angus Fletcher, Head of Digital Assets at State Street, stated at Consensus Miami that recent DeFi attack incidents highlight traditional financial institutions’ need for blockchain asset security and risk management frameworks. He emphasized that before trillions of dollars worth of real-world assets (RWAs) are tokenized, the industry must urgently address cross-chain interoperability, legal ownership, and security safeguards.
According to Odaily, Drift Protocol has released a user recovery plan for the approximately $295 million security vulnerability incident on April 1, which was attributed to a North Korean-backed hacker group. Under the plan, Drift will issue receipt tokens representing users' verified losses, with each token corresponding to $1 in losses, allowing holders to gradually redeem based on the recovery pool's funding size. Currently, the recovery pool has initial funding of approximately $3.8 million. Subsequent funding sources include up to $127.5 million from exchange revenue, Tether-backed funds, and up to $20 million from partner contributions, aiming to cover total losses of approximately $295.4 million. Drift has frozen approximately $3.36 million in USDC and has established a public bounty program offering 10% of recovered assets. It is expected to relaunch the exchange in a "security-first" model during the second quarter. (CoinDesk)
According to CoinDesk, Ripple announced on Monday that it will share its internal intelligence on North Korean hackers with Crypto ISAC, a threat intelligence-sharing organization for the cryptocurrency industry, to help businesses identify coordinated intrusion campaigns. This move comes amid a recent shift in attack patterns targeting the cryptocurrency sector. The April theft of $285 million from the Drift protocol was not a traditional smart-contract vulnerability exploit; instead, North Korean hackers spent months building relationships with Drift contributors and installing malware on their devices before stealing private keys. Ripple stated: “The strongest crypto security posture is a shared one. A threat actor rejected by one company after background screening may submit resumes to three other companies the same week. Without shared intelligence, each company starts from scratch.”
North Korean spies spent months conducting multiple in-person meetings with Drift Protocol employees before executing one of the largest social engineering attacks against a crypto protocol, stealing $285 million. According to TRM Labs data, losses attributed to North Korean hackers accounted for 76% of total crypto hack losses in 2026. (CoinDesk)
According to CoinDesk, while quantum computers cannot break Bitcoin’s mining mechanism or blockchain ledger, they could potentially crack the elliptic curve cryptography (ECC) that secures wallet ownership—using Shor’s algorithm. Currently, approximately 6.9 million BTC—roughly one-third of the total supply—are at potential risk because their public keys are already visible on-chain; this includes Satoshi Nakamoto’s estimated early holdings of about 1 million BTC. Transactions generated after Ethereum’s 2021 Taproot upgrade are similarly exposed due to public key disclosure. Ethereum has maintained an official post-quantum migration plan since 2018, with four full-time teams and over ten independent development groups, and operates a dedicated progress website at pq.ethereum.org. In contrast, Bitcoin currently lacks a unified roadmap for quantum resistance: existing proposals such as BIP-360 and BitMEX Research’s detection framework have not gained broad support among core developers. Prominent Bitcoin advocate Nic Carter has bluntly labeled Bitcoin’s quantum response “the worst,” while Blockstream CEO Adam Back acknowledges that current quantum systems remain confined to laboratory settings—but still endorses deploying optional upgrade paths in advance. Analysts note that Bitcoin’s decentralized governance culture makes coordinating large-scale security upgrades extremely difficult, and resolving historical issues—such as how to handle Satoshi’s holdings—presents a particularly thorny dilemma. A related Google paper warns that once quantum attacks become feasible, the window for effective response may already have closed.
According to CoinDesk, the North Korean hacking group Lazarus Group has launched a new macOS-targeted campaign dubbed “Mach-O Man,” aimed at executives and institutions within high-value sectors such as cryptocurrency and fintech. The attack employs a social engineering technique called “ClickFix” to trick victims into pasting commands into their Mac Terminal, thereby granting attackers access to corporate systems, SaaS platforms, and financial resources. CertiK researchers stated that “Mach-O Man” is a modular macOS malware toolkit developed by Lazarus Group, now also adopted by other cybercriminal groups. It often self-deletes before victims detect it, complicating attribution and detection. Additionally, attackers have already carried out this campaign by hijacking DeFi project domains and replacing legitimate Cloudflare messages with fake ones.
Odaily News: Wall Street investment bank Jefferies' analysis indicates that the approximately $293 million attack on Kelp DAO on April 18 exposed critical infrastructure risks, which may prompt traditional financial institutions to reassess the pace of blockchain and tokenization advancement. Jefferies believes the attacker triggered market sell-offs and liquidity stress by minting unbacked tokens and borrowing across platforms. The incident is suspected to be potentially linked to the Lazarus Group and also highlights the single point of failure in the validation mechanisms of cross-chain bridges. As institutions accelerate the tokenization of assets (such as funds, bonds, and deposits), related risks may cause some banks and asset management firms to temporarily pause deployments, prioritizing a review of system security. Especially in scenarios reliant on cross-chain infrastructure, security vulnerabilities could lead to market fragmentation, undermining the practical utility of tokenized assets. Despite short-term confidence being shaken, Jefferies still emphasizes that the long-term trend remains unchanged. Against the backdrop of regulatory progress and continuous infrastructure improvement, use cases like stablecoins still hold growth potential. However, the industry as a whole is still in its early development stage and requires time to enhance system robustness. (CoinDesk)
According to CoinDesk, Kelp DAO will dispute LayerZero’s explanation of the $290 million rsETH cross-chain bridge vulnerability, stating that the compromised single-validator configuration relied on LayerZero’s own infrastructure and that this setup was part of LayerZero’s default integration—rather than a custom choice by Kelp DAO violating recommended practices. The attacker stole approximately 116,500 rsETH by compromising the servers LayerZero used to verify cross-chain transactions and disrupting its fallback nodes. Kelp DAO emphasized that the incident affected only the LayerZero-based bridging layer, leaving its core liquidity re-staking contracts unimpacted. LayerZero subsequently responded by announcing it would cease signing messages for any applications using a single-validator configuration and would mandate secure migration.
According to CoinDesk, Kelp DAO’s LayerZero-based cross-chain bridge was attacked, with the attacker withdrawing 116,500 rsETH—worth approximately $292 million at current prices, or roughly 18% of its circulating supply. This incident has become the largest DeFi attack of 2026 to date. In response, Aave, SparkLend, and Fluid have frozen rsETH-related markets, and Lido Finance has suspended new deposits into its earnETH product. Kelp DAO stated it is jointly investigating the incident with LayerZero, auditing firms, and external security experts.