Yesterday, someone stole $293 million with $250 in gas fees. No zero-day vulnerability. No broken code. Just a mischecked box in a configuration file.

Let me explain.

THE TIMELINE

- April 18, 2026, 11:05 AM UTC.

An anonymous wallet receives 0.1 ETH from Tornado Cash. Cost: ~$250.

For 6 hours, nothing happens.

Then at 5:35 PM, this wallet executes ONE SINGLE function call on the Kelp DAO contract.

And 116,500 rsETH appear out of thin air.

Value: $293 million.

🔓 THE VULNERABILITY (explained simply)

Imagine a vault with 3 locks. Standard security practice says: "you need 2 out of 3 keys to open it." But Kelp DAO configured their LayerZero bridge differently: "1 key is enough."

That "key" was a DVN (Decentralized Verifier Network). ONE SINGLE validator.

Exact configuration:

→ requiredDVNCount: 1

→ optionalDVNCount: 0

The attacker compromised this single node, forged a fake cross-chain message saying "send 116k rsETH to this address," and the contract obeyed. This wasn't a code bug, it was a deployment misconfiguration.

Audits check code. Not always the config.

THE HEIST (in 46 minutes)

5:35 PM → Exploit: mint of 116,500 unbacked rsETH

5:36-5:42 PM → Distribution to 7 intermediate wallets:

- 53,000 rsETH → 0x1f4c1c

- 30,000 rsETH → 0xeba786

- 10,000 rsETH → 0xcbb24a

- 8,000 rsETH → 0x1b748b

- 6,000 rsETH → 0xbb6a60

- 5,000 rsETH → 0x8d11ae

- 4,500 rsETH → 0xe9e2f4

5:45-6:00 PM → Deposited as collateral on AAVE V3, Compound V3, AAVE Arbitrum

6:00 PM+ → Borrowed $236M in WETH against this "collateral"

6:15 PM → Consolidated to a single wallet

The problem?

These rsETH have ZERO real value. They're worthless. But the lending protocol oracles couldn't know that.

THE ATTACKER'S ADDRESSES

I traced the entire flow on-chain:

Main wallet (exploiter): 0x8B1b6c

→ Funded via Tornado Cash 0.1 ETH Pool

→ Executed the fraudulent lzReceive() call

Profit consolidation wallet:

ETH Millionaire 0x5d391: app.nansen.ai/profiler?addre…

→ Labeled "ETH Millionaire" by #NansenAI

→ Received $163M+ in borrowed ETH

→ Likely being mixed through Tornado Cash as we speak

Exploit transaction:

0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222

THE IMPACT ON AAVE

$AAVE was NOT directly hacked but the protocol is now sitting on a $236M bad debt hole.

The rsETH used as collateral is now worth zero.

The WETH loans will never be repaid.

The positions are unliquidatable.

The numbers in 24h:

- $AAVE price: -22% over 7 days ($115 → $90)

- TVL: -16.78% ($21.96B)

- Exchange inflows: +$22.6M (16x normal average)

- Smart Trader outflows: -$248k

- Top PnL wallets outflows: -$2.4M

Emergency measures:

🔒 rsETH/wrsETH markets frozen on all V3/V4 instances

🔒 WETH frozen on Core, Prime, Arbitrum, Base, Mantle, Linea

WHO'S GOING TO PAY?

You, if you staked $aETHWETH on AAVE.

The Umbrella module will automatically take a portion of your stake to cover the losses.

How it works:

1. UmbrellaCore monitors bad debt on-chain

2. When threshold is exceeded → slash() is called automatically

3. Pro-rata burn of vault shares

4. No governance vote required, it's automatic

Withdrawal cooldown: 20 days. This isn't a bug. It's by design. You signed up for this in the terms.

HISTORICAL COMPARISON

This hack joins the podium of biggest bridge exploits:

🥇 Ronin (2022): $625M - 5/9 validator compromise

🥈 Wormhole (2022): $326M - Signature verification bug

🥉 Kelp DAO (2026): $293M - 1-of-1 DVN compromise

4️⃣ Nomad (2022): $190M - Merkle root flaw

Common pattern: trust assumptions on cross-chain validators.

Total bridge hacks since 2022: >$2.8 billion (~40% of all Web3 hacks).

MY TAKEAWAYS

1. A code audit ≠ a config audit. Kelp's code was audited. The 1-of-1 DVN configuration apparently wasn't.

2. One validator = one point of failure. Industry standard: minimum 2-of-3. Kelp: 1-of-1. It was a ticking time bomb.

3. LRTs as collateral = systemic risk. Liquid Restaking Tokens add layers of complexity that current oracles can't evaluate in real-time.

4. DeFi remains the Wild West. $293M stolen with $250 in gas. Attacker's ROI: 586,000,000%.
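A config check of the kind takeaways 1 and 2 (and the 1-of-1 DVN setting quoted earlier) call for, as an added example that is not code from Kelp DAO or LayerZero. It assumes each pathway's settings have been exported as a dict; optionalDVNThreshold, the address lists, the policy floor and the sample data are assumptions of this example.

```python
# Added example: lint bridge verifier (DVN) settings for single points of failure.
# requiredDVNCount / optionalDVNCount are the fields quoted in the post; optionalDVNThreshold,
# the address lists, MIN_VERIFIERS and the sample data are assumptions of this example.
MIN_VERIFIERS = 2  # policy floor, per the post's "2 out of 3" reading


def audit_pathway(name, cfg, min_verifiers=MIN_VERIFIERS):
    """Return a list of findings for one pathway's verifier configuration."""
    findings = []
    required = [a.lower() for a in cfg.get("requiredDVNs", [])]
    optional = [a.lower() for a in cfg.get("optionalDVNs", [])]
    threshold = cfg.get("optionalDVNThreshold", 0)
    # Declared counts must match the address lists, or the review is reading stale data.
    if (cfg.get("requiredDVNCount", 0), cfg.get("optionalDVNCount", 0)) != (len(required), len(optional)):
        findings.append(f"{name}: declared DVN counts do not match address lists")
    # The same verifier listed twice adds no independence.
    distinct = set(required) | set(optional)
    if len(distinct) != len(required) + len(optional):
        findings.append(f"{name}: duplicate DVN address")
    if threshold > len(optional):
        findings.append(f"{name}: optional threshold {threshold} exceeds optional DVN count")
    # Assumed semantics: every required DVN plus `threshold` optional DVNs must attest,
    # so this is how many distinct verifiers must be compromised to forge a message.
    must_sign = len(set(required)) + min(threshold, len(set(optional) - set(required)))
    if must_sign < min_verifiers:
        findings.append(f"{name}: {must_sign}-of-{len(distinct)} verification, below floor of {min_verifiers}")
    return findings


def audit_all(pathways, min_verifiers=MIN_VERIFIERS):
    """Audit every pathway and return all findings in one list."""
    return [f for name, cfg in pathways.items() for f in audit_pathway(name, cfg, min_verifiers)]


# Constructed sample configurations; addresses are placeholders, not real DVNs.
SAMPLE = {
    "single-dvn": {"requiredDVNCount": 1, "optionalDVNCount": 0, "optionalDVNThreshold": 0,
                   "requiredDVNs": ["0xAAA1"], "optionalDVNs": []},
    "two-plus-one": {"requiredDVNCount": 2, "optionalDVNCount": 2, "optionalDVNThreshold": 1,
                     "requiredDVNs": ["0xAAA1", "0xBBB2"], "optionalDVNs": ["0xCCC3", "0xDDD4"]},
    "duplicate": {"requiredDVNCount": 2, "optionalDVNCount": 0, "optionalDVNThreshold": 0,
                  "requiredDVNs": ["0xAAA1", "0xaaa1"], "optionalDVNs": []},
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```

Run against every pathway before deployment and on each config change, so a 1-of-1 setting fails review the same way a failing unit test would.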

🔍 TO FOLLOW THE CASE

Wallet to monitor (fund consolidation):

0x5d3919f12bcc35c26eee5f8226a9bee90c257ccc

The funds are likely being mixed through Tornado Cash as you read this post.

This wasn't an AAVE hack, it was a hack of trust.

One mischecked box. A "default" config. $293M gone.

Welcome to DeFi.

If this post was useful, share it. More people need to understand that DeFi security isn't just about code.

And if you have $aWETH staked on AAVE... you know what to do.

#Hack #CyberSecurity #OnChainAnalysis

$AAVE
