Overview
- A April exploit of KelpDAO’s LayerZero bridge allowed attackers to forge cross‑chain messages and triggered about $8.45 billion in user withdrawals from Aave within 48 hours.
- Researchers traced the root cause to RPC‑spoofing and DDoS on LayerZero verifier nodes that let attackers mint worthless collateral and withdraw real wrapped Ether, creating roughly $123.7 million in bad debt on Aave V3.
- Aave’s near‑collapse was halted by a chaotic, human‑led emergency rescue that included a 25,000 ETH pledge from the Aave DAO and a 5,000 ETH personal contribution from founder Stani Kulechov as part of an overall ~$300 million stabilization effort.
- Aave Labs is developing a V4 hub‑and‑spoke redesign to isolate collateral risk and allow targeted freezes or premiums, and the company has expanded into regulated channels with recent UK FCA approvals for subsidiaries.
- The episode highlights how off‑chain bridge verifiers are single points of failure, exposes gaps in DeFi insurance and governance, and raises the risk that similar cross‑chain attacks could prompt more runs or regulatory scrutiny.