Lessons from $292 Million: What the rsETH Theft Teaches About DeFi Security

Written by: Liu Jiao Lian

Introduction: A Lucky Coincidence

On April 18, 2026, Kelp DAO’s rsETH cross-chain bridge was attacked, and assets worth about $292 million were stolen. The attacker deposited the stolen rsETH into Aave, borrowed ETH, and triggered a bad debt panic. The ETH utilization rate on Aave instantly soared to 100%, locking the funds of countless innocent depositors.

Two months earlier, on February 5, 2026, Jiao Lian had just transferred all deposits from Aave to Spark. The motivation was simple: Spark’s yield was just a little higher than Aave’s. As a result, they unintentionally avoided this crisis.

This was not foresight, not judgment—pure luck. But this luck prompted Jiao Lian to seriously consider a question: can we be so lucky next time?

Taking advantage of this incident, Jiao Lian reviewed the pitfalls, lessons, and final thoughts encountered in the DeFi world, written below.

  1. April 18, 2026: How a Butterfly Flaps Its Wings

1.1 The Attack Itself

At 17:35 UTC on April 18, an attacker-controlled wallet called the LayerZero EndpointV2 contract, which triggered Kelp DAO’s cross-chain bridge contract to release 116,500 rsETH to the attacker’s address, worth about $292 million at the market price at the time. [1]

The attacker’s wallet had obtained funds 10 hours earlier through Tornado Cash’s 1 ETH pool, a common method of obfuscating funds in DeFi attacks.

Kelp DAO responded quickly: 46 minutes later, its emergency multisig wallet executed pauseAll, freezing the core contracts and blocking two subsequent attempts to steal about $100 million each. [1]

1.2 Risk Propagation to Aave

But the real storm was not with Kelp DAO, but with the more well-known lending protocol Aave.

The attacker deposited the stolen rsETH into Aave as collateral and borrowed ETH. This step turned an external attack into an internal bad debt risk for Aave. [2]

The market reacted swiftly. Whales began withdrawing ETH from Aave. According to Lookonchain’s monitoring, ETH utilization on Aave quickly reached 100%—meaning almost no ETH was available for withdrawal or new borrowing. [2]

Innocent users who had never touched rsETH, only deposited ETH, also had their funds locked.

This is the cost of shared pool lending: you don’t need to directly touch the bad apples; as long as you are in the same pool, you will be affected.
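A toy model of the shared-pool mechanism described above (an added example, not code from the original article and not Aave’s accounting): one ETH pot shared by every lender, a borrow that draws from it, a run that empties it, and a mechanical liquidity rule of the kind AC describes later. Pool sizes, lender names and the 20% threshold are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class SharedPool:
    """Toy non-isolated ETH pool (constructed model, not Aave's accounting)."""
    supplied: float = 0.0                          # ETH deposited by all lenders
    borrowed: float = 0.0                          # ETH currently lent out
    balances: dict = field(default_factory=dict)   # lender -> claim on the pot

    def available(self) -> float:
        return self.supplied - self.borrowed       # ETH actually left in the pot

    def utilization(self) -> float:
        # share of deposits lent out; 1.0 means nothing is left to withdraw
        return self.borrowed / self.supplied if self.supplied else 0.0

    def deposit(self, lender: str, amount: float) -> None:
        self.balances[lender] = self.balances.get(lender, 0.0) + amount
        self.supplied += amount

    def borrow(self, amount: float) -> bool:
        # collateral checks are out of scope; only free liquidity limits the loan
        if amount > self.available():
            return False
        self.borrowed += amount
        return True

    def withdraw(self, lender: str, amount: float) -> bool:
        # a claim is only redeemable from whatever is physically left in the pot
        if amount > self.balances.get(lender, 0.0) or amount > self.available():
            return False
        self.balances[lender] -= amount
        self.supplied -= amount
        return True

def liquidity_rule_triggered(pool: SharedPool, min_free_fraction: float) -> bool:
    # mechanical exit rule: free liquidity fell below a fixed share of deposits
    return pool.supplied > 0 and pool.available() / pool.supplied < min_free_fraction

def run_scenario() -> dict:
    pool = SharedPool()
    pool.deposit("innocent", 1000.0)   # never touched rsETH
    pool.deposit("whales", 6000.0)
    pool.borrow(2000.0)                # borrower draws ETH against collateral the pool accepted
    rule_before_run = liquidity_rule_triggered(pool, 0.2)
    pool.withdraw("whales", 5000.0)    # bank run: whales pull all free ETH
    return {"utilization": pool.utilization(),
            "rule_before_run": rule_before_run,
            "rule_during_run": liquidity_rule_triggered(pool, 0.2),
            "innocent_can_withdraw": pool.withdraw("innocent", 100.0)}
```

The innocent lender’s claim is still intact on paper; it simply cannot be redeemed while utilization sits at 100%, and the rule only fires once the run is already under way.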

1.3 The Inherent Risks of Non-Isolated Lending

Curve founder Michael Egorov tweeted after the incident: this is an inherent risk of the popular non-isolated lending model. It’s scalable but riskier. Risk management is key, and Aave has done well in this regard historically. [3]

His implication was: this problem is inherent to the model, not a specific vulnerability of Aave.

Jiao Lian believes this judgment is correct. But the problem is, ordinary users find it hard to predict when risks will turn into reality.

  2. Contradictory Moments: Listening to Words vs Watching Actions

2.1 The Divide Between Reassurance and Action

Aave officials said the situation was under control, and the security module Umbrella could serve as the first line of defense. [1]

But the real discussion was triggered by the conduct of Andre Cronje (AC).

AC tweeted: Aave has $7 billion in ETH deposits, only $100 million was withdrawn, so the impact is minimal. Even if bad debt occurs, Aave’s security module and AAVE tokens are the first line of defense. [4]

Meanwhile, he had withdrawn all ETH from the PUT protocol he founded. His explanation was: PUT’s primary goal is user liquidity; the available liquidity on Aave dropped below our minimum threshold, which is just a rule trigger, not an indication that Aave is going bankrupt. [4]

Legally, he did nothing wrong. But from an observer’s perspective, it’s hard not to get the impression: say one thing, do another.

2.2 History Rhymes

This is not the first time.

In May 2022, Luna collapsed. Do Kwon repeatedly said after UST de-pegged: don’t panic, the algorithm will recover. Those who believed him were buried.

In November 2022, FTX collapsed. SBF said after the bank run that assets were fine, FTX was healthy. Those who believed him were also buried.

A friend of Jiao Lian’s had a large deposit in FTX. Seeing panic and reassurance simultaneously, he chose to withdraw to hedge risks. Afterwards, he said he didn’t know if FTX would collapse, but he knew if it did, he couldn’t run away. So he chose to run first.

This logic, Jiao Lian believes, is what ordinary users should remember in a crisis: a gentleman does not stand under a dangerous wall. You may not know if the wall will fall. You only need to know you don’t have to stand underneath.

  3. Jiao Lian’s Two Experiences: From Being Trapped to Lucky Escape

3.1 The First Time: Compound Locked

In November 2025, Jiao Lian deposited some USDC into Compound. They didn’t touch deUSD, nor did they know what xUSD was.

But on November 4, the xUSD team admitted a loss of $93 million, and xUSD de-pegged. The deUSD backing it also de-pegged. Compound accepted deUSD as collateral. At 5 a.m., Compound urgently paused withdrawals. [5]

Jiao Lian’s funds were locked.

That day, they wrote in an article: a day earlier, they could have calmly and smoothly withdrawn to hedge the risk. But with withdrawals suddenly paused, there was no longer any chance even to retreat in a hurry. [5]

Fortunately, the bad debt was only a few million dollars, covered by the security module, and there was no disaster.

But Jiao Lian learned a lesson: risks can propagate. You don’t need direct contact with the bad apples; as long as you are in the same pool, you will be affected.

3.2 The Second Time: Aave Withdrawal

On February 5, 2026, Jiao Lian transferred deposits from Aave to Spark.

The reason was simple, even a bit cliché: Aave’s yield dropped, Spark’s was slightly higher. Jiao Lian just moved funds from a lower-interest place to a higher-interest one.

This kind of operation happens countless times in normal days. Jiao Lian did not foresee that Aave would have an incident two months later, nor analyze rsETH’s risks, nor had any insider information.

But they unintentionally avoided the April Aave crisis.

Jiao Lian calls this luck. But they also wonder: is there something inevitable hidden inside this randomness?

3.3 Comparing the Two Times

First: passive entrapment, lucky escape. Second: active movement, unintentionally hedging.

There is no need to chase being right in every judgment, and it is not easy anyway. As long as your liquidity remains free, you may inadvertently avoid some pitfalls.

But it’s not a long-term solution. As the saying goes, “If you walk by the river often, you will not avoid getting your shoes wet.”

  4. New Battlefield: Spark’s Off-Chain Opacity

4.1 A Temporary Refuge

After leaving Aave, Jiao Lian moved some funds to Spark.

What is Spark? Spark’s liquidity layer is an automated capital allocator that automatically distributes assets like USDS, sUSDS, USDC into various DeFi protocols and RWA products to optimize yields. [6]

4.2 Asset Composition

According to Spark’s official data, its total assets amount to about $2.1 billion.

Jiao Lian noticed that over 90% of the assets are on-chain stablecoins, which are traceable. But the institution called Anchorage, which custodies about 7%, holds off-chain assets that ordinary users cannot see into.

4.3 Risk Exchange

Jiao Lian believes that moving from Aave to Spark is not a security upgrade but a risk exchange.

In protocols like Aave/Compound, risks are relatively transparent: what are the collateral assets, what is the liquidation threshold, the code is open source. Risks come from market volatility or attacks.

In Spark, risks introduce new dimensions: institutional custody, RWA, opaque strategies. You don’t know what Anchorage’s $150 million is doing specifically, nor can you monitor every rebalancing in real time.

This does not mean Spark is unsafe. Since launch, Spark has managed over $4 billion in assets with zero security incidents. Jiao Lian wants to say: any protocol has risks, just of different types. Ordinary users need to understand what risks they are accepting, not blindly believe any protocol is forever safe.

  5. Historical Lessons: Four Key Takeaways

Jiao Lian compiled the crises seen and experienced in DeFi over the years into a table:

[Table omitted]

From these four incidents, Jiao Lian summarizes four lessons:

First: Don’t stand under a dangerous wall. When abnormal signals appear, assume the wall will fall and withdraw first. If it doesn’t fall, you lose only some gas fees and a few days’ interest. If it does fall, you preserve your entire principal.

Second: Don’t trust words, only actions. Any reassurance from KOLs or founders must be verified by their actions. Those who speak do not bear consequences; those who act are responsible.

Third: Maintain liquidity freedom. Never put yourself in a situation where you want to run but cannot. A utilization rate of 100% is the typical signal: by the time you want to run, it’s already too late.

Fourth: Understand risk exchange. Before choosing any protocol, ask yourself: what yield do I get, and what new risks am I accepting? On-chain transparency risks vs. off-chain institutional risks, market volatility vs. strategic errors—there is no absolute safety, only different risk types.

  6. The Ultimate Answer: Exit the Game

6.1 Why Exit

Jiao Lian realized one thing: as long as you chase yields, you are always exposed to some kind of risk.

In Aave, you are exposed to shared pool propagation risk. In Spark, you are exposed to opaque institutional risks. In stablecoins, you face issuer and regulatory risks. In wrapped BTC, you face custodian and cross-chain bridge risks.

Switching protocols is just switching risks—not upgrading, but exchanging.

6.2 Jiao Lian’s Plan

Use this bear market to gradually convert all or most of their DeFi funds into on-chain BTC.

Not wBTC, not cbBTC, not any wrapped assets. Native BTC. Stored in their own fully controlled wallet.

Jiao Lian believes this is the only way of holding an asset in the crypto world that requires no trust in any third party.

No reliance on protocol code, no reliance on teams, no reliance on collateral, no reliance on custodians. The only dependency: their own ability to safeguard private keys.

6.3 Cost and Responsibility

On-chain BTC does not generate interest. That’s the cost.

Key management risk shifts from protocols to oneself. That’s the responsibility.

The conversion process itself also carries risks and must be operated cautiously.

Jiao Lian is willing to accept these costs because, in their view, the security of not relying on anyone is worth sacrificing a few percentage points of so-called annualized yield.

6.4 Final Words

We entered the crypto market initially to find a place that doesn’t require trusting banks. After a circle, in DeFi, we trusted code, teams, security modules, and KOLs’ calls…

In the end, the true destination is still returning to the most simple starting point: self-custody of your own Bitcoin.

References:

[1] The Block, “Kelp DAO’s rsETH bridge apparently exploited for roughly $292 million in LayerZero-based attack,” Apr 18, 2026

[2] Lookonchain, X post on Aave ETH utilization rate reaching 100%, Apr 19, 2026

[3] Michael Egorov, X post on non-isolated lending risks, Apr 19, 2026

[4] Andre Cronje, X post on PUT withdrawal decision, Apr 19, 2026

[5] Liu Jiao Lian, Butterfly Storm, Nov 5, 2025. [Link]

[6] Spark, Spark Liquidity Layer official data
