$340 million USD! Aave nearly got taken down. Do you still trust cross-chain bridges' security?



If your money was in Aave, it almost disappeared yesterday.

The biggest DeFi security incident since 2026 has already happened.

It's not a small protocol, but the Kelp + LayerZero + Aave triangle.

Kelp's rsETH was forged out of thin air, and Aave could face a bad debt of up to $340 million USD.

Are you panicking?

---

Here's what happened (understand in 3 minutes):

Step 1: How did the attacker do it?

Kelp's official team released an analysis, simplified into plain language:

> The attacker hacked into LayerZero's RPC node and exploited the "1/1 DVN default configuration" vulnerability.

What does that mean?

LayerZero is a cross-chain messaging protocol.

DVN (Decentralized Validation Node) is its "security inspector."

1/1 DVN means: only one security inspector makes the call.

And this inspector's RPC node was compromised.

As a result:

The attacker could forge cross-chain messages, telling Kelp: "Hey, someone stored ETH on another chain, quickly mint rsETH for them."

Kelp believed it.

rsETH was forged out of thin air.

Then these rsETH were bridged back to the mainnet and exchanged for real assets.

This isn't about hacking skills being extraordinary; it's about poor configuration.
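The configuration weakness described in Step 1, turned into an audit check. This is an added example, not code from the original post, Kelp, or LayerZero. It assumes a quorum model of "every required verifier plus a threshold of optional verifiers" and that each verifier reads the source chain through a single RPC backend; all pathway, verifier and RPC names are constructed.

```python
from itertools import combinations

# Constructed sample pathways (not real deployments). Each verifier maps to the
# RPC backend it reads the source chain from; every name here is hypothetical.
PATHWAYS = {
    "default-1of1": {
        "required": {"dvn-a": "rpc-1"}, "optional": {}, "optional_threshold": 0},
    "3-verifiers-shared-rpc": {
        "required": {"dvn-a": "rpc-1", "dvn-b": "rpc-1"},
        "optional": {"dvn-c": "rpc-1"}, "optional_threshold": 1},
    "2-required-plus-1of2": {
        "required": {"dvn-a": "rpc-1", "dvn-b": "rpc-2"},
        "optional": {"dvn-c": "rpc-3", "dvn-d": "rpc-4"}, "optional_threshold": 1},
}


def quorum_met(cfg, fooled):
    """True if the fooled verifiers alone satisfy the pathway's quorum."""
    required_ok = all(v in fooled for v in cfg["required"])
    optional_ok = sum(v in fooled for v in cfg["optional"]) >= cfg["optional_threshold"]
    return required_ok and optional_ok


def min_rpc_compromises(cfg):
    """Fewest RPC backends that must be compromised for a forged message to pass."""
    verifier_rpc = {**cfg["required"], **cfg["optional"]}
    backends = sorted(set(verifier_rpc.values()))
    for k in range(len(backends) + 1):
        for bad in combinations(backends, k):
            fooled = {v for v, rpc in verifier_rpc.items() if rpc in bad}
            if quorum_met(cfg, fooled):
                return k
    raise ValueError("optional_threshold exceeds the number of optional verifiers")


def audit(pathways, minimum=2):
    """Return {pathway: (verifiers_needed, rpc_backends_needed, passes)}."""
    report = {}
    for name, cfg in pathways.items():
        verifiers = len(cfg["required"]) + cfg["optional_threshold"]
        rpcs = min_rpc_compromises(cfg)
        report[name] = (verifiers, rpcs, min(verifiers, rpcs) >= minimum)
    return report


if __name__ == "__main__":
    for name, row in audit(PATHWAYS).items():
        print(name, row)
```

The second pathway is the case to watch for: three verifiers on paper, but one shared RPC backend, so it fails the audit for the same reason as the 1/1 default.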

Step 2: How did Aave get dragged into this?

rsETH is an asset used as collateral on Aave.

The attacker deposited the forged rsETH into Aave and borrowed USDC, USDT, ETH...

Real assets, cleanly withdrawn.

By the time Kelp noticed something was wrong, Aave had already accumulated a large bad debt.

---

How big is the bad debt? (Data speaks)

- Aave officially disclosed two scenarios: bad debt of $123.7 million or $230.1 million.

- DeFiLlama founder 0xngmi independently estimated: if the L2 market is abandoned, the worst case is $341 million.

- Treasury + Umbrella insurance can cover part of it, but there's still a large gap.

- Lido's EarnETH: $21.6 million exposure, deposits and withdrawals paused.

- Ethena OFT bridge: extended suspension.

Translation:

This isn't a "small incident"; it's an event that nearly made Aave kneel.

---

1. Do I trust cross-chain bridges?

Not anymore. Because the trust level was already low.

This isn't the first time a cross-chain bridge has failed, and it won't be the last.

LayerZero has always been considered the "most reliable cross-chain solution," but what happened?

One RPC node hacked + a default 1/1 DVN configuration = $340 million USD bad debt.

The essence of cross-chain bridges is "trust transfer."

You transfer trust from one chain to a few nodes or validators.

If they make a mistake or get hacked, you lose everything.

My current stance:

Solve problems on a single chain whenever possible; never cross-chain unnecessarily.

If you must cross, be prepared to reset everything.

---

2. Do I trust lending protocols (Aave)?

Not collapsed, but now more aware.

This time, Aave was polluted by "dirty data."

It's not that their code had vulnerabilities; they accepted an attacked asset.

In DeFi, this is called "toxic assets."

Aave's problem is:

It's too open; it lists any asset.

Once listed, risk spreads from "protocol security" to "all oracles + bridges + collateral assets."

But think in reverse:

Aave's bad debt handling is transparent; the DAO openly discusses solutions, and DeFiLlama independently estimates worst-case scenarios.

This is a thousand times better than CeFi.

When CeFi has issues, you can't even see the ledger.

So my conclusion:

Aave remains the toughest lending protocol.

---

3. What does this mean for AAVE holders? (Key point)

Short-term: pain. Long-term: not necessarily bad.

- Short-term:

How to fill the bad debt?

Option 1: Let some L2 markets bear it themselves; Aave mainnet loses $123 million.

Option 2: Aave covers $230 million itself.

Either way, protocol income will be used to fill the gap, dividend expectations drop, and token price faces pressure.

- Long-term:

This incident will push Aave to do two things:

1. Enforce stricter asset listing standards — not all LSTs or LRTs can be listed casually.

2. Strengthen risk control + insurance mechanisms — Umbrella will accelerate deployment.

A word to holders:

You're not just holding AAVE; you're holding one of the most expensive risk lessons in DeFi.

---

I won't advise you to sell Aave, nor to buy the dip.

I only say:

The biggest risk in DeFi isn't code vulnerabilities; it's "thinking it's safe."

This time it's Kelp + LayerZero + Aave.

Next time, who will it be?

Guess. #BitcoinRebound $BTC $ETH