News
20 Apr 2026, 10:51
Bitcoin drops from recent highs as traders watch CME gap, DeFi hack fallout

Bitcoin pulled back after Friday’s surge as traders considered a CME futures gap, a DeFi exploit rattled altcoins and macro pressures weighed on sentiment.
20 Apr 2026, 10:50
KelpDAO hack pushes April crypto losses past $606 million

With less than two weeks remaining in April, the crypto industry appears set to record its highest monthly hack losses since February 2025, following the KelpDAO exploit over the weekend. By April 20, hackers had stolen about $606,215,950 from the crypto industry, according to data from DeFiLlama analyzed by Finbold. On April 18, attackers targeted KelpDAO, an Ethereum ( ETH )-based liquid restaking protocol, and drained approximately $293 million. The monthly total value hacked. Source: DeFiLlama At the beginning of this month, Drift Trade – an open source perpetual futures exchange on the Solana ( SOL ) network – was siphoned of around $286 million. As such, crypto losses from hacks surged 1,368% month over month (MoM), reaching a new record in 14 months. Crypto investors flee DeFi space after KelpDAO attack Following the heightened risk of sophisticated attacks on Decentralized Finance (DeFi) in April, crypto investors have been exiting en masse. Over the past 24 hours, all the top 20 DeFi chains registered net outflows of over $10 billion in total value locked (TVL). Precisely, the total TVL in DeFi declined from $99.49 billion on April 18 to hover roughly $85.41 billion, based on metrics from DeFiLlama . TVL changes from the top DeFi chains. Source: DeFiLlama The Ethereum network was the worst hit after the KelpDAO attack, with its TVL declining by $10.34 billion to approximately $46.16 billion at press time. Furthermore, the TVL on AAVE ( AAVE ), a top multi-chain lending protocol, fell to its lowest level in 2026 at reporting time, to about $17.51 billion, down from $26.39 billion on April 18, as indicated on DeFiLlama . TVL on the AAVE protocol. Source: DeFiLlama Web3 expert warns of a systemic risk The attack on Kelp DAO could spread across numerous DeFi protocols, as per analysis from David Schwartz, former Chief Technology Officer (CTO) at Ripple Labs. Furthermore, he noted that several DeFi protocols might be using security shortcuts to catapult the adoption rate. If the DeFi space fails to implement stronger security measures, more hacks and funds loss in the near term could make this month the worst. Furthermore, security experts believe that North Korea-linked group TraderTraitor, which is a subset of the Lazarus Group, may be the bad actor stealing crypto users’ funds. The post KelpDAO hack pushes April crypto losses past $606 million appeared first on Finbold .
20 Apr 2026, 10:40
Kelp DAO Hack Traced to Lazarus Group: Report

Attackers allegedly poisoned RPC nodes and exploited Kelp DAO’s single-verifier 1/1 DVN bridge setup to approve a fraudulent cross-chain message. Separately, Ethereum Name Service gateway eth.limo said its recent domain hijacking was caused by a social engineering attack against provider easyDNS, where an attacker impersonated a team member to gain account access and alter DNS settings. Lazarus Group Strokes Again… LayerZero released its preliminary findings on the recent Kelp DAO exploit. It attributed the attack to what it describes as a highly sophisticated state-backed threat actor, likely North Korea’s Lazarus Group, specifically the subgroup known as TraderTraitor. The incident took place on April 18, when Kelp DAO’s LayerZero-powered cross-chain bridge was compromised. This resulted in the loss of 116,500 rsETH tokens worth approximately $292 million. So far, this was the largest decentralized finance exploit this year. X post from LayerZero According to LayerZero, the attackers gained access to the list of RPC nodes used by LayerZero Labs’ decentralized verifier network (DVN), a system of independent entities responsible for validating cross-chain messages. Two of those nodes were allegedly poisoned, which allowed them to transmit a fraudulent message to the DVN. At the same time, the attackers launched a distributed denial-of-service attack against uncompromised nodes, increasing the likelihood that the network would rely on the malicious nodes. The forged message was ultimately accepted because Kelp DAO configured its bridge to use a single 1-of-1 DVN setup This means that there was no secondary verifier in place to detect or reject the fraudulent transaction. LayerZero said this lack of redundancy created a single point of failure. Interestingly, LayerZero previously advised Kelp DAO to diversify its DVN configuration. Despite those recommendations, Kelp DAO chose to continue operating with the 1/1 model. LayerZero explained that the exploit is isolated to Kelp DAO and has not affected other assets or applications using its infrastructure. It said the LayerZero Labs DVN remains fully operational and that projects using multi-DVN security setups can continue operations with confidence. In response to the incident, LayerZero announced that it will no longer sign messages for applications using a 1/1 DVN configuration. The company also said it is cooperating with multiple law enforcement agencies and actively tracking the stolen funds. eth.limo Hijack Caused by Social Engineering Meanwhile, Ethereum Name Service gateway eth.limo disclosed that the domain hijacking incident on Friday was caused by a social engineering attack targeting its domain service provider, easyDNS. In a postmortem that was published on Saturday, eth.limo explained that an attacker impersonated one of its team members and initiated an account recovery process with easyDNS. That fraudulent recovery request reportedly gave the attacker access to the eth.limo account, which allowed them to modify key domain settings. The attacker then changed the name server records and redirected them to Cloudflare-controlled infrastructure. Once the issue was identified as a DNS hijack, eth.limo said it immediately alerted the community and reached out to Ethereum co-founder Vitalik Buterin. The company also contacted easyDNS to begin coordinating a response. During the incident, Buterin warned users to avoid visiting his personal blog through the affected gateway until the matter was resolved. Eth.limo provides access to roughly two million decentralized websites using the .eth domain name system, which makes it a very important access point for users browsing Ethereum-based sites through standard web browsers. If successfully weaponized, control of the service could have allowed attackers to redirect visitors to phishing pages or malware-laced websites. However, both eth.limo and easyDNS said the Domain Name System Security Extension (DNSSEC) limited the damage. DNSSEC adds cryptographic verification to DNS records, and because the attacker did not possess the required signing keys, they were unable to create valid signatures for forged DNS responses. As a result, many DNS resolvers rejected the manipulated records, causing users to see errors rather than malicious redirects. Eth.limo said the missing signing keys likely reduced the overall impact of the attack and added that it is not currently aware of any user harm. The company said updates would be provided if that assessment changes. EasyDNS CEO Mark Jeftovic publicly accepted responsibility for the incident by stating that the company made mistakes and would own them. He described the breach as the first successful social engineering attack against an easyDNS client in the company’s 28-year history, despite many prior attempts. Following the incident, easyDNS said it already began implementing security changes to prevent similar attacks in the future.
20 Apr 2026, 10:30
Aave drops 18% in TVL after KelpDAO exploit, but is REAL damage deeper?

AAVE’s drop shows collateral failure and liquidity exits reshaping risk across the protocol and wider DeFi markets.
20 Apr 2026, 10:30
LayerZero Breaks Silence On $290 Million KelpDAO Crypto Exploit

KelpDAO’s $290 million rsETH exploit has moved into a new phase, with LayerZero and Aave now publicly outlining how the incident unfolded, why the damage appears contained, and what it could mean for crypto cross-chain security standards going forward. The central claim from LayerZero is that the exploit was not a failure of the protocol itself, but the result of KelpDAO’s decision to run rsETH with a single-DVN configuration. That matters because the latest statements shift the market narrative away from generalized contagion risk across LayerZero-integrated assets and toward a narrower question: how much risk was concentrated in one application’s security design. LayerZero Links KelpDAO Crypto Exploit To RPC Attack In an incident statement from April 20, LayerZero said the April 18 attack targeted KelpDAO’s rsETH setup and was “isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.” The company added that it had conducted “a comprehensive review of active integrations” and could confirm “with confidence that there is zero contagion to any other asset or application.” LayerZero framed the episode as a state-linked crypto infrastructure attack rather than a protocol exploit. According to the statement, “preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor.” It said the attack did not compromise the protocol, key management, or the DVN instances directly. Instead, the attacker allegedly poisoned downstream RPC infrastructure used by the LayerZero Labs DVN, swapped binaries on compromised op-geth nodes, and then used DDoS pressure on uncompromised RPCs to force failover toward the poisoned infrastructure. That sequence is central to LayerZero’s argument. “Because of our least-privilege principles, they were unable to compromise the actual DVN instances,” the company wrote. “However, they used this pivot point to execute an RPC-spoofing attack. Their malicious node used a custom payload designed explicitly to forge a message to the DVN with minimal warnings.” LayerZero said the manipulated node presented false data only to the DVN while returning truthful responses to other IPs, including its own monitoring infrastructure, in what it described as a deliberately stealthy effort to avoid detection. Even so, LayerZero argues the exploit should have been stopped at the application layer had rsETH not relied on a 1-of-1 verifier setup. “The affected application was rsETH, issued by KelpDAO,” the statement said. “Their OApp configuration at the time of this incident relied on a 1-of-1 DVN setup, with LayerZero Labs as the sole verifier — a configuration that directly contradicts the multi-DVN redundancy model that LayerZero has consistently recommended to all integration partners.” It added that “a properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised.” The company said its DVN is live again, that affected RPC nodes have been deprecated and replaced, and that it will no longer sign or attest messages for applications using a 1/1 configuration. It also said it is working with law enforcement and industry partners, including Seal911, to track funds. Aave said in an X update on late The protocol said its analysis shows “rsETH on Ethereum mainnet is fully backed,” but added that “out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped.” WETH reserves also remain frozen across the affected markets on Ethereum, Arbitrum, Base, Mantle, and Linea while the team continues to validate information and assess possible resolutions. At press time, the total crypto market cap stood at $2.5 trillion.
20 Apr 2026, 10:23
A $293 Million Hack Wiped $8 Billion From Aave Crypto TVL: Is the DeFi Protocol in Crisis?

Aave crypto is bleeding. The DeFi lending giant has shed nearly 21% over seven days, with AAVE trading around $90–$91 after a weekend that exposed just how quickly contagion spreads through interconnected DeFi protocols. Volume spiked 50.20% to $539.45M in 24 hours, but that’s panic volume, not accumulation. Whether this selloff represents a buying opportunity or the start of a deeper unwind depends entirely on what happens next with protocol confidence. The incident that triggered the collapse began Saturday when hackers drained 116,500 rsETH tokens worth approximately $293 million from Kelp DAO’s LayerZero-powered bridge. The stolen funds were posted as collateral on Aave v3 to borrow wrapped Ether, leaving roughly $195 million in bad debt on the protocol. Crypto analytics platform Lookonchain flagged the largest withdrawals: MEXC pulled $431 million, Abraxas Capital followed at $392 million. AAVE Total value locked / Source: DefiLlama Aave’s total value locked collapsed from $26.4 billion to $17.94 billion, stripping it of the top DeFi protocol ranking it held going into the weekend. Curve Finance, Ethena, and BitGo’s Wrapped Bitcoin all paused LayerZero bridge usage as a precaution. The broader macro environment for crypto was already fragile. Now AAVE faces a protocol-specific credibility crisis layered on top of market-wide pressure — a combination that rarely resolves quickly. Discover: The best pre-launch token sales Can AAVE Crypto Price Recover to $120 This Week? The honest answer: not easily. AAVE sits near $91 on major exchanges, down roughly 6% on Kraken in 24 hours and over 20% on the week, a significant deviation from the broader market’s comparatively mild -0.50% seven-day performance. The all-time high of $661.69 feels like a different asset entirely from this distance (54% drawdown at current levels). Volume surging alongside price decline is a classic distribution signal. It suggests sellers are finding liquidity into any bounce rather than buyers absorbing the dip with conviction. The $90–$92 zone is acting as immediate support; a clean break below $89, which AAVE crypto briefly touched during the initial panic, opens the door toward the $78–$80 range where structural demand last materialized. Source: Tradingview More realistically though, it usually takes time to rebuild trust after something like this, so price likely sits between $88 and $100 while the market processes the damage and watches how users react, which keeps any recovery slow and capped. The real risk is if capital keeps leaving, because if TVL drops under $15B and withdrawals continue, that pressure shows up directly in price, and once $85 breaks, the structure weakens fast and opens the door toward $70. Discover: The best crypto to diversify your portfolio with Maxi Doge Eyes Early-Mover Upside as AAVE Absorbs Protocol Shock Watching an established DeFi blue chip shed $8 billion in TVL over a weekend raises a reasonable question: when protocol risk can wipe out gains this fast, where does smart money rotate for asymmetric upside? The answer, increasingly, is early-stage presales, where market cap is microscopic, and the exploit risk of a $26B lending protocol simply doesn’t apply. Maxi Doge ($MAXI) is one of the more unconventional entries in the current presale cycle — a meme token built on Ethereum that leans hard into the 1000x leverage trading mentality through what it calls “Lever King Culture.” The project has raised $4,745,091.23 at a current presale price of $0.0002814 , with dynamic staking APY available to participants. Features include holder-only trading competitions with leaderboard rewards and a Maxi Fund treasury allocated to liquidity and partnerships. The gym-bro branding is deliberate, viral meme marketing has driven outsized returns in this cycle before (Dogecoin, Shiba Inu, and their descendants all started somewhere). Risk is real: meme tokens are high-volatility, high-failure-rate instruments. DYOR is not optional here. For those with risk appetite suited to early-stage exposure, research Maxi Doge before the presale window closes. The post A $293 Million Hack Wiped $8 Billion From Aave Crypto TVL: Is the DeFi Protocol in Crisis? appeared first on Cryptonews .





































