News
23 Apr 2026, 20:52
Aave rallies DeFi partners to contain fallout from $292 million KelpDAO hack

Industry players are coordinating a recovery effort as the year's biggest crypto hack rattled Aave, with Lido and EtherFi the first to offer aid.
23 Apr 2026, 20:30
More users enter impact radius of Vercel exploit

The April 2026 Vercel security incident continues to extend past its initial scope. The incident, which Vercel originally said involved a “limited subset of customers,” has now expanded toward a much broader developer community, especially those building AI agent workflows. In its security bulletin of April 19, which has been updated over time as the investigation continues, Vercel states that developers who rely on collections of third-party API keys, LLM provider credentials, and tool calls are more exposed to attacks of this kind.

How did the breach happen?

Contrary to user speculation, Vercel was not the initial point of entry. The compromise began when a Context.ai employee with sensitive access privileges was infected with Lumma Stealer malware. The infection occurred when the employee downloaded a Roblox auto-farm script and game exploit tools, which are common distribution channels for the malware. The infection led to stolen user data, including Google Workspace login details and access keys to platforms such as Supabase, Datadog, and Authkit. The attacker then used a stolen OAuth token to gain access to Vercel’s Google Workspace account.

While Vercel is not a Context.ai customer, one of its employees had an account with the platform, created using a Vercel enterprise account, and, worst of all, had approved “allow all” permissions. To make things worse, Vercel had enabled these broad permissions within its Google Workspace environment, which made access easier. Once in, the attacker went on to decrypt non-sensitive environment variables stored in the system. However, they were unable to access sensitive data, as Vercel stores those environment variables in a manner that prevents them from being read.

What does this mean for AI agent developers?

For developers, the concern lies more in the impact radius than in what was recorded as stolen. Most developers are worried that their workflows, which are wired together with credentials in plain environment variables, might be exposed by this breach, because developers on Vercel commonly store important access keys in their deployment environments. An AI-powered project may hold an OpenAI or Anthropic API key, a vector database connection string, a webhook secret, and a third-party tool token at the same time, none of which the system flags as sensitive unless the developer marks them so manually. In response, Vercel has updated its product so that all newly created environment variables are marked sensitive by default and can only be made non-sensitive by the developer. While that is a step in the right direction, it does nothing for the variables that were exposed before the change.

How far does the attack go?

According to Vercel, the attack may affect hundreds of users across several organizations, not just its own systems but the wider tech industry, because the OAuth app used in the attack was not limited to Vercel alone. To limit the damage, Vercel’s security team has shared the unique identifier of the compromised OAuth app, urging Google Workspace administrators and Google account holders to check whether it had access to their systems. Additionally, Context.ai, with the help of Nudge Security CTO Jaime Blasco, detected another OAuth permission grant that included Google Drive access. To prevent further impact, Context.ai immediately alerted all affected customers and provided the steps needed to prevent further breaches.
23 Apr 2026, 20:23
Lido offers $5.8M stETH to Kelp DAO after 100K ETH exploit

🚨 Lido considers injecting $5.8M in stETH to cover Kelp DAO’s 100K ETH shortfall. Kelp DAO lost $292 million in a major exploit, triggering cascading effects in $ETH DeFi.

🛡️ Critical data: Collective action is needed as bad debt climbs and investor confidence in DeFi is shaken.

The post appeared first on COINTURK NEWS.
23 Apr 2026, 19:45
Kelp DAO Exploit: Chainalysis Confirms Off-Chain Attack, Not a Smart Contract Bug – Critical Security Lesson

New York, USA – March 5, 2025 – Blockchain analytics firm Chainalysis has released a detailed report confirming that the recent $292 million Kelp DAO bridge exploit was not a smart contract bug. Instead, the attack targeted off-chain infrastructure. This finding changes how the crypto community understands the incident. It also raises urgent questions about security beyond the blockchain.

Kelp DAO Exploit: A $292 Million Wake-Up Call

The Kelp DAO exploit occurred on February 28, 2025. Attackers drained approximately $292 million from the protocol’s bridge. Initial reports speculated about a vulnerability in the smart contract code. However, Chainalysis now provides clarity. The firm’s investigation reveals a different story.

According to the report, the hacker manipulated off-chain systems. They tricked the bridge into issuing rsETH tokens. This happened even though the corresponding assets had not been burned on the source chain. In simple terms, the attacker created rsETH out of thin air. They did this by compromising the backend infrastructure that validates cross-chain transactions.

Chainalysis states that the attack exploited weaknesses in the bridge’s off-chain relay and validation logic. These components are responsible for verifying that assets are locked or burned before minting on the destination chain. The hacker bypassed these checks. This allowed them to mint rsETH without providing real collateral.

The exploit underscores a growing trend in crypto security. Off-chain infrastructure is becoming a prime target. Smart contracts are audited and hardened. But the systems that connect them remain vulnerable. This incident is a stark reminder that security must extend to all layers of a protocol.

How the Off-Chain Attack Worked

Chainalysis provides a step-by-step breakdown of the Kelp DAO exploit. The attack did not require exploiting a smart contract bug. Instead, it targeted the bridge’s off-chain components.

Step 1: Reconnaissance. The attacker studied the bridge’s off-chain relay system. They identified weaknesses in the validation process.
Step 2: Compromise. The hacker gained access to the off-chain infrastructure. This likely involved exploiting a vulnerability in a server or API.
Step 3: Manipulation. They submitted a fake proof of asset burn. The off-chain relay accepted this without proper verification.
Step 4: Minting. The bridge minted 10,000 rsETH tokens on the destination chain. These tokens had no backing.
Step 5: Liquidation. The attacker swapped the fake rsETH for other assets. They then moved the funds through mixers and exchanges.

This sequence highlights a critical gap. The bridge trusted the off-chain relay completely. It did not require on-chain verification of the burn event. The attacker exploited this trust.

Chainalysis Report: Key Findings

The Chainalysis report offers several key insights. First, the smart contract code was not the problem. Auditors had reviewed it. No critical bugs existed. Second, the off-chain infrastructure lacked redundancy. A single point of failure led to the entire exploit. Third, the attack was sophisticated. It required deep knowledge of bridge architecture.

Chainalysis also notes that the attacker likely had insider knowledge. They understood the relay system’s internal logic. This suggests a targeted attack rather than a random hack. The firm recommends that protocols implement multi-signature validation for off-chain operations. They also suggest using cryptographic proofs to verify cross-chain messages.

The report emphasizes that off-chain attacks are harder to detect. They leave fewer on-chain traces. Traditional security tools focus on smart contracts. They miss vulnerabilities in backend systems. This incident will likely accelerate investment in off-chain security solutions.
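The gap the report describes, a mint handler that accepts a single relay's word that a burn happened, next to the multi-signature validation it recommends, as an added illustration that is not code from Kelp DAO or the Chainalysis report. Validator keys, the burn event and the 2-of-3 quorum are constructed sample values, and HMAC stands in for the asymmetric signatures a real bridge would verify.

```python
# Added example (not Kelp DAO's or Chainalysis's code). WeakBridge mints on a
# single relay's say-so; QuorumBridge mints only when a quorum of independently
# keyed validators attest to the same canonical burn event, and it refuses
# replays. Keys and events are constructed; HMAC stands in for real signatures.
import hashlib
import hmac
import json

VALIDATOR_KEYS = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}
QUORUM = 2  # 2-of-3: one compromised validator host cannot mint alone

def canonical(burn_event: dict) -> bytes:
    """Deterministic bytes so every validator attests to exactly the same event."""
    return json.dumps(burn_event, sort_keys=True, separators=(",", ":")).encode()

def attest(validator_id: str, burn_event: dict) -> tuple[str, str]:
    """One validator's attestation that it saw this burn finalized on the source chain."""
    mac = hmac.new(VALIDATOR_KEYS[validator_id], canonical(burn_event), hashlib.sha256)
    return validator_id, mac.hexdigest()

class WeakBridge:
    """The pattern in the report: the relay is trusted completely, nothing is verified."""
    def __init__(self):
        self.minted = {}

    def mint(self, relay_claim: dict) -> bool:
        self.minted[relay_claim["recipient"]] = relay_claim["amount"]
        return True

class QuorumBridge:
    """Mints only when QUORUM distinct validators attest to the same burn event."""
    def __init__(self):
        self.minted = {}
        self.seen_nonces = set()

    def mint(self, burn_event: dict, attestations: list[tuple[str, str]]) -> bool:
        if burn_event["nonce"] in self.seen_nonces:
            return False  # replay: this burn was already credited
        valid = set()  # a set, so one validator signing twice counts once
        for vid, mac in attestations:
            if vid in VALIDATOR_KEYS and hmac.compare_digest(mac, attest(vid, burn_event)[1]):
                valid.add(vid)
        if len(valid) < QUORUM:
            return False  # a lone relay, or a single compromised validator, is not enough
        self.seen_nonces.add(burn_event["nonce"])
        self.minted[burn_event["recipient"]] = burn_event["amount"]
        return True

# Constructed sample event: 10 rsETH burned on the source chain, owed to 0xabc.
BURN = {"src_chain": 1, "tx": "0xburn01", "recipient": "0xabc", "amount": 10, "nonce": 1}
```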
Impact on the Crypto Ecosystem

The Kelp DAO exploit has immediate and long-term impacts. In the short term, the protocol lost $292 million. This represents a significant portion of its total value locked. Users who held rsETH faced uncertainty. The token’s price dropped sharply. Some decentralized exchanges paused trading.

Kelp DAO has since taken steps to recover. They paused the bridge and initiated a security review. They also offered a bounty for information leading to the hacker. However, full recovery remains uncertain. The stolen funds may never be returned.

In the long term, this incident will reshape security practices. Protocols will now scrutinize their off-chain infrastructure. They will implement stronger access controls. They will also use more robust validation mechanisms. The industry may see new standards for bridge security.

Regulators are also paying attention. The exploit highlights the risks of cross-chain bridges. These bridges are critical for interoperability. But they also create new attack surfaces. Policymakers may push for stricter requirements. This could include mandatory audits of off-chain systems.

Lessons for Developers and Users

Developers must learn from the Kelp DAO exploit. Smart contract audits are not enough. Off-chain components need equal scrutiny. This includes relay servers, APIs, and validator nodes. Each component represents a potential entry point for attackers.

Users should also exercise caution. They should research a protocol’s security posture. They should look for evidence of off-chain audits. They should also consider the protocol’s response to incidents. Transparency and speed matter in a crisis.

The exploit also underscores the importance of decentralization. Centralized off-chain components create single points of failure. Protocols should aim to decentralize these components. This reduces the risk of a single compromise leading to a massive loss.

Comparing the Kelp DAO Exploit to Other Attacks

The Kelp DAO exploit is not the first off-chain attack. However, it is one of the largest. Previous incidents include the Ronin Bridge hack and the Wormhole exploit. Both involved off-chain vulnerabilities. The Ronin attack compromised validator keys. The Wormhole exploit targeted a bridge contract. Each incident offers unique lessons.

Attack         Amount Lost   Attack Vector                      Year
Kelp DAO       $292M         Off-chain relay compromise         2025
Ronin Bridge   $625M         Validator key compromise           2022
Wormhole       $326M         Smart contract vulnerability       2022
Poly Network   $611M         Cross-chain message manipulation   2021

This table shows a pattern. Off-chain and cross-chain vulnerabilities are common. They often lead to large losses. The Kelp DAO exploit fits this pattern. It also highlights the evolving nature of these attacks. Attackers are becoming more sophisticated. They target the weakest link in the chain.

Conclusion

The Kelp DAO exploit serves as a critical security lesson for the entire crypto industry. Chainalysis confirms that the $292 million loss resulted from an off-chain attack, not a smart contract bug. This distinction is vital. It forces protocols to look beyond the blockchain. They must secure every component of their infrastructure. The incident also underscores the need for better validation mechanisms. Multi-signature verification and cryptographic proofs can prevent similar attacks. As the industry grows, security must evolve. The Kelp DAO exploit is a reminder that no system is safe without comprehensive protection. Developers, users, and regulators must all take note.

FAQs

Q1: What was the Kelp DAO exploit?
A1: The Kelp DAO exploit was a $292 million attack on the protocol’s bridge. Attackers manipulated off-chain infrastructure to mint fake rsETH tokens. Chainalysis confirmed it was not a smart contract bug.

Q2: How did the off-chain attack work?
A2: The hacker compromised the bridge’s off-chain relay system. They submitted a fake proof of asset burn. The relay accepted it without proper verification. This allowed the minting of unbacked rsETH tokens.

Q3: What did Chainalysis find in their report?
A3: Chainalysis found that the exploit targeted off-chain infrastructure, not smart contracts. They identified weaknesses in the relay validation process. They recommended multi-signature verification and cryptographic proofs.

Q4: What are the impacts of the Kelp DAO exploit?
A4: The protocol lost $292 million. The rsETH token price dropped sharply. The incident has led to increased scrutiny of off-chain security. It may also influence regulatory approaches to bridge security.

Q5: How can protocols prevent similar attacks?
A5: Protocols should audit all off-chain components. They should implement multi-signature validation for cross-chain operations. They should also use cryptographic proofs to verify messages. Decentralizing off-chain infrastructure reduces single points of failure.

This post first appeared on BitcoinWorld.
23 Apr 2026, 19:40
BIS talks about the rapid evolution of cryptoasset service providers

The BIS, famously known as the central bank of central banks, highlighted in its latest paper the need for appropriate safeguards now that cryptoasset service providers have stopped being fringe aspects of global finance and have become real financial intermediaries. The paper comes near the end of an active month for DeFi hackers. Two of the biggest scandals to shake the DeFi space this year illustrate the contagion risk the BIS paper describes.

BIS talks about the rapid evolution of cryptoasset service providers

The paper acknowledged how the capabilities of cryptoasset service providers have expanded beyond their initial roles as trading platforms and custodial service providers. It introduced a new classification, multifunction cryptoasset intermediaries (MCIs), to express how some of the products these firms now offer closely resemble financial intermediation activities that used to be the exclusive domain of banks and prime brokers.

According to the paper, MCIs take on credit, liquidity, and maturity risk when they accept customer cryptoassets via investment programs and use those assets to fund lending, market making, and other activities. This puts them virtually on the same level as traditional financial intermediaries. Despite this, the paper notes, MCIs in many jurisdictions operate without prudential safeguards, while safeguards such as deposit insurance and central bank liquidity do apply to their traditional financial counterparts engaged in comparable risk transformation. This lets MCIs get away with opacity, which leads to significant data gaps. The BIS also noted that as TradFi and crypto integrate, the risk of spillover effects has become more real.

To address these risks, the BIS proposed a combination of entity-based (EB) and activity-based (AB) regulation, while admitting challenges that could make that route difficult. Among the challenges the organization mentioned were lags in the coverage of borrowing and lending activities within existing cryptoasset regulatory frameworks, the need for effective cross-border supervisory cooperation, and limited supervisory resources.

The DeFi market has been through the wringer

There is no doubt that the DeFi sector has been racked by some pretty scandalous exploits, as losses from this month alone are almost four times the total for the first three months of the year. The latest scandal, a clear example of contagion risk, involved KelpDAO, where attackers exploited a vulnerability in the protocol’s verification layer. This allowed them to mint about 116,500 rsETH out of thin air, which they then used to borrow ETH from major lending platforms like Aave. When markets realized the con, the value of rsETH collapsed, and lenders were left holding the bag. About $292 million was drained as a result, and Aave, along with other lending protocols, was forced to suspend operations to prevent a systemic run on its liquidity pools. Hackers extracted about $285 million from the Drift exploit this month as well. These scandals have shown that DeFi needs to rely on something other than code.

KelpDAO loot has crossed over to Bitcoin

According to security analysts at Halborn, the recent KelpDAO exploit has links to the Lazarus Group from North Korea. This was backed up by sleuths like ZachXBT and Tayvano on X, with Tayvano sharing in a tweet earlier today that the DPRK was involved and that the money has been completely laundered via THORChain. Her post came after it was revealed that the KelpDAO hackers took 1.5 days to swap nearly all of their 75,700 ETH holdings into BTC. According to reports, most of this occurred on THORChain and amounted to roughly $910,000 in platform fee revenue, reminiscent of the notoriety the platform gained in February 2025 when the same suspected group laundered the loot from the $1.5 billion Bybit hack through the same venue.
23 Apr 2026, 19:36
Arbitrum freezes over 30,000 ETH after KelpDAO exploit

🚨 Over 30,000 ETH frozen in $ETH after the KelpDAO hack. The Arbitrum Security Council took urgent action to lock funds.

The post appeared first on COINTURK NEWS.