「DeFi 已死」：今年最大規模駭客攻擊暴露傳染風險，crypto 社群陷入混亂

📄完整原文· 由 trafilatura 自動擷取8029 字

'DeFi is dead': crypto community scrambles after this year's biggest hack exposes contagion risks Developers and traders warn of structural risks as a cross-chain exploit spreads fear and prompts billions to flee DeFi platforms. What to know: - A $292 million exploit of Kelp DAO's rsETH token triggered a broad liquidity crunch across DeFi, sparking heavy withdrawals from major lending platforms, including Aave. - Developers claim the hack stemmed from a misconfigured cross-chain verification setup in LayerZero-based infrastructure, exposing how flexible "modular" security, without strong minimum standards, can create systemic risk. - The incident, which affected about 18% of the rsETH supply and follows a string of large DeFi hacks this month, has intensified doubts about the sector's resilience and prompted protocols to freeze markets and urgently review their cross-chain configurations. The $292 million exploit of Kelp DAO has set off a wave of reactions across the crypto industry, with developers and traders warning that the incident exposed deeper flaws in how decentralized finance (DeFi) is built. Data shared by market participants shows the immediate fallout spread far beyond the hacked protocol. “The rsETH hack is leading to withdrawals across all lending protocols, even on solana and unaffected protocols,” 0xngmi said in one post on Sunday, pointing to steep outflows including “Aave: -6,200m (-23%) net inflows” and smaller but notable declines across Morpho, Sky and JupLend. rsETH is liquid restaking protocol Kelp DAO's restaked ether and is a Liquid Restaking Token (LRT) that allows users to earn ether staking and restaking rewards while keeping their assets liquid, even when they are locked in staking. That pressure quickly turned into something more severe. One widely circulated post by Josu San Martin described cascading liquidity stress inside lending markets: “ETH depositors cannot withdraw the ETH so they are borrowing stables to ‘withdraw’ funds… This is a full on run on AAVE.” While Stani Kulechov, Aave's founder, said the exploit was external and that the protocol's contracts were not compromised, the depositors panicked. The total value locked (or deposits) dropped from $26.4 billion on April 18 to nearly $20 billion in U.S. morning hours on Sunday, per DefiLlama. The AAVE token also fell more than 18% as depositors scrambled to withdraw their money through the weekend. A 'case study' The exploit itself has become a focal point for engineers and developers. Several developers pushed back on early assumptions that the issue stemmed from core infrastructure. “The KelpDAO exploit (~$290M, is NOT a LayerZero protocol bug. It's a configuration issue and a case study every project with a cross-chain token needs to look at today,” one technical breakdown by cryptogoblin read. The thread detailed how a single verification point enabled the attack. “One signature and 116,500 rsETH materialized out of thin air on Ethereum,” the post said, describing a system where “the [smart] contracts weren't broken. The verification layer was,” the post claimed. Others argued the problem runs deeper than a single setup choice. One critique, who goes by Fishy Catfish on X, framed it as a design flaw, alleging that: “there is no security floor… A configuration can be a 1/1 DVN and the DVN you chose can be a single node ran by a single entity.” A DVN (Decentralized Verifier Network) in DeFi, specifically within LayerZero V2, is an independent entity responsible for validating and attesting to the authenticity of messages sent across different blockchain networks. Essentially, DVNs verify message hashes between a source chain and a destination chain. To make the point clearer, the author drew a real-world comparison: “imagine if a roller coaster manufacturer allowed amusement parks to individually decide what the minimum safety specs were.” Essentially, the author is simply saying that flexibility without guardrails can create hidden risks. The post went so far as to claim that the setup was the problem within the design. "I personally think this is a flawed design. Modular security is a worthwhile design space, however, the range of security should have a native security floor that is quite strong, and then allow *additional* layering of security on top of that for more high-value use-cases." 'DeFi is dead' It's not just the amount and complexity of the exploit that drew the harsh, panicked criticism. The scale of the exploit has heightened concerns. Roughly 116,500 rsETH, about 18% of supply, was affected. The attacker tricked LayerZero's cross-chain messaging layer into believing a valid instruction had arrived from another network, which triggered Kelp's bridge to release 116,500 rsETH to an attacker-controlled address. Protocols responded by freezing markets and pausing features. Aave halted rsETH activity. Lido paused deposits tied to the asset. Other projects took similar steps to limit exposure as the situation unfolded. Beyond the technical debate, sentiment across crypto turned sharply negative. One post perhaps captured the mood shift in blunt terms: “DeFi is dead… ‘just use aave’ is dead,” while adding that “The age of crypto is over” and asking, “If you're reading this - why are you still in crypto?” While the response may sound like an overreaction, that kind of 'knee-jerk' reaction is not unusual after large exploits, but the breadth of this event stands out. The attack affected cross-chain infrastructure, restaking models and lending markets simultaneously. It also follows a string of recent incidents. The hack lands in an unusually hostile stretch for DeFi, particularly this month. Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an attack later linked to North Korea-affiliated actors, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance and Silo Finance. 'Check your configs' Despite all the explanations, there are still more questions than answers. Even LayerZero is still trying to figure out the full details of the exploit. "We’re fully aware of the rsETH exploit and have been in active remediation with the @KelpDAO team since the incident and continue to monitor. All other applications remain safe," it said in a post on X. "We are still identifying the root cause alongside @_SEAL_Org and others. We will publish a complete post-mortem with @KelpDAO as soon as we have all information." KelpDAO echoed this sentiment. "Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA. We will keep you posted as we learn more about this situation." Still, some developers see a clearer lesson in the chaos. The exploit did not rely on breaking encryption or bypassing smart contracts. Instead, it exposed how fragile systems can become when they depend on layered assumptions. In simple terms, the tools worked as designed. The way they were configured did not. That distinction may shape what comes next. Builders are now urging projects to review their setups, especially those relying on cross-chain messaging. As cryptogoblin put it bluntly: “Check your configs. Stay safe out there.” Read more: DeFi yields are crashing so hard that they can't compete with a traditional savings account More For You Odds favor a Democratic rise in Congress next year, when lawmakers who've begun going after firms such as Kalshi and Polymarket may have greater sway. What to know: - Prediction markets are having a moment in the U.S., though unfortunately for Polymarket and Kalshi, the moment has drawn more than half a dozen pieces of critical congressional legislation. - The industry is getting getting tied to accusations of insider trading and sports-betting violations from various critics even as its close...

資料狀態✓ 已擷取全文閱讀原文（CoinDesk）

🔍歷史類似事件· 關鍵字 + 標的比對6 則

2026-04-19

「DeFi 已死」：今年最大駭客攻擊事件暴露傳染風險，crypto community 陷入混亂

相似度 620%關鍵字 community/exposes/contagion同分類 hot

2026-04-20

Bitcoin 彈升至 $76,000 以上，DeFi 因 KelpDAO 被駭導致 $140 億資金出走

相似度 220%關鍵字 defi/hack/after同分類 hot

2026-04-17

與俄羅斯有關的加密貨幣交易所 Grinex 在遭駭 1,400 萬美元後暫停交易

相似度 220%關鍵字 hack/after/crypto同分類 hot

2026-04-19

Aave 的 TVL 下跌 60 億美元，Kelp 駭客事件暴露了該 DeFi 借貸平台的結構性風險

相似度 180%關鍵字 defi/hack/exposes

2026-04-19

Aave 存款減少 60 億美元，Kelp 駭客攻擊暴露 DeFi 借貸平台的結構性風險

相似度 180%關鍵字 defi/hack/exposes

2026-04-20

在 Paul Atkins 領導下的一年裡，SEC 對加密貨幣的立場顯示出與過去的決裂

相似度 170%關鍵字 year/crypto同分類 hot

💡 目前用關鍵字 + 標的比對（MVP）· 之後會升級為 embedding 語意搜尋

原始資訊

ID：37aba5cc92

來源：CoinDesk

發佈：2026-04-19 16:49:03

分類：hot · 導出分類 hot

標的：未指定

社群投票：+0 / −0 · ⭐ 1 重要 · 💬 0 留言