(Bloomberg) — A weekend hack that saw almost $300 million drained from a little-known crypto project has triggered a crisis of confidence among decentralized-finance investors, with users pulling billions of dollars from DeFi’s biggest lending platform.
The hackers deposited about $200 million of the tokens they stole on Aave as collateral for borrowing another cryptocurrency, according to cybersecurity researcher PeckShield. That move sparked fears among depositors about possibly worthless collateral on Aave, causing a rush for the exit, crypto portfolio manager Pratik Kala said.
All told, Aave has recorded some $9 billion of net outflows since Saturday, when news of the heist first emerged, data from industry tracker DefiLlama shows. Total value locked on the platform — a measure of assets held there — plunged by more than a third to $17.5 billion.
“Depositors are running because Aave is carrying a hole it did not create,” said Kala, a portfolio manager at Australia-based digital-asset hedge fund Apollo Crypto. “Withdraw first, ask questions later is the golden rule.”
Aave representatives didn’t immediately respond to a request for comment.
The incident underscores security vulnerabilities that persist in DeFi, where users trade, borrow and sell crypto without a central intermediary. It comes just weeks after a heist that saw $280 million stolen from Drift Protocol, another DeFi platform.
The hackers are are likely affiliated with North Korea based on the sophistication and scale of the exploit, cybersecurity researcher Cyvers said. They stole a derivative form of Ether, the second-largest cryptocurrency, by targeting software that connects different blockchains. The software protocol was operated by Kelp DAO, a platform that enables so-called restaking.
Such protocols, called cross-chain bridges, represent a key vulnerability in the cryptoasset ecosystem and have been repeatedly been targeted by hackers in past years. LayerZero, which developed the bridge used by Kelp DAO, also said North Korean hackers are likely behind the latest exploit.
Kelp DAO has paused operations while it investigates the breach.
Normally, hackers tend to launder their loot by swapping tokens through a series of transactions engineered to make it difficult to track, or by using so-called crypto mixers. In the latest attack, they deviated from that pattern.
Rather than simply cashing out, the hackers deposited the tokens — called rsETH, short for “restaked” Ether — as collateral across multiple platforms. In total, they borrowed $236 million this way, the bulk of it over Aave, PeckShield estimated.
Aave responded by freezing rsETH markets on its platform. On Sunday, it said in a post on X that its analysis shows rsETH traded on the Ethereum blockchain remains fully backed, but restrictions will stay in place as a precaution.
But the damage was already done. Many Aave users who were unsure whether the rsETH tokens were fully backed or effectively “minted out of thin air” elected to just withdraw their funds from the platform since it isn’t clear who’s on the hook for any losses, said Kala. In essence, it was the DeFi equivalent of a classic bank run, he added.
More stories like this are available on bloomberg.com
