Aave Hit by rsETH Hack On Layer Zero: Bad Debt And Possible Refunds


In recent days, you've surely heard about the hack that affected LayerZero (bridge) and Kelp DAO (liquid staking protocol), which then spread to lending platforms (Aave, Fluid, Euler, Compound, etc.). The hack resulted in a $290 million hole with bad debts of over $200 million, primarily on Aave.

 

HOW DID THE HACK HAPPEN?
LayerZero works through a messaging system that mints/burns tokens as they pass from one chain to another. To ensure reliability, LayerZero relies on dozens of Decentralized Verifier Networks (DVNs), and it's up to each protocol to decide which ones to use. The more DVNs you use, the higher the costs (primarily gas fees), so some protocols, to save money, opt for a minimal configuration. Attackers manipulated cryptographic signatures to bypass the consensus of honest DVNs. The hacker posed as the validating authority, self-certified a nonexistent deposit on the source chain, and forced the protocol to "mint" approximately 116,500 completely unbacked rsETH tokens ($290M) from thin air.

 

BORROWING ETH FROM LENDING PLATFORMS
Subsequently, the attackers, unable to sell rsETH on-chain (due to low liquidity), decided to deposit them on Aave, Compound, Euler, etc., borrowing $ETH with the specific intention of not returning it. Some vaults, due to the extremely high borrowing of $ETH, became saturated, no longer allowing withdrawals. Aave cannot create assets from thin air: if there are $330M and they are all borrowed, no one can withdraw.


This applies to any asset. Under "normal" conditions, a protocol incentivizes/disincentivizes deposits or loans by increasing/decreasing the supply/borrow APY. If liquidity is needed, the supply APY increases; if an asset has high utilization (borrow), the APY is increased. In this case, the deposit and the huge loan were instantaneous, so much so that it led to a bank run when word spread of the Kelp DAO exploit (among the first to withdraw were Justin Sun, MEXC exchange, and Abraxas Capital).
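The utilization mechanics described above, as an added sketch that is not part of the original article and is not Aave's code. The kinked rate curve and its parameters, the 200 of existing borrows, the 500 borrow request and the 10 withdrawal are constructed assumptions; only the $330M pool size comes from the text.

```python
from dataclasses import dataclass

# Rate-curve parameters are assumed values for illustration, not Aave's settings.
@dataclass
class Pool:
    supplied: float           # total deposits, $M
    borrowed: float = 0.0     # total outstanding loans, $M
    kink: float = 0.90        # assumed target utilization
    slope1: float = 0.04      # assumed borrow APY reached at the kink
    slope2: float = 0.80      # assumed extra APY between the kink and 100%

    def available(self) -> float:
        return self.supplied - self.borrowed

    def utilization(self) -> float:
        return self.borrowed / self.supplied if self.supplied else 0.0

    def borrow_apy(self) -> float:
        u = self.utilization()
        if u <= self.kink:
            return self.slope1 * u / self.kink
        return self.slope1 + self.slope2 * (u - self.kink) / (1 - self.kink)

    def borrow(self, amount: float) -> float:
        taken = min(amount, self.available())   # cannot lend what is not there
        self.borrowed += taken
        return taken

    def withdraw(self, amount: float) -> float:
        paid = min(amount, self.available())    # only idle liquidity can leave
        self.supplied -= paid
        return paid

def bad_debt(debt: float, collateral_units: float, price: float) -> float:
    """Debt that liquidating the collateral at `price` cannot cover."""
    return max(0.0, debt - collateral_units * price)

def scenario() -> dict:
    pool = Pool(supplied=330.0)                 # the $330M pool from the text
    pool.borrow(200.0)                          # constructed: ordinary borrowers
    apy_before = pool.borrow_apy()
    loan = pool.borrow(500.0)                   # constructed: one oversized borrow
    return {
        "apy_before": apy_before,
        "apy_after": pool.borrow_apy(),
        "utilization": pool.utilization(),
        "loan": loan,
        "lender_withdrawal": pool.withdraw(10.0),
        "bad_debt": bad_debt(loan, collateral_units=1.0, price=0.0),
    }
```

The rate jump only attracts new deposits or repayments over time, so it does nothing for a lender who tries to exit in the same block as the borrow; supply caps and conservative collateral parameters on thin-liquidity assets are the controls that bound this exposure in advance.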

A brief recap?
1) ETH borrowed and never returned: bad debt on Aave.
2) Aave found itself with collateral in worthless rsETH tokens (impossible to liquidate).
3) Bank run with capital flight that emptied many vaults (primarily on Arbitrum and Ink Chain) between withdrawals and borrows. Aave lost about $8B in TVL.
4) ETH and rsETH vaults paused (to prevent further deposits and withdrawals).
5) $AAVE token lost over 20%.
6) Other lending/farming platforms that use rsETH collateral or Aave vaults have been affected: Euler, Compound, Fluid, Ethena, Pendle (YT and PT tokens) and Tydro (Aave fork).


 

WHAT WILL HAPPEN NOW?
Deposits and withdrawals for ETH and rsETH vaults have been frozen. Some vaults, due to "high usage" (many borrowed assets), have drained liquidity, making withdrawals of other assets impossible (USDC, wBTC, etc.), resulting in a liquidity gap that impacts those who had deposited $ETH.


What resources does Aave have to repay?
1) A portion of the rsETH collateral has certainly been liquidated, so the bad debt does not include all the borrowed assets.
2) Treasury.
3) Umbrella staking (it's a 260M pool, 56M of which is in wETH, that acts as an insurance fund: users deposit in exchange for a higher-than-normal return but risk losing a large portion of their assets in the event of bad debt. Is the risk worthwhile? I don't think so).
4) Possible external help (Tether "gave away" $148M in Drift after the hack in early April, in exchange for replacing USDC with USDT).
5) Possible bounty (hackers return the sum, keeping about 15-20% of the "legit" amount for themselves).

Aave Governance is currently deciding on a fund recovery strategy: the two most affected chains are Arbitrum and Mantle. Arbitrum has announced that it has frozen the stolen ETH.

I personally managed to withdraw everything before the pools saturated. I hope you were able to do the same! 

 

☑️0🆇D̺͈͙͕̿ͧ̑ͣ🅰🆅🅸🅳eͤ