OVERVIEW

What The Kelp Happened 🤦

Here’s What’s Happening 👇️

Another weekend, another bridge exploit, another nine-figure hole in a DeFi lending protocol. The Kelp DAO drain is just the seventeenth major bridge to fall down since 2021.

Here's what happened, who's holding the bag, and absolutely no explanation of why people still keep using bridges. Seriously. Why. When. Will. It. Stop.

Anyway.

Before we dive in, here’s today’s crypto crypto’s total market and altcoin market cap charts:

THE CASHTAG AWARDS
The BIGGEST night in Finance. May 4th. NYSE.

The Cashtag Awards are built by the Stocktwits community and it wouldn't be the same without you in the room!

We're offering a limited number of fully comped tickets for members who want to show up, represent, and help make this night as special as it should be.

Want to celebrate with us on May 4th?

NEWS
What Is A Bridge, Exactly? 🤔

Before we dive into DeFi’s latest tale of suck, not everyone knows what a bridge is. 🌉 

Crypto doesn't live on one blockchain. It lives on $ETH ( ▲ 2.51% ) , $SOL ( ▲ 0.89% ) , $ADA ( ▲ 1.87% ) , $SUI ( ▲ 0.88% ) , and twenty other networks that don't natively speak to each other. Your ETH on Ethereum can't walk over to Solana on its own.

The chains don't share a ledger, don't share consensus, and don't know the other one exists.

Bridges were designed to solve that. The idea makes sense: let users move value between chains seamlessly, and make crypto feel like one unified system instead of a dozen walled gardens.

The mechanic is straightforward. You want to move 1 ETH from Ethereum to Solana. The bridge locks your ETH in a smart contract on Ethereum and mints 1 "wrapped ETH" on Solana, backed one-to-one by the real ETH in the vault. The wrapped version (wETH) trades, lends, and borrows on Solana just like the real thing. Want to come home? Burn the wrapped version, unlock the original.

Think of it as a paper warehouse receipt. A vault in Chicago holds gold bars. A bank in London issues certificates, each redeemable for one bar. The certificates trade freely. As long as the gold is really in the vault, the paper is as good as gold. Drain the vault, and every certificate in circulation is suddenly worth nothing.

And that's where the story turns into tragedy. Well, at this point, it’s more of a comedy, a dark comedy.

The good idea built a very bad honeypot. Every bridge holds hundreds of millions, sometimes billions, in locked assets, guarded by infrastructure that has repeatedly failed to the same handful of attack vectors.

And that brings us to where we are today. 📆

NEWS
What The Kelp Happened 🤦 

Somewhere right now, a DeFi product manager is drafting a Medium post about "lessons learned." Save them the trouble. The lesson is the one Vitalik wrote down on January 7, 2022 - four years, three months, and eleven days ago.

Bridges are structurally fragile. Bridged assets are not native assets. You cannot wrap your way out of a key-compromise problem, a 51% problem, or a DVN configuration problem. 

Aaaand here we are anyway.

Well, That Sucks: The Number

$292 million - the 116,500 rsETH a Lazarus Group affiliate walked out of Kelp DAO's $ZRO ( ▼ 0.57% ) bridge with at 17:35 UTC on Saturday. Eighteen percent of the entire circulating rsETH supply. Since the drain, DeFi TVL has dropped roughly $13.21 billion in 48 hours.

So… What Happened? How?

• Lazarus compromised two RPC (Remote Procedure Call, basically a way for one computer to ask another to do something like ‘hey, give me the balance of this wallet’) nodes that LayerZero Labs' DVN relied on, then DDoS'd the clean ones until the verifier failed over to the poisoned ones.

• Kelp was running a 1-of-1 DVN - LayerZero Labs as the sole verifier - against LayerZero's own published integration guidance recommending multi-DVN redundancy.

• The DVN approved a fake cross-chain message, the bridge released 116,500 rsETH, and every L2 with wrapped rsETH on it is now pointing at an empty vault.

• The compromised RPC nodes ran custom malware that selectively lied to the DVN while telling the truth to every other observer, then self-destructed after the attack - designed specifically to bypass LayerZero's own monitoring.

The smart contracts worked exactly as written. Which, these days, feels as good as, ‘I was just doing my job.’

The Damage In Dollars. And Pride

• Aave bad debt: $177M–$200M, concentrated in the WETH pool on Ethereum.

• Aave TVL: $26.4B to $17.95B in 48 hours.

• $AAVE ( ▲ 3.34% )  token: -12% on the 18th, -11% on the 19th. Sat to Sunday losses totaled -21.5%.

• WETH pool utilization: 100%. Withdrawals frozen in practice, if not in name.

• rsETH frozen across: Aave V3, Aave V4, SparkLend, Fluid, Upshift, Lido earnETH, Morpho.

• Umbrella versus the hole: $50M in the aWETH vault against $196M of bad debt.

It’s Been A Shite Year For Aave

• January 29 - Aave activates rsETH E-Mode at 93% LTV, compressing the safety buffer from 28% to 7% in the name of "competitiveness." Same day, SparkLend exits rsETH entirely at its 72% LTV.

• April 6 - Chaos Labs, the firm that grew Aave V3 from $5B to $26B TVL with effectively zero material bad debt, resigns over a funding and governance dispute.

• April 9 - LlamaRisk, now sole risk steward, raises the rsETH supply cap from 480K to 530K.

• April 12 - The "Aave Will Win" proposal passes. Stani calls it "the most important proposal in Aave's history."

• April 18 - Marc Zeller, the ACI founder who authored the 93% LTV proposal in January, posts on X: "withdraw now, ask questions later."

Six days between "most important proposal in Aave's history" and "bank run the WETH pool."

The industry's response, predictably, is that this was a configuration failure, not a protocol failure. Fine. Call it whatever you want.

The money is still gone, the WETH pool is still impaired, and somewhere, another project is writing a blog post about the innovative new bridge they just shipped.

One validator. One oracle. One DVN. One something. The class of vulnerability never changes. The dollar figures just keep getting bigger.

Bridges are bad. They have always been bad. They will continue to be bad. And we will continue to use them, because a $3 billion running tab apparently isn't enough evidence to stop. 🤦 

ON-CHAIN ANALYSIS
This Is How Bad Bridges Are 😯 

Top 10 Bridge Hacks of All Time

• #1 - Ronin Network (Axie Infinity) - March 23, 2022 - $624M - Lazarus compromised 5/9 validator keys via a fake LinkedIn job offer loaded with spyware.

• #2 - Poly Network - August 10, 2021 - $611M - Keeper role set to attacker's address via a smart contract vulnerability; most funds eventually returned.

• #3 - BNB Bridge (BSC Token Hub) - October 6, 2022 - $570M - Forged Merkle proof; $110M unrecoverable after BNB Chain was halted eight hours.

• #4 - Wormhole - February 2, 2022 - $325M - Signature verification bypass; attacker minted 120,000 unbacked wETH on Solana.

• #5 - Kelp DAO / LayerZero - April 18, 2026 - $292M - 1-of-1 DVN compromised via RPC node poisoning and DDoS; Lazarus attribution.

• #6 - Nomad Bridge - August 1, 2022 - $190M - Initialization bug during an upgrade made every message valid; hundreds of copycats piled on.

• #7 - Multichain - July 6, 2023 - $126M - MPC key compromise; widely suspected insider rug after the CEO's arrest in China.

• #8 - Harmony Horizon Bridge - June 23, 2022 - $100M - Lazarus compromised 2/5 multisig validator keys.

• #9 - Heco Bridge (Huobi/HTX) - November 22, 2023 - $87M - Private key compromise of the bridge operator.

• #10 - Orbit Chain - January 1, 2024 - $81M - Multisig compromise; 7 of 10 signer keys drained the bridge.

Fun-ish Stats

• Cumulative bridge losses across these 10: $3.41 billion

• Five of the top ten were Lazarus Group / DPRK-linked (Ronin, Harmony, Heco almost certainly, arguably Multichain, now Kelp)

• Six of ten were key compromise or signer failures (Ronin, Poly, Multichain, Harmony, Heco, Orbit)

• Four of ten were verification / message-forgery exploits (BNB Bridge, Wormhole, Nomad, Kelp)

• Zero of these have the bridge operators learning anything from the previous nine

DEFI
Not A Rave You Wanted To Attend 😶

Hey, as long as we’re doom scrolling, here’s another: $RAVE ( ▼ 2.09% ) .

Rave probably popped up on your radar a few times over the last few weeks. Hell, it even moved into the top 20 by market cap for crypto - but it left that room faster than an unannounced visit home and seeing mom and dad, um, well it GTFO fast.

And before some of you ask, yes, that daily chart above is the logarithmic chart. Anyway, this rug pull of a ticker hit a high of $28.57 on Saturday and then closed at $0.63 on Sunday. -97.77%. In two days.

The market cap chart is even sadder. Or funny. Depends on if you bought any or not.

From a high of a little over $7B on Saturday to $182M as of this afternoon. Ouch.

So What Happened?

That’s still being hashed out. Per ZachXBT and the on-chain evidence: four wallets controlled 95%+ of supply, roughly $42 million was moved to Bitget right before the move, liquidity was pulled, and more than $37 million in shorts got liquidated in the squeeze before insiders exited.

Standard "pump brings in the bag holders, squeeze traps the shorts, insiders walk" choreography - just at a size that's hard to ignore.

What's new as of the last 24 hours: Binance, Bitget, and Gate.io have all publicly opened investigations. Bitget's Gracy Chen confirmed a probe, Binance's Richard Teng pledged to look into market misconduct, and Gate's Kevin Lee said they were already on it. ZachXBT has a $25K whistleblower bounty out, $10k of that is his own money.

RaveDAO denies involvement. I’ll keep you updated as things develop. 📰 

OLD NEWS
Crypto Stuff That Happened Today, But A Long Time Ago 📜

Here’s what was happening in the newsletter a year ago today:

• This was a weekend data-dive issue - more market scoreboard than headline circus.

• Crypto was still sitting below its highs.

• DEX was the standout sector - up 12.9% on the week.

• Most sectors were green - Top 25, AI, DeFi, Lending, Proof-of-Stake, Proof-of-Work, Privacy, Smart Contracts, and Web3 all posted gains.

Here’s what was happening in the newsletter two years ago today:

• Bitcoin’s halving was only hours away.

• The technical focus was on ADA, MINA, RNDR, and DOGE.

• A commercial real estate debt mess was looming - about $930B in debt coming due, with regional banks holding the bag.

• Justin Sun and Tron got deeper into SEC trouble - while Telegram was pitching TON-based NFT stickers and Avraham Eisenberg got nailed in the Mango Markets case.

OLD NEWS
Other Stuff That Happened Today, But A Long Ass Time Ago ⌛️

April 20

• 1152 - Baldwin III wins control of the Kingdom of Jerusalem. Also, Kingdom of Heaven is one of the worst movies ever.

• 1303 - Mongol invasions into the Levant end when the Egyptian Mamluk Sultanate defeats the Mongol Ilkanate general Qutlughshah and their allies at the Battle of Marj al-Saffar.

• 1653 - Oliver Cromwell dissolves the Rump Parliament.

• 1792 - The French Revolutionary Wars begin.

• 1836 - the Wisconsin Territory is created by Congress.

• 1861 - Robert E. Lee resigns his commission in the U.S. Army to command forces of his native Virginia.

• 1898 - The Spanish-American War begins.

• 1918 - The Red Baron, Mandred von Richtofen, shoots down his 79th and 80th victims a day before his own death.

• 1946 - The League of Nations dissolves.

• 2008 - Danica Patrick wins Indy Japan 300, the first woman to win an Indy car race.

• 2020 - Oil prices drop below zero for the first time in history.

Get In Touch 📬

Email me, Jonathan Morgan, feedback; I’d love to hear from you. 📧
Follow me on Stocktwits 🫂 And Sponsor this newsletter 😎 

Terms & Conditions 📝

Securities Disclaimer: STOCKTWITS IS NOT A TAX ADVISOR, BROKER, FINANCIAL ADVISOR OR INVESTMENT ADVISOR. THE SERVICE IS NOT INTENDED TO PROVIDE TAX, LEGAL, FINANCIAL OR INVESTMENT ADVICE, AND NOTHING ON THE SERVICE SHOULD BE CONSTRUED AS AN OFFER TO SELL, A SOLICITATION OF AN OFFER TO BUY, OR A RECOMMENDATION FOR ANY SECURITY. Trading in such securities can result in immediate and substantial losses of the capital invested. You should only invest risk capital, and not capital required for other purposes. You alone are solely responsible for determining whether any investment, security or strategy, or any other product or service, is appropriate or suitable for you based on your investment objectives and personal and financial situation. You should also consult an attorney or tax professional regarding your specific legal or tax situation. The Content is to be used for informational and entertainment purposes only and the Service does not provide investment advice for any individual. Stocktwits, its affiliates and partners specifically disclaim any and all liability or loss arising out of any action taken in reliance on Content, including but not limited to market value or other loss on the sale or purchase of any company, property, product, service, security, instrument, or any other matter. You understand that an investment in any security is subject to a number of risks, and that discussions of any security published on the Service will not contain a list or description of relevant risk factors. In addition, please note that some of the stocks about which Content is published on the Service have a low market capitalization and/or insufficient public float. Such stocks are subject to more risk than stocks of larger companies, including greater volatility, lower liquidity and less publicly available information. Read the full terms & conditions here. 🔍

Author Disclosure: The author of this newsletter holds positions in AVAX, ADA, PUDGY, WLD, NEAR, INJ, LTC, LINK, ZEC, XLM, and FET. 📋