News linked to this event type.
Solv Protocol has announced the migration of over $700 million in tokenized Bitcoin assets to Chainlink's cross-chain protocol CCIP, and will gradually phase out LayerZero's bridging support across multiple chains. The migration involves core assets such as SolvBTC and xSolvBTC. Solv stated that the decision is based on the latest security reviews and recent cross-chain security incidents, and CCIP will become its standard cross-chain infrastructure. This move follows Kelp DAO's migration of approximately $290 million in assets to Chainlink, further strengthening the trend of "cross-chain infrastructure shifting toward security-first migration." (CoinDesk)
Linda Jeng, Chief Legal and Policy Officer at Aave Labs, stated during Consensus Miami 2026 that Aave's previous risk framework overly focused on financial risks and price volatility. Looking ahead, the protocol will incorporate assessments of cross-chain interoperability, cybersecurity vulnerabilities, and underlying asset architecture. This reform directly stems from the rsETH incident that occurred in April. At that time, an attacker exploited a vulnerability in the KelpDAO cross-chain bridge to mint approximately 116,500 unbacked rsETH (valued at around $293 million), deposited it as collateral into Aave, and borrowed real WETH, leading to significant bad debt risks for the protocol. Jeng revealed that Aave will also release a formal "listing standards handbook" for asset issuers in the future, and will begin evaluating the correlation between DeFi protocols from a systemic risk perspective, rather than analyzing individual pools in isolation. Additionally, a "DeFi United" bailout plan involving Lido Finance, EtherFi, Ethena, and others has been launched to cover collateral shortfalls and prevent further proliferation of bad debt. (CoinDesk)
Lido has provided the latest update on the Kelp security incident, stating that the Snapshot vote regarding the EarnETH first-loss protection mechanism falling below the 1% threshold has reached quorum and been approved. User losses from EarnETH will be fully covered by Lido Earn’s first-loss mechanism. The rsETH held by the attacker has been liquidated, and the related stETH has been transferred to the DeFi United rescue plan. Additionally, the EarnETH vault is expected to reopen shortly after the Kelp protocol resumes operation, at which point users will be able to deposit and withdraw funds normally. Lido emphasized that during the freeze period, both the EarnETH and EarnUSD vaults continued to generate yield. Currently, EarnETH users only need to wait for a brief unfreezing process to complete. Once funds are restored, compensation will be provided in accordance with the first-loss protection mechanism.
1inch market maker TrustedVolumes confirmed on the X platform that it had been attacked, disclosing that the stolen funds are currently held in three addresses, with a total amount of approximately $6.7 million. Two of the addresses each hold about $3 million in assets, while another address holds approximately $700,000 in assets. Meanwhile, TrustedVolumes expressed its willingness to engage in constructive communication with the attacker regarding a bug bounty and mutually acceptable solutions.
According to Cointelegraph, Marlon Ferro, a 20-year-old man from California known online as “GothFerrari,” was sentenced to 78 months in federal prison, three years of supervised release, and ordered to pay $2.5 million in restitution for his involvement in a cryptocurrency theft ring responsible for over $250 million in losses. Prosecutors stated that when co-conspirators were unable to remotely breach victims’ systems or trick them into surrendering their crypto assets, Ferro carried out physical break-ins to steal hardware wallets containing the funds. The group operated from late 2023 through early 2025 and its members were also involved in database intrusions, target identification, scam phone calls, and money laundering. The investigation was led by the FBI and the IRS Criminal Investigation Division.
1inch announced on X that it has taken note of the reports concerning TrustedVolumes and confirmed that neither 1inch nor any of its protocols are involved in this incident. The 1inch system, infrastructure, and user funds remain unaffected. TrustedVolumes operates independently as a liquidity provider and is utilized by multiple protocols across the industry—not exclusively by 1inch.
1inch posted on the X platform, stating it has taken note of reports concerning TrustedVolumes and confirmed that neither 1inch nor any of its protocols are involved in the incident. The 1inch system, infrastructure, and user funds remain unaffected. TrustedVolumes operates independently as a liquidity provider and is utilized by multiple protocols within the industry, not exclusively by 1inch. 1inch will continue to monitor the situation and actively assist relevant security parties as appropriate.
According to on-chain data platform Santiment (@SantimentData), as Bitcoin’s price reclaimed the $80,000 level, the ratio of bullish-to-bearish comments on social media rose to 1.37:1.00—the highest in nearly four months—signaling a notable surge in market optimism. However, Santiment cautions that historically, sharp increases in bullish sentiment often serve as warning signs rather than buy signals. When retail FOMO dominates social media discussions, traders tend to enter positions late in the trend, raising the likelihood of local tops, profit-taking, and sudden price volatility. Santiment notes that peak market euphoria frequently coincides with the onset of waning momentum. By comparison, following the Kelp DAO vulnerability incident in mid-April, social sentiment plunged into deeply bearish territory; the exit of “weak-handed investors” instead laid a healthier foundation for the current rally. With sentiment now having reversed dramatically, Santiment advises traders to remain vigilant against potential risks stemming from excessive leverage and overly concentrated positions.
According to The Block, a U.S. federal court sentenced Marlon Ferro of California—known online as “GothFerrari”—to 78 months in prison, three years of supervised release, and $2.5 million in restitution. Ferro participated in a nationwide social engineering fraud scheme spanning from late 2023 to early 2025, involving over $250 million worth of cryptocurrency assets. The criminal group employed a range of tactics—including database breaches, fraudulent phone calls, money laundering, and residential burglaries—specifically targeting victims holding large amounts of cryptocurrency assets. Ferro carried out two residential burglaries to steal hardware wallets and assisted in laundering illicit funds. U.S. prosecutors stated that this sentence sends a clear message: cryptocurrency fraud is a serious criminal offense and will result in federal imprisonment.
According to PeckShieldAlert’s monitoring, TrustedVolumes was attacked, resulting in losses of approximately $5.9 million, including $3.02 million in ETH, $1.37 million in WBTC, and $1.47 million in stablecoins; the attacker has exchanged the stolen funds for 2,513 ETH.
According to CertiK Alert, an attacker stole approximately $5.87 million. The attacker exploited a public function to register as an AllowedOrderSigner and then executed orders to transfer pre-approved funds from victims’ addresses. CertiK urges users to immediately revoke approvals for the vulnerable contract and remain vigilant.
Aave stated that, per the previously disclosed technical recovery plan, the attacker’s rsETH positions on Ethereum and Arbitrum have been liquidated on Aave, and the associated collateral assets have now been transferred to the Recovery Guardian address designated by the AIP. Aave noted that this action did not impact other users, nor did it affect the Umbrella mechanism, and emphasized that this step is a critical milestone in the overall recovery roadmap, with further recovery efforts continuing as planned.
Aave has announced the completion of the liquidation of the remaining rsETH position belonging to the Kelp DAO attacker. The related collateral assets will be transferred to the Recovery Guardian multi-signature wallet managed by DeFi United, to be used for restoring rsETH reserves and compensating affected users. This liquidation is part of the recovery plan following the previous $292 million attack incident. Aave had previously passed a governance vote to temporarily adjust the rsETH oracle price in order to create bad debt in the attacker's position and trigger liquidation. The relevant parameters will be restored upon completion of the liquidation. Previously, the attacker exploited the Kelp DAO cross-chain bridge based on LayerZero to forge 116,500 unbacked rsETH and borrowed ETH from protocols such as Aave and Compound. Currently, the recovery funds managed by DeFi United have exceeded $320 million.
According to Cointelegraph, Coinbase has been sued in a U.S. federal court in California over frozen funds linked to a $55 million DAI phishing theft that occurred in 2024. The plaintiffs allege that some traceable stolen funds—after being mixed via Tornado Cash—were deposited into Coinbase retail user accounts and remain frozen. Coinbase states it can only release the assets after a court rules on their ownership. The complaint also links the theft to the malicious wallet drainer platform Inferno Drainer. Victims had engaged Zero Shadow and Five Stones Intelligence to track the stolen funds.
Bitcoin Core developers have disclosed a high-risk vulnerability numbered CVE-2024-52911, affecting versions 0.14.1 through 28.4. Attackers can exploit this vulnerability by constructing a special block to remotely crash other nodes and execute code. The vulnerability was discovered and privately reported by developer Cory Fields in November 2024. The fix was merged in December 2024 and officially launched in the v29 release in April 2025. Currently, support for the last vulnerable version in the 28.x series ended on April 19, 2026. However, since upgrading Bitcoin nodes is voluntary, it is estimated that approximately 43% of nodes are still running vulnerable old versions, posing a potential security risk.
Kelp DAO has announced the migration of its restaking token rsETH to Chainlink CCIP, citing enhanced security as the reason for this move. Previously, a cross-chain bridge built by Kelp DAO on LayerZero was attacked on April 18, with hackers stealing approximately 116,500 rsETH, valued at around $292 million, and using the assets as collateral to borrow WETH on Aave v3. Regarding the cause of the vulnerability, LayerZero previously stated that the issue stemmed from Kelp DAO using a single DVN verification path configuration rather than multiple independent verifications. Kelp DAO responded that this configuration was the default setting and that LayerZero had confirmed its security without flagging any related risks. LayerZero CEO Bryan Pellegrino subsequently denied this claim, stating that Kelp DAO had proactively modified the default multi-DVN configuration. Both parties continue to dispute responsibility for the incident. (Cointelegraph)
According to security firm Blockaid (@blockaid_), Ekubo Protocol’s v2 custom extension contract on Ethereum is under an ongoing attack, resulting in losses of approximately $1.4 million so far. The root cause lies in the IPayer.pay callback within this extension, which fails to properly restrict the origin of its parameters—enabling attackers to control the payer, token, and amount parameters and thereby arbitrarily transfer authorized tokens. Users of Ekubo’s core protocol remain unaffected; however, users who have authorized the v2 contract (0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd) as a token spender face direct risk. Blockaid recommends that affected users immediately revoke their approvals.
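SlowMist founder Yu Xian posted on the X platform: "Contracts related to Ekubo have been maliciously exploited. The cause is that if a user had previously approved the relevant tokens to 0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd, as with this unlimited WBTC approval by user 0x765DEC (158 days ago), the attacker can designate the approved user as the payer and, in payCallback, have that contract call WBTC transferFrom(victim, Ekubo Core, amount), then move the assets to the attacker through the withdraw/pay settlement flow of Ekubo Core (0xe0e0e08A6A4b9Dc7bD67BCB7aadE5cF48157d444). This operation was executed 85 times, 0.2 WBTC each time, and user 0x765DEC ultimately lost 17 WBTC. Users are advised to follow the official notice as soon as possible and check approvals for the following contracts: 0x8ccb1ffd5c2aa6bd926473425dea4c8c15de60fd (V2), 0x4f168f17923435c999f5c8565acab52c2218edf2 (V3), Arbitrum: 0xc93c4ad185ca48d66fefe80f906a67ef859fc47d (V3)."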
Ekubo Protocol officially stated on the X platform that an active security incident has been identified in the Ekubo Swap Router contract on EVM chains. The impact is limited to EVM chains, with LPs unaffected; Starknet is also unaffected. The team is investigating the scope of the issue, but as a safety precaution, users are advised to revoke all approvals.
According to Decrypt, an anonymous cryptocurrency whale filed a lawsuit against Coinbase this week in the U.S. District Court for the Northern District of California, accusing the exchange of refusing to return over $55 million worth of DAI stablecoins stolen in a phishing attack in 2024. The plaintiff claims to have engaged multiple on-chain investigation firms to trace the funds, ultimately identifying that the stolen assets flowed into a Coinbase account. Coinbase confirmed in December 2024 that it had frozen the relevant assets but refused to return them, citing the need for a court order. As of today—more than a year and a half after the incident—the victim has still not recovered the assets and has therefore turned to litigation. The attack was carried out by hackers using the “Inferno Drainer” tool to spoof the DeFi Saver login page; after the victim inadvertently interacted with the fake page, their wallet was fully compromised by the attackers.