attack

Michael Egorov, the founder of Curve Finance, posted on the X platform expressing hope that Aave can address the relevant issues. He pointed out that non-isolated lending has good scalability but carries higher risks, with the key being risk management, an area where Aave has historically performed well.He stated that the market can adopt a fully isolated model like that of Curve Finance or a hybrid model, although the latter is very complex, it is feasible. However, the market has yet to understand its advantages. Michael Egorov also mentioned that Aave v4's hub and spoke model might be a step towards a semi-isolated and safer direction.

Due to the Kelp DAO attacker using stolen rsETH to collateralize and borrow ETH on Aave, Aave is suspected to have bad debts, with the specific amount currently unknown.Aave officials stated: "The rsETH market on Aave V3 and Aave V4 has been frozen. We are reviewing the rsETH borrowing information that occurred on Aave after the attack and will share more details as soon as possible. If the protocol has accumulated bad debts due to this incident, we will explore ways to compensate for the losses."OKX market shows that AAVE is currently at 105.15 USDT, down 9.56% in the last 24 hours.

According to Vitalik Buterin (@Vitalik Buterin), the DNS registrar of eth.limo was attacked, and users are advised not to visit vitalik.eth.limo or other eth.limo related pages temporarily, until the official confirmation of normal recovery.

According to RHEA Finance's official disclosure, the NEAR ecosystem lending protocol RHEA Finance (formerly known as Burrow Finance) experienced a margin trading feature hack, resulting in a loss of approximately $18.4 million.The attacker began laying the groundwork several days prior by creating multiple fake token pools on Ref Finance and injecting liquidity, constructing a malicious exchange route that exploited a vulnerability in the protocol's slippage protection mechanism—this mechanism did not account for the scenario where intermediate tokens were reused when calculating the minimum output of multi-step exchanges—leading to the borrowed debt tokens being directed into fake token pools controlled by the attacker, triggering a large-scale forced liquidation that ultimately drained the protocol's reserve pool. During the attack, the attacker deleted a total of 55 intermediate accounts to cover their tracks. Currently, the attacker has returned approximately 3.359 million USDC and 1.564 million NEAR to the RHEA lending contract, while another 4.34 million USDT has been frozen (of which Tether froze 3.291 million and NEAR Intents froze 1.053 million). The protocol contract has been suspended, and the team is collaborating with centralized exchanges for joint tracking and has notified relevant law enforcement agencies.

Rhea Finance released an attack review report, confirming that the actual loss from this vulnerability is approximately $18.4 million, significantly up from the initial estimate of about $7.6 million. The attacker constructed complex trading paths, manipulated liquidity using fake token pools, and directed borrowed assets into pools under their control, while only returning a minimal amount of assets, causing a large number of margin positions to quickly become under-collateralized and trigger liquidation, ultimately depleting the protocol's reserve funds.Currently, approximately $11.2 million in funds have been recovered or frozen, including some USDC and NEAR assets returned by the attacker, as well as about $4.34 million in USDT that has been frozen (with assistance from Tether).

According to the threat intelligence released by the SlowMist security team, its threat intelligence system MistEye has received community feedback regarding an active social engineering attack targeting cryptocurrency users.The attackers contact target users under the pretext of project collaboration, luring them to use a counterfeit "Harmony Voice" software (domain: harmony-voice[.]app) for so-called real-time translation, which is actually malware. SlowMist has synchronized the relevant threat intelligence (IOC) to its corporate clients.

According to Cointelegraph, since the $280 million attack on Drift Protocol on April 1, at least 12 DeFi protocols and cryptocurrency companies have been attacked in just over two weeks.Since early April, attacks on crypto protocols or companies include CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, BSC TMM, Aethir, MONA, Zerion, and the recent Rhea Finance and Grinex exchanges.Among them, the DeFi protocol Rhea Finance reported that the attackers "exploited a vulnerability in Rhea's margin trading feature to execute a coordinated liquidity pool manipulation attack," affecting the Rhea Lend smart contract. According to blockchain security company CertiK, the stolen funds amount to approximately $7.6 million.

In response to the recent attack on the "ListaDAOLiquidStakingVault" contract, ListaDAO officially released a statement clarifying that the attacked contract was not deployed by the official team, but rather was a counterfeit contract created by an unverified third party using a similar name. All official contracts of ListaDAO were not affected by this incident.According to an in-depth analysis by the GoPlus security team, the attack occurred on April 16, 2026, and the root cause was a business logic flaw in the third-party contract. When a token transfer was made, it triggered the Dividend.setShares() function and altered the share accounting within the contract, which in turn affected the reward calculation in the claimReward() function. The attacker exploited this vulnerability to deplete the assets within the contract.GoPlus reminds that since this logical flaw exists in both segments of the contract code mentioned above, any development projects that fork or reuse this code face a high risk of being exploited. It is recommended that relevant developers promptly conduct code inspections and fixes, and implement continuous auditing mechanisms to ensure the security of smart contracts.

The trading platform Grinex, linked to the Russian crypto market, suspended withdrawals and trading on Thursday, citing a "massive cyber attack." The exchange stated that over 1 billion rubles (approximately 13.1 million USD) were stolen, but blockchain analysis firm Elliptic's tracking shows the actual loss is about 15 million USDT.The stolen funds have been exchanged for TRX and ETH through the Tron and Ethereum networks to evade freezing. It is reported that Grinex is seen as the successor to the sanctioned Garantex trading platform, which was targeted by U.S. authorities last year for facilitating the flow of hundreds of millions of dollars in illegal funds.

According to CertiK monitoring, the DeFi protocol Rhea Finance was attacked, with attackers extracting at least $7.6 million in total.The attackers misled the oracle and validation layer to complete the attack by creating fake token contracts and injecting liquidity into newly created funding pools.

CoW Swap tweeted that it has regained control of the cow.fi domain and has been operating normally on cow.finance for some time, and is currently gradually transitioning back to the original domain.The official statement indicated that the attacker deceived the DNS registrar with forged documents on April 14 to gain control of the cow.fi domain; the attacker deployed a highly realistic phishing website, implementing it in two phases: first, inducing users to sign malicious transactions through a wallet stealer, and then stealing mnemonic phrases and passwords through fake wallet pop-ups; this attack targeted the domain registrar and did not involve a breach of CoW Swap's own infrastructure or private keys. Affected users should use tools like Revoke.cash to revoke all authorizations and consider transferring funds to a new wallet.

According to Jinshi citing CCTV reports, U.S. President Trump stated in an interview broadcast on April 15 local time that he believes the war with Iran is "about to end," but also warned that the war could last until the midterm elections in November.Trump again threatened to attack Iranian civilian infrastructure, but at the same time expressed that he "hopes it won't escalate to that point."

According to on-chain analysis platform Arkham (@arkham), attackers exploiting the Bridged Polkadot vulnerability have transferred all stolen funds into Tornado Cash, involving an amount of approximately $269,000.

The crypto wallet Zerion disclosed that North Korean hackers are using AI for long-term social engineering attacks, stealing approximately $100,000 from the company's hot wallet.Zerion confirmed that user funds, applications, and infrastructure were not affected, and has proactively disabled the web application as a precaution. Zerion also stated that the attackers obtained some session and credential information from team members who were logged in, as well as the private keys of the company's hot wallet, and pointed out that AI is changing the way cyber threats operate.

One of the Bitcoin contributors, Jameson Loop, along with other cryptographers, has proposed an initiative that may force Bitcoin holders to migrate their tokens to new quantum-resistant addresses, or else their tokens will be permanently frozen by the network itself. In this scenario, holders technically still own these coins but will lose the ability to transfer them. This is known as Bitcoin Improvement Proposal BIP-361, which was updated on Tuesday in Bitcoin's official proposal repository, titled "Post-Quantum Migration and Old Signature Retirement."BIP-361 builds on the BIP-360 proposal introduced in February. BIP-360 introduced a soft fork (a type of network upgrade) aimed at enabling a new transaction type called "Pay to Merkle Root" (P2MR). This approach draws on Bitcoin's Taproot (P2TR) framework but removes key-based spending paths, thereby eliminating an element widely considered to pose risks in the quantum era.The BIP-361 proposal divides the migration into three phases. Phase A starts three years after activation and prohibits anyone from sending new bitcoins to old, quantum-vulnerable addresses. You can still spend from these addresses, but you cannot receive any coins. Phase B starts five years after activation and will render old signatures (ECDSA and Schnorr) completely ineffective, with the network rejecting any attempts to spend coins from quantum-vulnerable wallets.Essentially, your coins will be frozen. Finally, there is Phase C, which is a rescue plan still under research: holders of frozen wallets may potentially prove ownership through zero-knowledge proofs (a method of proving knowledge of a secret without revealing the secret itself). If successful, the coins frozen in Phase B can be recovered.

According to official news, the Blockaid system has detected a front-end attack targeting Cowswap, and the website COW[.]FI has been marked as a malicious site. If the user's wallet is connected, please revoke authorization immediately and avoid any interaction with this DApp.

According to market news, a report released by the blockchain security company Hacken shows that Web3 projects lost a total of $464.5 million this quarter due to hacker attacks and scams, with phishing and social engineering attacks accounting for $306 million, becoming the main source of losses.A hardware wallet scam that occurred in January caused a loss of $282 million, accounting for 81% of the total quarterly losses. Smart contract vulnerabilities led to losses of $86.2 million, while access control failures (including breaches of keys and cloud services) caused losses of $71.9 million. The report points out that the largest security incidents often occur in off-chain operations and infrastructure layers, which traditional audits find difficult to cover. The European regulatory frameworks MiCA and DORA are increasing requirements for security monitoring and incident response, and global regulatory agencies are also raising standards for real-time monitoring and emergency response.

On Monday local time, the San Francisco District Attorney's Office stated that Daniel Moreno-Gama, the suspect who attacked OpenAI founder Sam Altman last week, has been charged with attempted murder. The Department of Justice announced that the suspect also faces federal charges, including attempting to use explosives to damage property and illegal possession of an unregistered firearm.According to the indictment submitted to the San Francisco federal court on Monday, Daniel Moreno-Gama was arrested after the attack on Friday, and officers from the San Francisco Police Department found a document on him detailing his intentions. In the document, Daniel Moreno-Gama expressed his intent to kill Altman and warned that humanity would be "on the verge of extinction" due to artificial intelligence.

The blockchain interoperability protocol Hyperbridge disclosed details of the previous DOT attack incident, resulting in a loss of approximately $237,000. The root of the vulnerability lies in the HandlerV1 contract's VerifyProof() function, which lacks input validation and does not verify the leaf_index leafCount, allowing attackers to forge Merkle proofs.Using this, the attacker gained administrator privileges for the DOT token bridging contract on Ethereum, subsequently minting 1 billion bridged DOT (which is about 2800 times the legitimate circulation of approximately 356,000) and cashing out on decentralized exchanges. Hyperbridge stated that it is currently working with security partners to trace the funds, and cross-chain functionality will remain suspended until the investigation is completed.