Yet another hack that could've been prevented by ICP | Internet Computer

Added: 2026-05-06

[00:00:00]Welcome back to Blockchain Pill. My name is Alex and welcome back to a new episode. There has been another massive hack in crypto DeFi and this time Aave, the leading protocol when it comes to borrowing and lending in DeFi and liquidity, is seeing massive outflows, 6 billion or 8 billion at the time of recording this video. And once again, the attack vector was a bridge. So, let's have a look at what happened, why DeFi is in trouble if it keeps using the same old solutions and how ICP can actually solve DeFi so that it actually has a future. We have this article from CoinDesk, Aave sees 6 billion deposit drop as Kelp hack exposes structural risk for DeFi lender. The Aave token also fell 16% and deposits fled the protocol after attackers used drained rETH, which is a wrapped version of ETH that the attackers used as collateral to borrow wrapped ether. And this is the same problem every single time. And just in April, close to 600 million dollars have been stolen in hacks and most of them being bridge hacks and I've done episodes like this before. ICP has already solved this problem with ckETH and ckBTC, which are twins to BTC and ETH and they don't rely on bridges.

[00:01:14]There is not a trusted intermediary that can be hacked. On Saturday, attackers tricked Kelp's cross-chain bridge into releasing 116,500 rETH, about 292 million dollars worth, to an address that they controlled. They then deposited that stolen rETH into Aave V3 as collateral and borrowed wrapped ether against it. Now, people are getting their money off of Aave because they don't want their money to be lent against this fake rETH that the hackers have used. And let's have a look at how this hack happened. LayerZero may have enabled the largest DeFi exploit of 2026, says Coin Bureau. The 290 million rETH drain wasn't a surprise, it was a LayerZero design choice coming due.

[00:02:00]LayerZero is the messaging layer that moves value between blockchains. When a token is bridged, LayerZero is what tells the destination chain, yes, this is locked on the other side, release the wrapped version. LayerZero secures these messages through something it calls a decentralized verifier network or DVN.

[00:02:18]In theory, a DVN is a group of independent nodes that must all attest a cross-chain message is real before it executes. In practice, LayerZero made a design choice, every app gets to pick its own DVN setup and LayerZero enforces no minimum. An app can require five of seven independent verifiers or two of three or the worst one, one of one. And Kelp DAO, the bridge used and exploited, picked one of one and that one was LayerZero's own node. The attackers then did what competent attackers do with a single point of failure, they poisoned the RPC nodes that LayerZero Labs DVN uses to read blockchain state, fed it a fake transaction, DDoS'd the clean ones so the DVN had no choice but to trust the poisoned feed. The DVN signed the message locked in and 116,500 rETH walked out in one transaction. In order for this 116,500 rETH to come out on the other side, you would have had to lock the same amount of ETH on the other side. That didn't happen, this 116,500 rETH were fake. They then went to Aave and borrowed real ETH against it and then, you know, they took the funds away. And what followed after the fake ETH was used as collateral to borrow against. Now, everybody realized that and everybody's trying to get their money off of Aave and we've already seen 6 billion or 8 billion being taken out.

[00:03:42]I don't want to go into, you know, how this affects Aave right now because Aave is not at fault. What is at fault are the bridges or this particular bridge that Aave has used as a dependency. Kelp was not able to verify that the ETH that they bridged was real and it wasn't and this caused it. So, I want to go to the solution that ICP has been working on and it's been live for the past year or a couple of years already and that solution is chain fusion. Mainly ckBTC or ckETH and we're going to explore what they are and how they work and how they are different than a bridge version of ETH or BTC. Chain key tokens are a family of twin tokens one-to-one backed by the original token on the original chain and fully automated via canisters, which are the smart contracts on ICP.

[00:04:29]ckBTC is the twin of BTC and ckETH is the twin of ETH. In practical terms, they let you use Bitcoin and Ethereum on the Internet Computer with faster transactions finalized within seconds and significantly cheaper fees than on native networks. Tokens are minted when a user transfers Bitcoin to a specific Bitcoin address under the ckBTC minter's control. That Bitcoin address uniquely identifies the owner of the sent Bitcoin and the backing BTC is held entirely on chain by smart contracts. For ckETH, same story. To mint ETH, a user deposits ETH into the ckETH contract on Ethereum specifying their ICP principal or wallet address. The ckETH minter canister monitors the Ethereum network for those deposits and upon detecting a valid deposit, mints the corresponding amount of ckETH to the user's account on ICP.

[00:05:18]This is where ck tokens stand apart.

[00:05:20]Traditional bridges like wrapped BTC or wrapped ETH rely on a custodian or a multi-sig setup. A centralized entity or federation holds the real asset and issues the wrapped version. This creates a trust risk, the custodian can be hacked, rug pulled or go insolvent as seen with several bridge exploits. And we've seen two major bridge exploits this month alone in April. And as I mentioned earlier in the video, close to 600 million dollars lost in hacks just in April. ck tokens are safer than traditional wrapped tokens because they are fully automated. They don't rely on any central entity or multi-sig setup and the canisters running the code are under the NNS control. The NNS is what governs the Internet Computer Protocol.

[00:06:05]Every single update of the ICP blockchain needs to go through the NNS DAO and the ICP token holders vote whether or not an update happens. The key technology enabling this is threshold cryptography. ICP's direct integration with Bitcoin uses a novel protocol for chain key signatures based on threshold signatures. An ECDSA or Schnorr private key only exists in a secret shared form during its lifetime.

[00:06:29]Whether it's being generated, shared within a subnet or shared from one subnet to another, this means that no single node or party ever holds the full private key to the backing assets. In traditional blockchain architectures, token wrapping involves an off-chain trusted intermediary and a token ledger smart contract. ck tokens eliminate that off-chain intermediary entirely. And the core philosophical difference is that ck tokens are not bridged. They use cryptographic integration directly with the source chain removing the trusted third party that is the single biggest security risk in traditional cross-chain asset wrapping. So, as we saw, bridges are a big, big problem in crypto, especially with the advance of AI. You can now have an AI, you train it to be able to hack protocols, you just show it the code, it does the hacking for you.

[00:07:19]You can now do the work of a big team of hackers in hours or minutes. So, we're going to see more and more hacks if something doesn't change. And in my opinion, Aave taking a big hit is going to affect DeFi if nothing really changes because it's not just whales trying to get some APIs or APRs on their assets, it's exchanges as well. So, whenever you stake your tokens on Binance or Coinbase or MEXC or on any other centralized exchange, they stake your money on platforms like Aave to be able to give you the API. So, it's going to be a big problem. I don't know if this is going to be contained or not, but it's definitely something happening right now that we should all pay attention to. And most importantly, people should be looking for solutions. How can we avoid getting bridges hacked? And maybe the solution is to not use bridges anymore and actually use the solutions that bypass bridges and bypass the security risks that bridges come with. And we have the solutions, Dfinity has built them over the years. One or two years have passed since Dfinity actually built this solution, ckETH and ckBTC. So, definitely worth looking into it. I will make a video breaking down ckETH and ckBTC into more details so that it's easier to understand. I just wanted to put this out. So, unfortunately, that's DeFi and all hacks happen, but it gets you wondering, is it really worth getting into DeFi just to get a 5% APR or 10% or 15% APR if you risk losing 100% of your funds? I don't think DeFi is going to get mass adoption until you get a security guarantee that your money are actually safe. Otherwise, it's not going to make any sense, especially with the rise of AI. I'm sorry for everybody who was involved in this incident and who lost money on that. But let's go back to ICP and see what's been happening inside our ecosystem. And I have an update for Mission 70. The 40% reduction to Gen 1 node providers has passed. I guess it actually went into effect as well. We have a new AI agent, ICP skill, and that is ckBTC. And we just talked about ckBTC, how important it is and it allows you to use Bitcoin in DeFi without having a wrapped version of Bitcoin. And there is a plethora of ICP skills for AI agents that allow you to build more securely and better and faster on ICP. You can check them out at skills.internetcomputer.org.

[00:09:40]We have an update from Caffeine as well.

[00:09:42]They reached a new milestone. As many of you who watch this channel know, Caffeine AI V3 was released a week ago or a couple of weeks ago and now we have the stats, a new milestone, 200 plus apps published in the Caffeine app market by the community, over 50,000 remixes, if you build an app, you can submit it to the Caffeine marketplace.

[00:10:02]Other people can take the base of the app that you build and make it theirs and build on top of it. This far, 50,000 plus remixes. That's a good number, and those are the categories of apps that people have remixed. 67 are productivity apps, 47 are education apps, 28 games, 24 social network apps, nine travel apps, seven apps for shopping, and 18 other apps. I think somebody is curating the apps that actually get into the Caffeine marketplace. That would make sense. And in the future, you are going to be able to submit apps, and then whenever people are remixing your app, you're going to be able to make some money. And this is a marketplace. You can check it out on the Caffeine AI website. You can basically take any app from here, which has, you know, the basic functionality of the app, and then you can build on top of it. So, for example, you can take this Tetris or whatever this one is, and you can, you know, make it like magic Tetris or, you know, add a a bunch of cool fun stuff on top of it. And people are really killing it with Caffeine AI V3. Somebody actually built a Rocket League clone with just a few prompts. This was retweeted by Dominic Williams, the founder at Dfinity. And he says, "Created on the Internet Computer, the world's only sovereign tamper-proof cloud for AI agent. Chat prompts only.

[00:11:20]This is revolutionary and amazing." It really does indeed look incredible. And of course, yeah, it's not as polished as the real Rocket League, but with just a few prompts to be able to build something like this hosted on ICP is just incredible. And let's check the ICP cycle burn rate. We're currently sitting at $4,500 per day. I would expect as more and more people discover Caffeine AI, more and more people want to build secure apps that cannot be hacked, these numbers are going to go into the high thousands. And that coupled with Mission 70 is finally going to make ICP deflationary. I'm just looking forward to see Mission 70 finally out. And let me know what you think about DeFi. Would you put your money into DeFi just to earn, you know, 5% or 10-15% if the risk is, you know, losing 100% of your assets? Let me know in the comment section below. And this is the video for today. Thanks for watching, and I'll see you guys in the next video.