The exploit that shook DeFi
GM friends.
Here's what I'll cover today:
What we know about the rsETH exploit
Crypto chart of the week
The latest DeFi news
What we know about the rsETH exploit
Kelp DAO suffered one of the largest DeFi exploits in a long time last week.
116,500 rsETH (worth ~$290M) were minted out of thin air by a hacker who exploited KelpDAO's rsETH bridge powered by LayerZero via a forged cross-chain message.
While this alone is a terrible event, the fact that rsETH was deeply integrated into DeFi made things much worse.
For example, it was supported as collateral on Aave.
Once the hacker minted the rsETH tokens, he immediately used them to borrow ETH against them on Aave, leaving Aave with over one hundred million dollars in bad debt.
And Aave is not the only protocol affected by this exploit.
Compound, Lido's EarnETH vault, some Morpho lenders, Hyperithm's mHyperETH product, Superform's SuperWETH vault, and many other protocols were also impacted as they had some exposure to rsETH in one way or another.

Whose fault is it here?
This situation is a bit more nuanced than in other exploits like Drift, because the hacker exploited Kelp DAO's rsETH bridge, which was powered by LayerZero, rather than Kelp DAO's own smart contracts.
And no one seems to want to take responsibility. LayerZero is blaming Kelp DAO, and Kelp DAO says that it is the fault of LayerZero.
Now, if we look at this situation objectively, here are some facts:
For this attack, the hacker compromised two of the RPC providers that LayerZero DVN was using in order to be able to mint rsETH
Kelp DAO was running only a 1/1 DVN (multisig) setup for its rsETH bridge (meaning that there was a single verifier that had to approve a fake transaction as real for the exploit to succeed)
LayerZero blames Kelp DAO for using a 1/1 DVN configuration, but at the same time, LayerZero is the one who allowed dApps to use a 1/1 DVN in the first place
47% of the dApps leveraging LayerZero's bridge infrastructure used a 1/1 DVN before the hack, so Kelp DAO was not the only one
So, without getting into too many technical details, to me it seems obvious that LayerZero deserves most of the blame and should recognize their mistakes.
Indeed, the fault of Kelp was that it used a single verifier (1/1 DVN) for its rsETH bridge. Using multiple verifiers could have prevented this exploit.
But this hack wouldn't have been possible if the RPC nodes hosted by LayerZero hadn't been compromised in the first place.
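The 1/1 versus multi-verifier point above, as an added example that is not LayerZero's or Kelp DAO's code: a simplified model of a receiving bridge that accepts a message only when enough distinct trusted verifiers attest to the same payload hash. All names (`BridgeConfig`, `dvn-a`, the message fields) are hypothetical and the sample message is constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgeConfig:
    verifiers: frozenset  # verifier ids the receiving side trusts (hypothetical)
    required: int         # distinct verifiers that must attest to the same hash

def payload_hash(src_chain, nonce, recipient, amount):
    """Hash that every verifier is expected to attest to for one message."""
    data = f"{src_chain}|{nonce}|{recipient}|{amount}".encode()
    return hashlib.sha256(data).hexdigest()

def accept(config, msg_hash, attestations):
    """attestations: iterable of (verifier_id, attested_hash) pairs.
    Unknown verifiers are ignored and repeats from one verifier count once."""
    signers = {v for v, h in attestations
               if v in config.verifiers and h == msg_hash}
    return len(signers) >= config.required

def audit(config):
    """Flag verifier setups in which one bad attestation is enough."""
    findings = []
    if config.required < 1 or config.required > len(config.verifiers):
        findings.append("invalid threshold")
    elif config.required == 1:
        findings.append("single point of failure: one verifier can approve any message")
    return findings

def demo():
    # Constructed forged message: no matching event exists on the source chain.
    forged = payload_hash("source-chain", 42, "0xRECIPIENT", 116_500)
    # dvn-a was fed false data and attests (twice); dvn-x is not a trusted verifier.
    # The honest dvn-b and dvn-c see no source event, so they never attest.
    atts = [("dvn-a", forged), ("dvn-a", forged), ("dvn-x", forged)]
    one_of_one = BridgeConfig(frozenset({"dvn-a"}), 1)
    two_of_three = BridgeConfig(frozenset({"dvn-a", "dvn-b", "dvn-c"}), 2)
    return {
        "1/1 accepts forged": accept(one_of_one, forged, atts),
        "2/3 accepts forged": accept(two_of_three, forged, atts),
        "1/1 audit": audit(one_of_one),
        "2/3 audit": audit(two_of_three),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```
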
What's next?
Fortunately, almost a third of the funds stolen by the hacker had already been recovered by Arbitrum, which announced it had frozen the hacker's funds.
This doesn't look great from a decentralization perspective.
But I think it is better to do this and protect users, given that it is possible, than pretend that L2s are fully decentralized when in reality they aren't.
Meanwhile, Aave is considering multiple solutions to cover the bad debt it incurred.
LlamaRisk, Aave's risk manager, outlined two potential scenarios:
Uniform socialization of losses across all chains where Aave is deployed, with ETH lenders on Ethereum mainnet being left with a 1.54% loss
Isolate losses to the L2s where rsETH was used as collateral by the hacker to borrow WETH, with ETH lenders on Mantle being left with a 71% loss
These numbers were mentioned before Arbitrum froze 30,766 ETH held by the hacker, so the loss will likely be smaller.
There's a chance that Aave uses its treasury to cover a part of the bad debt. Mantle also confirmed it's working on a recovery plan.
My hope is that the final resolution will include no losses or very small losses for Aave users. Aave has long been perceived as the best DeFi app for low-risk yield, and this incident, unfortunately, significantly damaged its reputation.
Lastly, I've seen many people say that DeFi is dead because of this exploit that affected so many tier-1 protocols.
I don't agree with this, as this industry has faced many setbacks over the past years and has always managed to make a comeback in one way or another.
DeFi will be fine, but there's a lot of work to be done to make it secure first.
Together with Apyx
The first dividend-backed stablecoin protocol
Most stablecoins and DeFi yields today work against your crypto portfolio.
Apyx flips that model entirely.
Instead of relying on opaque trading strategies, Apyx sources yield from Digital Asset Treasury (DAT) preferred equity, such as Strategy's STRC and Strive's SATA.
In this way, it is directly contributing to creating additional buy pressure for BTC, while also generating a high yield.
Here's how it works:
Apyx allocates its stablecoin backing collateral to three things: DAT-issued preferred equity (STRC & SATA), cash, and T-bills
Via STRC, Strategy is raising money in order to buy BTC - so the more money that Apyx allocates to STRC, the more BTC Saylor's Strategy accumulates
By buying STRC, Apyx gets a high dividend yield of 11.5% annualized at the time of writing, which goes to its apyUSD yield-bearing asset holders
apyUSD currently has an APY of 11.83%, and it is targeting a 13% APY. It can also be used on various DeFi apps, such as Pendle and Morpho, to earn a double-digit yield.
Apyx has two core assets: apxUSD, a non-yield-bearing stable dollar, and apyUSD, a yield-bearing asset. The yield generated by the underlying collateral accrues entirely to apyUSD holders.
Both earn points toward a future APYX airdrop, the protocol's governance and value-accrual token tied to reserve growth from preferred equity dividends and onchain digital credit activity.
And the more that Apyx grows, the more buying pressure it puts on BTC.
Its S1 points program ends in 4 weeks, with 5% of Apyx's future token supply allocated to it. Season 2 will happen right after that.
Chart of the week
Crypto cards are gaining massive traction
The latest developments in DeFi
Polymarket announced the launch of its own perps DEX
Jupiter Lend enabled borrowing against tokenized stocks
Pendle airdropped ~$7.5M in CHIP tokens to sPENDLE holders
Alchemix launched Alchemix V3 - a new DeFi lending primitive
Base announced Base Azul - a network upgrade that will enable it to process up to 5,000 TPS and increase decentralization
Drift announced a hack recovery pool with up to $147.5M from Tether and other partners. The package includes a revenue-linked credit facility
Catalysis, a DeFi insurance vault protocol powered by EigenCloud, went live
USDai, a GPU-backed stablecoin protocol, launched its token CHIP
Kelp DAO's rsETH was unfortunately exploited for $290M
Arbitrum froze 30,766 ETH held by the rsETH exploiter
Optimism announced stake-based transaction ordering - a feature that enables users to get their transactions processed faster by staking OP
Hit One, a gamified dApp offering 1000x leverage, went live on MegaETH
Brix is launching wiTRY, the first Turkish Lira stablecoin with 37% APY, today
Extended implemented daily withdrawal caps to protect itself against exploits
Avici released Avici Grow and Smart Credit, enabling users of its on-chain neobank to take loans and earn yield via Fluid
Drift hack victims sued Circle for refusing to freeze stolen USDC funds
That's all for this week!
Until next time,
The DeFi Investor




