Yesterday, the KelpDAO cross-chain bridge was hacked, and many people said AAVE was stolen, but that's not accurate; $AAVE was affected.

Here's what happened: the attacker found a vulnerability in the KelpDAO bridge contract (using LayerZero), forged a cross-chain message, tricking the contract into thinking it was a legitimate transfer, then minted 116.5k rsETH out of thin air, nearly $300 million, accounting for 18% of the circulating rsETH.
Then he deposited these artificially created rsETH into AAVE V3 and V4 as collateral, borrowing 83k real WETH. AAVE's oracles couldn't distinguish whether these rsETH were real or fake because they exist on the chain, but the underlying is empty.
As a result, these loans will never be liquidated because the collateral itself is just air. AAVE took on nearly $200 million in bad debt, and the token price dropped 10%.
AAVE's own code wasn't broken, but this incident prompts us to think more deeply: is DeFi's composability an advantage or a hidden risk? No matter how well you write your contracts, as long as the collateral assets have issues, you're doomed. Security boundaries are never solely determined by you; they depend on the weakest link in the trust chain.
From Ronin to Wormhole to KelpDAO now, cross-chain bridges have always been the biggest security black hole in DeFi.
Another thing: previously, Anthropic publicly announced they trained a model called Claude Mythos but decided not to release it publicly. The reason is that this model can autonomously discover and exploit critical software vulnerabilities, and after assessment, they believe the risk of misuse is too high.
Thinking about these two things together: current contract vulnerabilities are still found by humans or with current AI, but if more powerful AI models emerge in the future, the speed and scale of finding vulnerabilities will be on a completely different level. DeFi protocols lock hundreds of billions of dollars, and with all smart contract code open source, it becomes a pure ATM for AI hackers.