Key Takeaways
- On April 18, attackers drained 116,500 rsETH tokens valued at $292 million from Kelp DAO through a LayerZero bridge vulnerability
- The stolen assets were deposited on Aave V3 as collateral to borrow wrapped Ether tokens
- Aave’s risk assessment team has identified two potential bad debt outcomes: $123.7 million or $230.1 million
- A dispute has erupted between Kelp DAO and LayerZero regarding the 1-of-1 DVN security setup
- Aave maintains $181 million in treasury reserves that could serve as emergency backup funds
In what stands as 2026’s most devastating DeFi security breach, Kelp DAO experienced a catastrophic exploit on April 18 when malicious actors successfully extracted 116,500 rsETH tokens—approximately $292 million—through a compromised LayerZero cross-chain bridge.
According to LayerZero’s analysis, the perpetrators—suspected to be North Korea’s notorious Lazarus Group—infiltrated a set of RPC nodes operating within its decentralized verifier network (DVN). The sophisticated attack involved poisoning two nodes while simultaneously launching a DDoS assault on a third, effectively deceiving the system into validating a fraudulent cross-chain transaction that generated 116,500 rsETH tokens.
Kelp DAO responded swiftly once the security breach came to light. The protocol immediately froze all affected smart contracts and placed restrictions on wallet addresses connected to the perpetrator, a defensive measure that successfully blocked the potential loss of an additional 40,000 rsETH valued at approximately $95 million.
The compromised tokens were subsequently transferred into Aave V3. The hacker deposited 89,567 rsETH—worth roughly $221 million—as collateral and withdrew 82,650 wrapped Ether plus 821 wstETH, creating positions with dangerously low health ratios and exposing Aave to significant bad debt risk.
Since the exploit occurred, approximately $10 billion in total value has exited Aave’s platforms.
The Blame Game Begins
LayerZero released an analysis sharply criticizing Kelp DAO’s implementation of a 1-of-1 DVN configuration, characterizing it as an inherent vulnerability. The company stated that Kelp had received recommendations to implement a more diversified DVN architecture but declined to act on that guidance.
Kelp DAO fired back, arguing that the 1-of-1 configuration represents the standard setup explicitly outlined in LayerZero’s official documentation. The protocol maintained that this architecture was “expressly validated as suitable” by LayerZero during its expansion into layer 2 blockchain networks.
Both organizations claim to be collaborating on resolution strategies.
Aave Weighs Two Loss Scenarios
LlamaRisk, Aave’s risk management service provider, has constructed two distinct scenarios for potential bad debt outcomes, contingent upon Kelp DAO’s forthcoming decisions.
The first pathway distributes losses proportionally among all rsETH token holders across Ethereum mainnet and layer 2 networks. This approach would trigger a 15% depegging of rsETH and generate approximately $123.7 million in bad debt for Aave. Ethereum’s primary market would shoulder the largest nominal impact at $91.8 million, although its substantial reserves would limit the actual shortfall to 1.54%.
Mantle would experience the most severe percentage impact at 9.54% in this scenario.
The alternative pathway confines all losses exclusively to layer 2 networks, preserving full backing for Ethereum mainnet rsETH. This strategy would impose a 73.54% reduction on layer 2 collateral values and escalate total bad debt to $230.1 million distributed across Mantle, Arbitrum, and Base markets.
In the first scenario, Aave’s Umbrella security module holds $54 million that is available as emergency protection. This safeguard would not apply in the second scenario.
Aave emphasized that the ultimate resolution hinges on Kelp DAO’s adjustments to its rsETH accounting methodology and oracle exchange rate mechanisms. The Aave DAO currently controls $181 million in treasury resources and has secured pledges from ecosystem stakeholders to provide support should bad debt materialize.
As of Monday, Kelp DAO confirmed it continues evaluating the financial ramifications and has yet to disclose a loss distribution framework or recovery strategy.


