TLDR
- On April 18, attackers exploited Kelp DAO’s LayerZero bridge infrastructure and made off with 116,500 rsETH tokens valued at $292 million
- The stolen assets were deposited on Aave V3 as collateral to extract wrapped Ether loans
- Aave faces potential bad debt ranging from $123.7 million to $230.1 million depending on recovery approach
- LayerZero and Kelp DAO are locked in dispute over responsibility for the 1-of-1 DVN configuration vulnerability
- Aave maintains $181 million in treasury reserves to potentially cover losses
On April 18, Kelp DAO experienced what has become 2026’s most devastating DeFi security breach to date. Attackers successfully extracted 116,500 rsETH tokens from the protocol’s LayerZero-based cross-chain bridge infrastructure, draining approximately $292 million in assets.
According to LayerZero’s investigation, the perpetrators—suspected to be the notorious Lazarus Group linked to North Korea—compromised a roster of RPC nodes operating within its decentralized verified network. The attack strategy involved poisoning two nodes while simultaneously launching a DDoS assault against a third, effectively manipulating the system into validating a fraudulent cross-chain transaction that authorized the minting of 116,500 rsETH.
Kelp DAO responded swiftly once the security breach came to light. The protocol immediately froze all affected smart contracts and placed blacklist restrictions on wallet addresses associated with the attacker. According to Kelp’s assessment, these emergency measures successfully prevented the theft of an additional 40,000 rsETH, protecting approximately $95 million in user funds.
The compromised tokens were subsequently transferred to Aave V3. The attacker deposited 89,567 rsETH—representing roughly $221 million—as collateral, then extracted 82,650 wrapped Ether along with 821 wstETH. These positions now operate at critically low health factors, creating significant bad debt exposure for Aave.
Since the exploit occurred, Aave has experienced withdrawals totaling nearly $10 billion.
Who Is Responsible?
LayerZero released an investigative report placing blame on Kelp DAO’s 1-of-1 DVN configuration, characterizing it as an architectural vulnerability that established a single point of failure. According to LayerZero, Kelp had received recommendations to implement a more diversified DVN structure but declined to do so.
Kelp DAO contested this assessment, emphasizing that the 1-of-1 configuration represents the standard default setup explicitly outlined in LayerZero’s official technical documentation. Kelp maintains that when the protocol expanded its operations to layer 2 networks, LayerZero explicitly validated this configuration as suitable.
Both organizations have stated their commitment to collaborative resolution efforts.
Two Paths for Aave’s Losses
LlamaRisk, Aave’s risk management service provider, has constructed two distinct scenarios projecting how bad debt might materialize based on Kelp DAO’s strategic decisions.
The first scenario distributes losses uniformly across all rsETH token holders on Ethereum mainnet and associated layer 2 networks. This approach would trigger a 15% depegging of rsETH and generate approximately $123.7 million in bad debt for Aave. Ethereum’s primary market would shoulder the heaviest absolute impact at $91.8 million, though its substantial reserves would limit the proportional shortfall to 1.54%.
Mantle network would experience the most severe proportional damage at 9.54% under this distribution model.
The alternative scenario concentrates all losses exclusively on layer 2 networks while maintaining full backing for Ethereum mainnet rsETH. This approach would impose a 73.54% haircut on layer 2 collateral positions and escalate total bad debt to $230.1 million across markets including Mantle, Arbitrum, and Base.
In the first scenario, Aave’s Umbrella security module maintains $54 million in reserves available as a protective buffer. This mechanism would not be applicable under the second scenario’s structure.
Aave has clarified that the ultimate outcome hinges on Kelp DAO’s methodology for revising its rsETH accounting framework and oracle exchange rate calculations. The Aave DAO currently controls $181 million in treasury assets and has secured pledges from ecosystem stakeholders to provide protocol support should bad debt crystallize.
As of Monday, Kelp DAO indicated it continues evaluating the financial ramifications and has not yet disclosed a loss distribution strategy or recovery framework.
Get 3 Free Stock Ebooks
Discover top-performing stocks in AI, Crypto, and Technology with expert analysis.
- Top 10 AI Stocks - Leading AI companies
- Top 10 Crypto Stocks - Blockchain leaders
- Top 10 Tech Stocks - Tech giants
