Aave could face up to $230 million in losses after Kelp DAO bridge exploit triggers DeFi chaos
Aave published a report outlining two possible outcomes: around $123 million in losses if damage is shared across all rsETH, or up to $230 million if confined to Layer 2s, with the final impact depending on how Kelp DAO allocates the shortfall.
By Margaux Nijkerk|Edited by Nikhilesh De Apr 20, 2026, 9:03 p.m. Make preferred on
What to know:
- Aave’s incident report found that the rsETH exploit created unbacked collateral used to borrow roughly $190 million, leaving the protocol exposed to potential bad debt despite its systems functioning as designed.
- The report outlines two possible outcomes, around $123 million in losses if damage is shared across all rsETH, or up to $230 million if confined to Layer 2s, with the final impact depending on how Kelp DAO allocates the shortfall.
The Kelp DAO and LayerZero bridge exploit that occurred over the weekend has left lending protocol Aave facing potential losses of up to $230 million, depending on how the situation is resolved.
The incident, according to a report from Aave Labs and service provider LlamaRisk published on the Aave governance forum, centers on rsETH, a liquid restaking token issued by KelpDAO. To move rsETH between blockchains, the protocol relies on a bridge mechanism that locks tokens on one chain while issuing corresponding copies on another.
An attacker exploited that setup by forging a transfer message that appeared valid. The system approved the transfer even though the tokens were never taken out of the sending chain, meaning new tokens were effectively created without backing, releasing 116,500 rsETH from the Ethereum-side bridge.
Rather than selling the assets on the open market, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed roughly $190 million in ETH and related assets across Ethereum and Arbitrum, according to the report. This left Aave exposed to collateral whose backing may be significantly impaired.
Aave Labs said it moved quickly to contain the risk. Within hours, the protocol froze rsETH markets across its deployments, set loan-to-value ratios to zero, and halted new borrowing against the asset.
The outcome now depends largely on how Kelp handles the shortfall. If losses are spread across all rsETH holders, the token would face an estimated 15% depegging (meaning the value of the staked tokens would not match the value of actual ETH), resulting in about $124 million in bad debt for Aave. If losses are instead isolated to Layer 2 networks, the impact would be far more severe, with bad debt rising to roughly $230 million and concentrated on networks such as Arbitrum and Mantle.
The exploit stemmed from weaknesses in how Kelp verified cross-chain messages using LayerZero. By manipulating this process, the attacker was able to make certain assets appear fully backed when they were not, allowing them to extract value from the system. LayerZero itself was not directly hacked, but its messaging layer exposed flawed assumptions in how Kelp validated cross-chain data.
The incident raised concerns that some positions on Aave were backed by collateral that was mispriced or no longer fully backed, increasing the risk of undercollateralized loans.
In response, users moved to reduce exposure. Around $6 billion in total value locked was withdrawn from Aave following the incident, reflecting a broad pullback as participants reacted to the uncertainty.
The episode highlighted its indirect exposure to external systems. The impact was felt through increased collateral risk, pressure on lending positions, and a sharp decline in deposits as users reassessed the safety of interconnected DeFi infrastructure.
The report said its DAO treasury holds approximately $181 million in assets and that discussions are underway with ecosystem participants to address potential losses. Kelp has not yet outlined how it plans to allocate losses, leaving Aave’s ultimate exposure uncertain as the situation continues to evolve.
More For You
North Korea’s crypto heist playbook is expanding and DeFi keeps getting hit
By Margaux Nijkerk|Edited by Nikhilesh De43 minutes ago
More than $500 million was siphoned across the Drift and Kelp exploits in just over two weeks. What once looked like isolated breaches now resembles a sustained campaign, likely driven by the financial needs of a sanctioned state.
What to know:
- The Kelp exploit shows North Korea’s Lazarus Group is evolving beyond isolated hacks, rapidly shifting tactics from social engineering to exploiting structural weaknesses in crypto infrastructure, suggesting a sustained, state-driven campaign rather than one-off incidents.
- The attack did not break cryptography but exploited known design choices and weak configurations, exposing...
North Korea’s crypto heist playbook is expanding and DeFi keeps getting hit
43 minutes ago
Bitcoin bounces above $76,000 as DeFi suffers $14 billion exodus after KelpDAO hack
1 hour ago
Five times President Trump made a statement that moved bitcoin, and why it might happen again this week
5 hours ago
Bitcoin faces near-term pressure as liquidity tightens, Hilbert Group CIO says
5 hours ago
UK gas-investment firm weighs bitcoin mining, draws criticism
6 hours ago
Blockchain sleuth accuses RaveDAO of knowing who manipulated the price of its token
6 hours agoTop Stories
Coinbase, Bybit said to be working together on tokenization, custody and distribution of U.S. stocks
8 hours ago
Kelp DAO claims LayerZero’s 'default' settings are what actually caused the massive $290 million disaster
7 hours ago
Strategy buys 34,164 bitcoin for $2.54 billion, third-largest purchase on record
9 hours ago
Here's how bitcoin's $7.9 billion April options expiry impact prices
12 hours ago
LayerZero blames Kelp's setup for $290 million exploit, attributes it to North Korea's Lazarus
16 hours ago