GasCope
KelpDAO Exploit Drains $292M, Leaves Aave With $196M Bad Debt

On Saturday at 17:35 UTC, an attacker decided that Kelp DAO's LayerZero cross-chain bridge looked a bit too trusting. The exploit involved sending a single carefully crafted message that the bridge accepted like a dog taking a treat from a stranger—which, in crypto terms, is essentially what happened. This clever trick released 116,500 rsETH worth roughly $292 million, representing a satisfying 18% of total circulating supply, straight into a wallet that had been pre-funded through Tornado Cash a leisurely ten hours earlier. Notably, no ETH ever bothered moving on the other side; the rsETH was essentially conjured from thin air, or more accurately, from a protocol with questionable judgment.
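The failure described above, a destination-side release with no matching movement on the source side, is what a cross-chain reconciliation monitor exists to catch. The following is an added example, not code from Kelp DAO, LayerZero or Aave; the event shape, the `msg_id` format and the sample events are constructed, and only the 116,500 figure comes from the article.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class BridgeEvent:
    kind: str        # "debit" (source side) or "release" (destination side)
    msg_id: str      # hypothetical cross-chain message identifier
    amount: Decimal  # rsETH moved by this event

def reconcile(events):
    """Match every release to exactly one source-side debit.

    Returns (findings, unbacked): findings is a list of (msg_id, reason),
    unbacked is the total amount released without backing.
    """
    debits = {e.msg_id: e.amount for e in events if e.kind == "debit"}
    consumed, findings, unbacked = set(), [], Decimal(0)
    for e in (x for x in events if x.kind == "release"):
        if e.msg_id not in debits:
            findings.append((e.msg_id, "no_source_debit"))
            unbacked += e.amount
        elif e.msg_id in consumed:
            findings.append((e.msg_id, "replayed_message"))
            unbacked += e.amount
        else:
            consumed.add(e.msg_id)
            if e.amount > debits[e.msg_id]:
                findings.append((e.msg_id, "amount_exceeds_debit"))
                unbacked += e.amount - debits[e.msg_id]
    return findings, unbacked

def should_pause(events, threshold=Decimal("0")):
    """Circuit-breaker decision: pause when unbacked releases exceed threshold."""
    _, unbacked = reconcile(events)
    return unbacked > threshold

# Constructed sample events (assumption, not real chain data).
SAMPLE = [
    BridgeEvent("debit", "msg-001", Decimal("10")),
    BridgeEvent("release", "msg-001", Decimal("10")),
    BridgeEvent("release", "msg-002", Decimal("116500")),  # no debit anywhere
    BridgeEvent("debit", "msg-003", Decimal("5")),
    BridgeEvent("release", "msg-003", Decimal("7")),
    BridgeEvent("release", "msg-001", Decimal("10")),      # second use of msg-001
]

if __name__ == "__main__":
    findings, unbacked = reconcile(SAMPLE)
    for msg_id, reason in findings:
        print(f"ALERT {msg_id}: {reason}")
    print(f"unbacked rsETH: {unbacked}")
```

A lending protocol that lists a bridged asset as collateral can run the same check independently of the bridge operator and freeze the market when `should_pause` returns true.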

The attacker, clearly having done their homework, immediately deposited the questionably acquired rsETH into Aave V3 and V4 as collateral and proceeded to borrow actual wrapped ETH against it. To be clear, Aave's contracts worked exactly as designed—this wasn't a failure of the protocol itself but rather a failure of the assumption that rsETH behaving like ETH meant it was actually ETH. The vulnerability, in classic DeFi fashion, stemmed from rsETH being whitelisted as ETH-correlated collateral, which in retrospect looks about as reliable as judging a book's quality by its cover.

The fallout arrived with all the subtlety of a crypto market correction at 3 AM. Aave's token decided to shed 30%, while total value locked on the protocol dropped 25% from $26.4 billion to approximately $20 billion in a single day, because apparently everything in crypto happens in a single day. ETH depositors attempting to withdraw found that liquidity had taken a vacation, prompting many to borrow stablecoins against their deposits just to make an exit. This, for those keeping score, is the textbook definition of a bank run dressed up in DeFi terminology. SparkLend, Fluid, Upshift, and Lido all froze or paused rsETH exposure like nervous parents, and rsETH holders on over 20 chains now possess tokens of uncertain backing. Aave noted Sunday that rsETH on Ethereum mainnet remains "fully backed" but frozen "out of an abundance of caution", which, depending on your interpretation, either sounds responsible or like they're keeping the evidence in a safe place.

This whole debacle has forced the DeFi ecosystem to sit down and have a long, uncomfortable conversation with itself about risk calculus. $600 million has been lost through DeFi exploits in just the past three weeks, and the pace suggests we're not just breaking records, we're setting new ones with each incident. Every lending protocol must now reassess its collateral whitelisting standards and security assumptions, which likely means a lot of late-night meetings and aggressive coffee consumption. Rebuilding user trust will take time, if it's even possible, particularly as users weigh whether the average yield justifies exposure to attacks that seem to be getting more sophisticated by the week.

Publisher: gascope.com
Published
Updated: May 6, 2026, 09:52 UTC
