đš Kelp DAO Exploited for $292M â Aave Caught in the Crossfire
On April 18 at around 17:35 UTC, the rsETH bridge contract of Kelp DAOâcurrently the second-largest liquid restaking protocol after ether.fi and built on LayerZeroâwas exploited, resulting in a loss of 116,500 rsETH (~$292M).
The attacker initially withdrew 1 $ETH from Tornado Cash for gas, then gained control of the bridgeâlikely due to a compromised private key (based on early analysis). Using that access, they forged cross-chain transfer messages via LayerZero and drained the full 116,500 rsETH to their own address.
A key reason the exploit succeeded so easily: the bridge relied on a single validator setup (DVN 1/1) with no cross-verification.
The attacker later attempted to withdraw an additional 40,000 rsETH (~$100M) but failed after Kelp paused all contracts in time.
âž»
đ° Post-Exploit Strategy: Borrowing Against Illiquid Collateral
Due to rsETHâs low liquidity, the attacker couldnât dump directly. Instead, they used it as collateral across lending protocols to borrow wETH.
As of April 18, 19:30 UTC, total debt created exceeds $236M:
* Aave V3: $196M
* Compound V3: $39.4M
* Euler: $840K
âž»
â ïž Risk Containment & Market Impact
Aave has frozen rsETH markets on both V3 and V4, confirming its contracts were not compromised. The team also stated they will cover any potential bad debt if necessary.
According to estimates from Spark Protocol (a direct competitor to Aave), if rsETH drops 19%âroughly equal to the stolen share of total supplyâAave could face over $100M in bad debt due to recursive leverage loops.
đ Following the incident, both $KERNEL and $AAVE have dropped more than 10%.