Aave's L2 Depositors Demand Protection as KelpDAO Blame War Reaches Governance

Three days after the largest DeFi exploit of 2026, the question of who pays is tearing through Aave's governance forum.
KelpDAO lost $292 million on April 18 when an attacker forged a cross-chain message through a LayerZero bridge and drained 116,500 rsETH from the protocol's bridge adapter. The attacker deposited the stolen tokens into Aave V3 as collateral, borrowed roughly $236 million in real WETH against them, and walked out. Aave was left with bad debt it cannot recover through normal liquidation because the collateral backing it no longer exists.
Aave's service providers published a full incident report on April 20. It models two scenarios. If losses are spread evenly across all rsETH holders on every chain, each token takes a 15% hit and total bad debt lands around $123.7 million. If losses are isolated to Layer 2 networks only, L2 rsETH takes a 73.54% haircut and total bad debt climbs to $230.1 million. Ethereum mainnet is protected under that second scenario. L2 users on Arbitrum, Base, and Mantle carry almost everything.
Retail depositors are not staying quiet. A Base network user posted in the Aave governance forum that they deposited 1.57 ETH trusting Aave's risk assessment when rsETH was listed. A 73% haircut while mainnet stays whole, they wrote, destroys everything Aave's multichain promise was built on. An Arbitrum WETH depositor argued that concentrating losses on L2 users would permanently damage the case for using DeFi on Layer 2.
There is one development that partially changes the picture for Arbitrum users. The Arbitrum Security Council froze 30,766 ETH connected to the exploit on April 20, acting with direct law enforcement input on the attacker's identity. That recovered ETH is enough to cover most of Arbitrum's bad debt position. It cannot be moved without Arbitrum governance approval.
The bad debt total, which scenario Kelp chooses, and whether L2 users end up as the primary shock absorbers — none of it is resolved. Aave's DAO treasury holds $181 million. Recovery discussions are ongoing.
The full reporting on the exploit, Aave's liquidity crisis, and the ongoing governance fight is live at CryptoNewsLive.org.