🚨 Kelp DAO Exploited for $292M — Aave Caught in the Crossfire
On April 18 at around 17:35 UTC, the rsETH bridge contract of Kelp DAO—currently the second-largest liquid restaking protocol after ether.fi and built on LayerZero—was exploited, resulting in a loss of 116,500 rsETH (~$292M).
The attacker initially withdrew 1 $ETH from Tornado Cash for gas, then gained control of the bridge—likely due to a compromised private key (based on early analysis). Using that access, they forged cross-chain transfer messages via LayerZero and drained the full 116,500 rsETH to their own address.
A key reason the exploit succeeded so easily: the bridge relied on a single validator setup (DVN 1/1) with no cross-verification.
The attacker later attempted to withdraw an additional 40,000 rsETH (~$100M) but failed after Kelp paused all contracts in time.
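To make the 1/1 DVN point concrete, here is an added example (not code from Kelp DAO or LayerZero) that models a pathway's verifier policy and flags any pathway where one compromised signer is enough to get a message accepted. The required-plus-optional-quorum model is a simplifying assumption, and all DVN and pathway names are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DvnPolicy:
    """Simplified verifier policy for one bridge pathway (hypothetical model)."""
    required: frozenset                 # every DVN here must attest
    optional: frozenset = frozenset()   # extra DVNs counted toward a quorum
    optional_threshold: int = 0         # how many optional DVNs must attest

def is_verified(policy, attesters):
    """True if the DVNs that attested to a message satisfy the policy."""
    attesters = set(attesters)
    if not policy.required and policy.optional_threshold == 0:
        return False                    # no verifier configured: fail closed
    if not policy.required <= attesters:
        return False                    # a required DVN did not attest
    return len(policy.optional & attesters) >= policy.optional_threshold

def keys_needed_to_forge(policy):
    """Minimum number of distinct DVN signers whose compromise verifies a forged message."""
    return len(policy.required) + policy.optional_threshold

def audit(pathways, minimum=2):
    """Names of pathways gated by fewer than `minimum` independent DVNs."""
    return sorted(n for n, p in pathways.items() if keys_needed_to_forge(p) < minimum)

# Constructed sample configurations; DVN and pathway names are placeholders.
PATHWAYS = {
    "single-1of1": DvnPolicy(required=frozenset({"dvn-a"})),
    "two-required": DvnPolicy(required=frozenset({"dvn-a", "dvn-b"})),
    "required-plus-quorum": DvnPolicy(
        required=frozenset({"dvn-a"}),
        optional=frozenset({"dvn-b", "dvn-c", "dvn-d"}),
        optional_threshold=2,
    ),
}

if __name__ == "__main__":
    for name, policy in PATHWAYS.items():
        print(f"{name}: {keys_needed_to_forge(policy)} signer(s) gate each message")
    print("flagged:", audit(PATHWAYS))
```

The count is only meaningful if the DVNs are operated independently; two DVNs sharing one key or one operator still behave like 1/1.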
⸻
💰 Post-Exploit Strategy: Borrowing Against Illiquid Collateral
Due to rsETH’s low liquidity, the attacker couldn’t dump directly. Instead, they used it as collateral across lending protocols to borrow wETH.
As of April 18, 19:30 UTC, total debt created exceeds $236M:
* Aave V3: $196M
* Compound V3: $39.4M
* Euler: $840K
⸻
⚠️ Risk Containment & Market Impact
Aave has frozen rsETH markets on both V3 and V4, confirming its contracts were not compromised. The team also stated they will cover any potential bad debt if necessary.
According to estimates from Spark Protocol (a direct competitor to Aave), if rsETH drops 19%—roughly equal to the stolen share of total supply—Aave could face over $100M in bad debt due to recursive leverage loops.
📉 Following the incident, both $KERNEL and $AAVE have dropped more than 10%.