TLDR
- Hackers stole 116,500 rsETH tokens worth $292 million from Kelp DAO’s LayerZero bridge on April 18
- The attacker used stolen tokens as collateral on Aave V3 to borrow wrapped Ether
- Aave’s risk manager outlined two bad debt scenarios: $123.7 million or $230.1 million
- Kelp DAO and LayerZero are trading blame over a 1-of-1 DVN security configuration
- Aave has $181 million in its treasury as a potential backstop
Kelp DAO suffered the largest DeFi exploit of 2026 so far on April 18, when hackers stole 116,500 rsETH tokens valued at around $292 million from its LayerZero-powered cross-chain bridge.
Update on rsETH incident: @LlamaRisk has published a report outlining the rsETH incident, the immediate actions taken, its impact on Aave, and potential paths forward.
All service providers have been working to assess the two potential bad debt scenarios on the Aave protocol.…
— Aave (@aave) April 20, 2026
LayerZero said the attacker, believed to be North Korea’s Lazarus Group, gained access to a list of RPC nodes used by its decentralized verifier network (DVN). Two nodes were poisoned and a third was knocked offline with a DDoS attack, tricking the system into approving a fake cross-chain message that minted 116,500 rsETH.
Kelp DAO moved quickly after the breach was discovered. It paused all relevant contracts and blacklisted wallets tied to the attacker, which it says prevented the theft of another 40,000 rsETH worth roughly $95 million.
The stolen tokens were then deposited into Aave V3. The attacker supplied 89,567 rsETH worth around $221 million as collateral and borrowed 82,650 wrapped Ether and 821 wstETH, leaving those positions at very low health factors and putting Aave at risk of bad debt.
Nearly $10 billion in value has left Aave since the exploit took place.
Who Is Responsible?
LayerZero published a report criticizing Kelp DAO’s 1-of-1 DVN configuration, saying it created a single point of failure. It said Kelp had been advised to diversify its DVN setup but chose not to.
Kelp DAO pushed back, saying the 1-of-1 configuration is the default setup documented in LayerZero’s own documentation. Kelp said the setup was “affirmatively confirmed as appropriate” by LayerZero when it expanded to layer 2 networks.
Both parties say they are working together on a path forward.
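The single-point-of-failure argument can be seen in a small model. This is an added example, not LayerZero or Kelp DAO code; the `Verifier` class, its majority-of-reachable-RPC rule, the node names and the payloads are assumptions constructed for illustration.

```python
# Simplified model of X-of-N cross-chain message verification (illustrative only).
import hashlib
from collections import Counter

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

class Verifier:
    """Hypothetical verifier: attests to what most of its reachable RPC nodes report."""
    def __init__(self, name, rpc_views):
        self.name = name
        self.rpc_views = rpc_views  # node name -> payload reported, None if offline

    def attest(self):
        seen = [digest(p) for p in self.rpc_views.values() if p is not None]
        if not seen:
            return None  # no reachable node: nothing to attest
        return Counter(seen).most_common(1)[0][0]

def accepted(claimed: bytes, verifiers, required: int) -> bool:
    """Accept `claimed` only if at least `required` verifiers attest to its hash."""
    want = digest(claimed)
    return sum(v.attest() == want for v in verifiers) >= required

# Constructed sample data (not real chain data).
REAL = b"source chain state: transfer 10 rsETH"
FAKE = b"source chain state: mint 116500 rsETH"

# Two nodes report forged state and the third is offline, as in the incident description.
COMPROMISED = Verifier("dvn-a", {"rpc-1": FAKE, "rpc-2": FAKE, "rpc-3": None})
# A second verifier with its own, unaffected RPC nodes (assumption).
INDEPENDENT = Verifier("dvn-b", {"rpc-4": REAL, "rpc-5": REAL, "rpc-6": REAL})

def run_scenarios():
    return {
        "1-of-1 forged": accepted(FAKE, [COMPROMISED], 1),
        "2-of-2 forged": accepted(FAKE, [COMPROMISED, INDEPENDENT], 2),
        "2-of-2 genuine": accepted(REAL, [COMPROMISED, INDEPENDENT], 2),
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

With 2-of-2 the forged message is rejected, and the genuine one also stalls while the verifiers disagree, so the stricter setup fails closed.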
Two Paths for Aave’s Losses
Aave’s risk management provider LlamaRisk has modeled two scenarios for how bad debt could play out, depending on decisions made by Kelp DAO.
The first scenario spreads losses across all rsETH holders on Ethereum mainnet and layer 2 networks equally. This would result in a 15% depeg of rsETH and around $123.7 million in bad debt for Aave. Ethereum’s core market would absorb the largest absolute loss at $91.8 million, though its reserves are deep enough to keep the shortfall at 1.54%.
Mantle would face the steepest proportional hit at 9.54% under this scenario.
The second scenario isolates all losses to layer 2 networks, leaving Ethereum mainnet rsETH fully backed. This results in a 73.54% haircut on layer 2 collateral and raises total bad debt to $230.1 million across markets on Mantle, Arbitrum, and Base.
Under the first scenario, Aave’s Umbrella security module holds $54 million that could act as a backstop. That would not apply under the second scenario.
Aave said the final outcome depends on how Kelp DAO updates its rsETH accounting and oracle exchange rate. The Aave DAO holds $181 million in treasury assets and has received commitments from ecosystem participants to support the protocol if bad debt materializes.
As of Monday, Kelp DAO said it is still assessing the financial impact and has not yet announced a loss allocation or recovery plan.







