Key Takeaways
- On April 18, attackers compromised Kelp DAO’s LayerZero bridge, making off with 116,500 rsETH tokens valued at approximately $292 million
- The exploiter leveraged the stolen assets as collateral within Aave V3 to extract wrapped Ether
- LlamaRisk, Aave’s risk management provider, has identified two potential bad debt outcomes: $123.7 million or $230.1 million
- A dispute has emerged between Kelp DAO and LayerZero regarding the security configuration that enabled the breach
- Aave maintains $181 million in reserve funds that could serve as a safety net
The decentralized finance sector witnessed its most significant security breach of 2026 on April 18, as Kelp DAO fell victim to an attack that resulted in the theft of 116,500 rsETH tokens—a haul worth approximately $292 million—from its cross-chain bridge powered by LayerZero technology.
According to LayerZero’s investigation, the perpetrator, suspected to be the notorious North Korean hacking collective Lazarus Group, infiltrated a roster of RPC nodes operating within its decentralized verifier network (DVN) infrastructure. The attack methodology involved compromising two nodes while simultaneously overwhelming a third with a distributed denial-of-service assault, effectively manipulating the system into validating a fraudulent cross-chain transaction that generated 116,500 rsETH tokens.
Kelp DAO responded swiftly once the security compromise came to light. The protocol immediately suspended all affected smart contracts and implemented wallet blacklisting measures targeting addresses associated with the attacker, a defensive action that successfully protected an additional 40,000 rsETH—approximately $95 million in value—from being stolen.
The compromised tokens subsequently found their way into Aave V3. The attacker deposited 89,567 rsETH valued at roughly $221 million as collateral backing, then proceeded to borrow 82,650 wrapped Ether along with 821 wstETH, creating positions with dangerously low health factors that now threaten Aave with substantial bad debt exposure.
In the wake of this exploit, nearly $10 billion in total value has been withdrawn from the Aave protocol.
The Accountability Debate
LayerZero released an analysis placing blame on Kelp DAO’s implementation of a 1-of-1 DVN (Decentralized Verifier Network) configuration, characterizing it as establishing a critical vulnerability. The report stated that Kelp had received recommendations to implement a more diverse DVN architecture but declined to do so.
Kelp DAO has contested this characterization, asserting that the 1-of-1 configuration represents the standard setup outlined in LayerZero’s official technical documentation. According to Kelp, this configuration received explicit approval from LayerZero during the protocol’s expansion into layer 2 network environments.
Both organizations have stated their commitment to collaborative resolution efforts.
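The 1-of-1 versus diverse-DVN distinction at the center of this dispute, shown as an added example that is not code from Kelp DAO, LayerZero or the original article: a Python audit that counts how many independent operators must be compromised before a verifier quorum accepts a message. The config model, field names, DVN names and operator assignments are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class VerifierConfig:
    # Simplified model: every required DVN must attest, plus at least
    # optional_threshold of the optional DVNs. Field names are assumptions.
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

def min_operators_to_forge(cfg, operator_of):
    """Fewest distinct operators whose compromise satisfies the quorum."""
    if cfg.optional_threshold > len(cfg.optional_dvns):
        raise ValueError("optional_threshold exceeds number of optional DVNs")
    # Every operator behind a required DVN has to be compromised.
    owned = {operator_of[d] for d in cfg.required_dvns}
    # Optional DVNs run by those same operators add no independence.
    need = cfg.optional_threshold - sum(
        1 for d in cfg.optional_dvns if operator_of[d] in owned)
    others = Counter(operator_of[d] for d in cfg.optional_dvns
                     if operator_of[d] not in owned)
    extra = 0
    for _, dvn_count in others.most_common():  # largest operators first
        if need <= 0:
            break
        need -= dvn_count
        extra += 1
    return len(owned) + extra

def audit(cfg, operator_of, min_independent=2):
    """Return (independent operator count, list of findings)."""
    findings = []
    if len(cfg.required_dvns) + cfg.optional_threshold <= 1:
        findings.append("quorum needs at most one attestation (1-of-1)")
    n = min_operators_to_forge(cfg, operator_of)
    if n < min_independent:
        findings.append(f"{n} independent operator(s), want >= {min_independent}")
    return n, findings

# Constructed sample data: DVN names and operator assignments are invented.
OPERATORS = {"dvn-a": "op-1", "dvn-b": "op-1", "dvn-c": "op-2",
             "dvn-d": "op-3", "dvn-e": "op-3"}
ONE_OF_ONE = VerifierConfig(["dvn-a"])
SAME_OPERATOR = VerifierConfig(["dvn-a", "dvn-b"])
DIVERSE = VerifierConfig(["dvn-a"], ["dvn-c", "dvn-d", "dvn-e"], 2)

if __name__ == "__main__":
    for name, cfg in [("1-of-1", ONE_OF_ONE), ("2-of-2, one operator", SAME_OPERATOR),
                      ("1 required + 2-of-3 optional", DIVERSE)]:
        print(name, audit(cfg, OPERATORS))
```

The second sample passes a naive "more than one DVN" check yet still rests on a single operator, which is why the audit counts operators rather than DVN entries.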
Aave’s Bad Debt Projection Models
LlamaRisk, serving as Aave’s risk management partner, has constructed two distinct scenarios projecting potential bad debt outcomes based on decisions yet to be finalized by Kelp DAO.
The first projection model distributes losses uniformly among all rsETH token holders across Ethereum mainnet and layer 2 networks. This approach would trigger a 15% devaluation of rsETH and generate approximately $123.7 million in bad debt exposure for Aave. Ethereum’s primary market would shoulder the largest nominal loss at $91.8 million, though its substantial reserve capacity would limit the relative shortfall to just 1.54%.
Mantle network would experience the most severe proportional impact in this scenario, facing a 9.54% hit.
The alternative projection concentrates all losses exclusively within layer 2 networks, maintaining full backing for Ethereum mainnet rsETH holdings. This scenario produces a devastating 73.54% reduction in layer 2 collateral value and escalates total bad debt exposure to $230.1 million spanning Mantle, Arbitrum, and Base networks.
In the first scenario, Aave’s Umbrella security module contains $54 million available for deployment as protective capital. This safety mechanism would not be applicable under the second scenario’s parameters.
Aave has clarified that the ultimate outcome hinges on Kelp DAO’s forthcoming decisions regarding rsETH accounting methodology and oracle exchange rate adjustments. The Aave DAO currently controls $181 million in treasury reserves and has secured pledges from ecosystem stakeholders to provide support should bad debt materialize.
As of Monday, Kelp DAO indicated that financial impact assessment remains ongoing, with no announcement yet made regarding loss distribution strategy or asset recovery planning.



