Kelp DAO Exploit Fallout: LayerZero Blamed for $292M Breach as Aave Reviews Liquidity Risks

$292M exploit sparks dispute as Aave faces up to $230M risk from leveraged rsETH collateral exposure.

Kelp DAO has responded to mounting criticism following a major cross-chain bridge exploit that drained roughly $292 million in assets. Tensions have emerged between Kelp DAO and LayerZero over who is responsible for the breach. At the same time, the incident has created ripples across DeFi, particularly in Aave’s lending markets. Attention now turns to how losses will be handled and whether systemic risks can be contained.

LayerZero Points to Validation Failure in Kelp DAO Hack, Team Defends Setup

Kelp DAO issued a statement on Monday, seeking to distance itself from direct responsibility for the exploit. The breach occurred on April 18, when attackers siphoned 116,500 rsETH tokens from its LayerZero-powered bridge. That figure places the incident among the largest DeFi exploits recorded this year.

According to LayerZero, attackers gained access to critical infrastructure tied to its Decentralized Verifier Network (DVN). Investigators believe the group behind the exploit may be linked to North Korea’s Lazarus Group.

Reports indicate that compromised RPC node data allowed attackers to poison two nodes. A coordinated DDoS attack then forced the DVN into accepting a fraudulent cross-chain message, which ultimately led to an unauthorized transaction being signed.

LayerZero’s report pointed to Kelp DAO’s use of a 1-of-1 DVN configuration as a key vulnerability. That setup meant only a single verification source was required to approve transactions. Without additional independent validators, the system lacked safeguards to detect manipulated messages. LayerZero stated that it had previously advised Kelp DAO to adopt a more distributed configuration.

Kelp DAO pushed back against those claims. In its response, the team said the 1-of-1 DVN model followed LayerZero’s own default deployment settings. The protocol also noted ongoing communication with LayerZero since early 2024. During its expansion to Layer 2 networks, Kelp stated that the configuration had been reviewed and approved as suitable.
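
The difference between the 1-of-1 DVN setup described above and a multi-verifier threshold, as an added example: this is a simplified model written for illustration, not LayerZero's or Kelp DAO's code. The DVN names, the constructed messages and the `accepted_hash` helper are hypothetical.

```python
import hashlib
from collections import Counter

def payload_hash(message: bytes) -> str:
    """Digest a verifier attests to after reading the source-chain event."""
    return hashlib.sha256(message).hexdigest()

def accepted_hash(attestations, configured_dvns, threshold):
    """Return the payload hash the destination would accept, or None.

    attestations: {dvn_name: attested_hash}; an offline DVN is simply absent.
    Fails closed when no hash, or more than one hash, reaches the threshold.
    """
    if not 1 <= threshold <= len(configured_dvns):
        raise ValueError("threshold must be between 1 and the number of DVNs")
    # Only verifiers named in the configuration get a vote.
    votes = Counter(h for dvn, h in attestations.items() if dvn in configured_dvns)
    winners = [h for h, n in votes.items() if n >= threshold]
    return winners[0] if len(winners) == 1 else None

# Constructed sample data (not taken from the incident).
GENUINE = payload_hash(b"constructed: genuine source-chain message")
FORGED = payload_hash(b"constructed: message served by poisoned RPC nodes")
ALL_DVNS = {"dvn-a", "dvn-b", "dvn-c"}  # hypothetical independent verifiers

def scenarios():
    poisoned = {"dvn-a": FORGED}  # dvn-a reads from poisoned RPC nodes
    return {
        # Single verifier: whatever it attests to is accepted.
        "1-of-1, dvn-a poisoned": accepted_hash(poisoned, {"dvn-a"}, 1),
        # Two honest verifiers outvote the poisoned one.
        "2-of-3, dvn-a poisoned": accepted_hash(
            {**poisoned, "dvn-b": GENUINE, "dvn-c": GENUINE}, ALL_DVNS, 2),
        # One verifier knocked offline: nothing reaches quorum, so delivery
        # stalls instead of accepting the forged message.
        "2-of-3, dvn-a poisoned, dvn-b offline": accepted_hash(
            {**poisoned, "dvn-c": GENUINE}, ALL_DVNS, 2),
    }

if __name__ == "__main__":
    labels = {GENUINE: "genuine", FORGED: "FORGED", None: "nothing accepted"}
    for name, result in scenarios().items():
        print(f"{name}: {labels[result]}")
```

In the third scenario the bridge loses liveness but not safety, which is the trade a threshold above one is meant to buy.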

Kelp DAO Hack Spills Into Aave, Triggering $221M Collateral Risk Scenario

Efforts to manage the fallout began shortly after the exploit. Kelp DAO confirmed it paused affected contracts and blacklisted wallets linked to the attacker. Those steps helped limit further damage, though a large portion of funds had already been moved.

Consequences quickly extended beyond Kelp DAO’s ecosystem. A significant share of the stolen rsETH was deposited into the Aave V3 platform. The attacker used these assets as collateral to borrow large quantities of WETH and wstETH. Such activity raised concerns about potential bad debt within Aave’s lending pools.

Aave’s incident report detailed the scale of exposure. Data shows the attacker supplied 89,567 rsETH, valued near $221 million, as collateral. Against this, 82,650 WETH and 821 wstETH were borrowed. These positions now sit at dangerously low health factors, increasing the likelihood of liquidity shortfalls.

Aave has outlined two potential outcomes for how losses might be distributed. One scenario assumes losses are evenly distributed among all rsETH holders. Under this model, a 15.12% depeg would occur, creating approximately $123.7 million in bad debt. Ethereum would bear the largest absolute loss, though its liquidity depth could absorb much of the impact. Smaller networks like Mantle would face higher proportional strain.

An alternative scenario assumes losses remain isolated to Layer 2 deployments. In that case, L2 rsETH collateral would face a 73.54% haircut. Resulting bad debt could climb to $230.1 million across networks such as Arbitrum, Base, and Mantle. This outcome presents greater localized stress but leaves the Ethereum mainnet largely unaffected.

Aave’s $54M Safety Fund Faces Limits as Exploit Fallout Deepens

Aave noted that its $54 million WETH Umbrella fund could act as an initial buffer under the first scenario. However, that safeguard would not apply if losses are confined to Layer 2 markets. Final outcomes depend heavily on how Kelp DAO adjusts its accounting and oracle pricing mechanisms.

Despite uncertainty, Aave maintains a relatively strong financial position. The DAO currently holds around $181 million in assets. It also reported receiving support commitments from ecosystem participants should losses materialize.

Attention now shifts to coordination between Kelp DAO, LayerZero, and affected protocols. Clear decisions on loss allocation and recovery steps will shape the broader impact. For now, the incident serves as another reminder of the risks tied to cross-chain infrastructure and concentrated validation systems.

Source: https://www.livebitcoinnews.com/kelp-dao-exploit-fallout-layerzero-blamed-for-292m-breach-as-aave-reviews-liquidity-risks/