116,500 rsETH stolen in Aave hack via LayerZero exploit

A DeFi exploit targeting LayerZero’s cross-chain messaging protocol resulted in a crypto hack in which 116,500 rsETH were forged and used as collateral on Aave to borrow WETH. The incident triggered a bad debt crisis, prompting Aave to freeze markets on Ethereum, Arbitrum, Base, Mantle, and Linea. The attack underscored risks associated with cross-chain bridges and LRTs, while Morpho’s isolated market design proved more resilient. Fluid Protocol responded by launching an aWETH redemption program for Aave users.
Liquidity in the entire lending market instantly seized up.

Author and source: 0x9999in1, ME News

TL;DR

  • Qualitative: The biggest black swan event of 2026. Attackers forged LayerZero cross-chain messages at zero cost, arbitrarily siphoning off 116,500 rsETH. This is not merely a code vulnerability, but a complete collapse of cross-chain trust mechanisms.
  • The chain of traps: the hacker’s target isn’t rsETH itself, but the real money in Aave. Using “air vouchers” as collateral, they borrowed massive amounts of WETH, leaving Aave with a huge uncollateralized bad debt black hole.
  • Architecture under scrutiny: Under stress testing, the underlying design of each protocol is revealed. Morpho’s “fully isolated markets” passed flawlessly with just $1 million in exposure; Aave’s “global liquidity” was forced into a full freeze, exposing systemic fragility.
  • Taking advantage of the chaos and self-rescue: Fluid swiftly launched an aWETH redemption protocol, precisely targeting Aave users affected by the incident, delivering a textbook example of a liquidity vampire attack.
  • Underlying reflection: The combination of LRT (Liquid Restaking) and cross-chain bridges (OFT) is creating "toxic asset derivatives" in the DeFi world. The higher the LEGO tower, the harder the fall. After the crisis, the reconstruction of cross-chain standards has become inevitable.

A Terrifying Weekend: When Alarms Echoed Across the Dark Web

Capital never sleeps. Neither do hackers.

On Saturday, the Ethereum network, normally like a precision printing press quietly processing blocks, was abruptly shattered by a set of bizarre transaction records. 116,500 rsETH. This was no small amount. It was astronomical.

Whose money is this? It’s the hard-earned liquidity restaking funds of Kelp DAO users.

How did it happen? Because the communication protocol of the LayerZero cross-chain bridge was tricked.

Imagine you’re the owner of a pawnshop. Someone walks in with a forged Swiss bank draft and calmly walks away with a ton of gold. That’s exactly what happened over the weekend. The hackers didn’t break into the vault or brute-force the underlying mathematics of smart contracts. Instead, they did something smarter—and far more deadly: they forged cross-chain messages from LayerZero.

The message says: "I deposited money on that chain; please lend me funds on this chain."

The bridge contract believed it. It obediently opened the gate.

116,500 rsETH have now flowed into the hacker’s wallet. This is the largest DeFi hack of 2026 so far. But note, this is only the beginning of the nightmare. The hacker isn’t after rsETH—a derivative token with strong business dependencies. They want hard currency. They want WETH.

Thus, the hunter’s sights turned to DeFi’s largest central bank—Aave.

Deadly Chain Reaction: Aave and the "Ghost Collateral"

The hacker's chain of logic is terrifyingly clear.

Step one: Create air. Fabricate rsETH out of thin air through a cross-chain bridge vulnerability.

Step two: Cash out the air. Deposit these ghost rsETH tokens, which have no underlying asset backing, into Aave.

Step three: Drain the blood. Use rsETH as collateral to borrow WETH aggressively.

Aave's smart contracts understand math, but not human behavior, nor the hidden complexities behind cross-chain bridges. To Aave's oracles, rsETH's price remains pegged to Ethereum. Collateralization ratio healthy. Loan. Loan. Continue lending.

Crash. The building is about to fall.

By the time Kelp DAO and LayerZero realized what had happened, it was too late. Aave’s vault was filled with worthless “ghost rsETH,” while genuine users’ real WETH had been completely swept away by the hacker.

What is this called? In traditional finance, this is called systemic bad debt. In DeFi, this is the beginning of a death spiral.

Aave's response was not slow. Freeze. Freeze everything. Ethereum, Arbitrum, Base, Mantle, Linea. All WETH reserves and rsETH assets across affected markets, whether V3 or V4, have been paused. Aave's official claim that "rsETH on mainnet is fully collateralized" rings hollow at this moment. While rsETH on mainnet is indeed backed, what about the rsETH generated across chains via the vulnerability? Who will fill the gap left by the drained WETH?

Aave has been forced into a "Schrödinger's bad debt" state. Until a full audit and fund recovery are completed, no one knows the true size of this black hole. As the foundational cornerstone of DeFi Lego, Aave's freeze has caused an immediate cardiac arrest in the liquidity of the entire lending market.

Isolation Pools and Chain Reactions: The Spectrum of DeFi

When the tide goes out, you can see not only who’s swimming naked, but also who built a boat with watertight compartments.

The rsETH incident was like a depth charge, exposing the vast differences in risk management architectures among DeFi protocols. In the face of sudden cross-chain toxic assets, each protocol's response served as a brutal financial survival guide.

Let’s lay out these protocols’ cards on the table with a chart.

Understood? This is the rule of the game for the second half of DeFi.

Morpho’s victory: Why does Morpho claim to be secure? Because they don’t play the “communal pot” game. Aave’s model pools all funds into one large pool—when one asset fails, the entire pool’s capital may be used to cover bad debts. Morpho, however, uses an “isolated markets” design. If you’re toxic, you’re stuck in your own small pool—my main road stays clear. A mere $1 million exposure is barely a scratch for Morpho. This is a decisive advantage in mechanism design.

Fluid’s strategy: While all protocols are on the defensive, Fluid has drawn its blade. They’ve announced the launch of the aWETH redemption protocol. What’s this move? It’s salt in Aave’s wound—and a blood draw for themselves. Your ETH is frozen in Aave and you can’t access it? No problem—Fluid will honor it. Transfer your debt to us, and we’ll instantly convert it to wstETH or weETH, unlocking your liquidity. With an initial capacity of $1 billion, it’s essentially shouting directly at Aave’s users: “Switch sides!” This is pure business warfare—cold, efficient, and hitting the pain point head-on.

Reserve's bottom line: Reserve's response showcased the elegance of structured finance. Even under extreme conditions, their DTF holders were nearly unaffected. Why? Because they designed RSR stakers as "first-loss capital." It’s like a bumper in a financial system—when a crash happens, the bumper breaks first, protecting the cabin.

Regarding statements from protocols such as Polygon, EtherFi, and Maple, these are primarily public relations efforts to reassure liquidity providers (LPs) within their respective ecosystems.

The source of the toxin: The fatal encounter between LRT nesting and cross-chain bridges

If you view this incident as just another ordinary hack, you're being naive. At its core, this is an inevitable collapse triggered by "over-financialization."

Let’s turn our attention to the main character of the event: rsETH.

What is rsETH? It is a liquid restaking token (LRT) issued by Kelp DAO.

This thing is essentially a Russian doll. Users stake ETH on the Ethereum network to receive an LST (such as stETH), then stake that LST on protocols like EigenLayer to receive an LRT (such as rsETH).

Why go through all this trouble? For the yield. To extract every last bit of interest from Ethereum.

This in itself is not wrong. Capital seeks profit by nature. But the problem lies in the next step: cross-chain.

Due to the entrenched multi-chain landscape of DeFi, Kelp DAO has integrated LayerZero’s OFT (Omnichain Fungible Token) standard to enable rsETH to circulate across various L2s (Layer 2 networks).

Now the assets, which were previously protected by the robust consensus of the Ethereum mainnet, have had their security downgraded to that of the cross-chain bridge.

Did you notice? On a long chain of leverage, if just one link fails, the entire system collapses.

Cross-chain bridges have always been DeFi’s Achilles’ heel. From the 2022 Ronin heist ($625 million) to PolyNetwork and then Wormhole, history has repeatedly shown that transmitting asset ledgers worth billions between two mutually distrustful blockchains via a set of third-party nodes (relays/oracles) is an extremely risky endeavor.

LayerZero claims it “fully understands the vulnerability incident and is actively working with KelpDAO to fix it.” But we’ve heard this line too many times before. Fixing one vulnerability inevitably breeds the next due to the architecture’s complexity. When cross-chain messages can be forged, the OFT standard becomes a blank check open to arbitrary filling.
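The monitoring check this argument points to, as an added example (not code from Kelp DAO, LayerZero or Aave): every mint on a destination chain must match exactly one burn or lock on a source chain, and a lending market can freeze the asset when that stops holding. The event model, the field names and the `collateral_action` guard are hypothetical simplifications, and the sample events are constructed.

```python
from dataclasses import dataclass

WEI = 10**18

@dataclass(frozen=True)
class BridgeEvent:
    chain: str   # chain that emitted the event
    kind: str    # "debit" = burned/locked at source, "credit" = minted at destination
    msg_id: str  # id shared by both legs of one transfer (hypothetical field name)
    amount: int  # token amount in wei

def reconcile(events):
    """Return (findings, unbacked_wei) for credits that lack a valid source debit."""
    debits = {e.msg_id: e for e in events if e.kind == "debit"}
    consumed, findings, unbacked = set(), [], 0
    for e in events:
        if e.kind != "credit":
            continue
        src, covered = debits.get(e.msg_id), 0
        if src is None:
            reason = "no source debit"
        elif e.msg_id in consumed:
            reason = "replayed message"
        elif src.chain == e.chain:
            reason = "same-chain debit"
        else:
            consumed.add(e.msg_id)
            if e.amount <= src.amount:
                continue  # fully backed transfer
            reason, covered = "credit exceeds debit", src.amount
        gap = e.amount - covered
        unbacked += gap
        findings.append((e.msg_id, e.chain, reason, gap))
    return findings, unbacked

def collateral_action(unbacked, circulating, max_unbacked_bps=0):
    """Lending-side guard: freeze the asset once unbacked supply exceeds the cap."""
    if circulating <= 0:
        raise ValueError("circulating supply must be positive")
    return "freeze" if unbacked * 10_000 > max_unbacked_bps * circulating else "accept"

# Constructed sample events, not data from the incident.
SAMPLE = [
    BridgeEvent("ethereum", "debit", "m1", 50 * WEI),
    BridgeEvent("arbitrum", "credit", "m1", 50 * WEI),   # normal transfer
    BridgeEvent("base", "credit", "m2", 1_000 * WEI),    # mint with no debit
    BridgeEvent("ethereum", "debit", "m3", 10 * WEI),
    BridgeEvent("linea", "credit", "m3", 10 * WEI),
    BridgeEvent("linea", "credit", "m3", 10 * WEI),      # same message credited twice
    BridgeEvent("ethereum", "debit", "m4", 5 * WEI),     # still in flight, not flagged
]
```

A debit with no credit yet is treated as in flight and ignored; only supply that appears without a matching debit counts toward the freeze decision.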

Epilogue: Who will pay the bill?

It has come to this—total chaos.

Who will fill the gap of 116,500 rsETH?

Is the Kelp DAO treasury footing the bill? Is LayerZero operating at a loss to gain traction? Are Aave’s governance token holders being forced to dilute their stakes to cover bad debt? Or will the ultimate burden fall on ordinary users—innocent bystanders who left their funds in the pool chasing a few percentage points of APY?

No one wants to be the sucker. But at the end of the game, someone always has to bleed.

What did this storm leave us with?

It declared in an extremely brutal way: in the dark forest of DeFi, there is no such thing as "too big to fail." Aave's global liquidity model proved too unwieldy in the face of extreme tail risk; Morpho’s isolated pool concept may be the right answer for the next cycle.

It also stripped away the veil from liquid restaking derivatives (LRTs). We became obsessed with stacking LEGO blocks and chasing leveraged yields fabricated out of thin air, while ignoring the fact that the underlying foundation was already riddled with cracks. The bomb was already set when LRTs carrying cross-chain risks were allowed as collateral in top-tier blue-chip lending protocols.

There is nothing new under the sun. Code is law, but law always has loopholes.

When you peel back the layers of this financial facade, you’ll see it’s nothing more than an endless cat-and-mouse game between human greed and technological imperfection.

The next hand is already being dealt. Are you still at the table?

Source:

  1. Aave Governance Forum. (2026). "Incident Update: rsETH Market Freeze and Bad Debt Evaluation."
  2. Fluid Protocol Official Blog. (2026). "Introducing aWETH: Liquidity Redemption for ETH Lenders."
  3. Morpho Labs Security Post. (2026). "Post-Mortem Analysis: Why Isolated Markets Protected Morpho from the rsETH Exploit."
  4. LayerZero Communications. (2026). "Response to Kelp DAO rsETH Exploit and OFT Security Updates."
  5. Reserve Protocol Docs. (2026). "Understanding First-Loss Capital in DTF Mechanics."