DeFi hack loses $292M via Kelp DAO rsETH bridge, Aave affected

On-chain data reveals a $292 million DeFi exploit on April 19, 2026, following the compromise of the Kelp DAO rsETH bridge via LayerZero. The attackers received 1 ETH from Tornado Cash 10 hours prior to triggering the exploit. Kelp DAO paused rsETH contracts on both mainnet and Layer2. On-chain analysis shows the hackers exploited Aave V3, Compound V3, and Euler to borrow WETH, generating $236 million in debt. Aave froze its rsETH markets and confirmed no contract breach occurred; its Umbrella module may cover the bad debt, though the exact amount remains unclear.

Original | Odaily Planet Daily (@OdailyChina)

Author | Azuma (@azuma_eth)

On April 19, Beijing time, DeFi security suffered another major blow.

On-chain data shows that around 1:35 AM today, the LayerZero-based rsETH bridge contract of Kelp DAO, the second-largest liquid staking protocol, was allegedly exploited by a hacker, resulting in the loss of 116,500 rsETH, worth approximately $292 million.

Tracing the on-chain records further shows that the attacker address received initial funding of 1 ETH from the mixer protocol Tornado Cash approximately 10 hours before the incident. The address then called the lzReceive function on the LayerZero EndpointV2 contract, and this call triggered Kelp’s bridge contract to transfer 116,500 rsETH to another attacker address.

Approximately two and a half hours after the incident, Kelp DAO confirmed on X that it had been attacked: "Earlier today, we detected suspicious cross-chain activity involving rsETH. During our investigation, we have paused the rsETH contracts on mainnet and multiple Layer2s. Our auditors are working closely with security experts from LayerZero and Unichain to closely monitor the situation. We will keep you updated with further developments—please follow our official channels."

After the incident, various DeFi projects and security organizations analyzed the cause. D2 Finance's analysis was frequently cited in the community: LayerZero Scan marked the source endpoint of this message as Kelp DAO, indicating that the message originated from Kelp’s own legitimately deployed endpoint contract, and this path had previously recorded 308 message nonces. The analysis therefore concluded that the root cause of this attack was the compromise of the source chain’s private key.

TinyHumans AI developer Steven Enamakel added that the contract is secured only by a 1/1 validator set (DVN), meaning that a single erroneous transaction from the validator is sufficient to cause an issue.
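
The 1/1 DVN weakness described above can be checked mechanically. The following is an added example, not code from the article, Kelp DAO or LayerZero: it decodes an ABI-encoded verifier config and flags any setup where a single DVN attestation is enough to verify a message. The field layout (modelled on LayerZero V2's UlnConfig struct, assumed to be the resolved config), the function names and the sample addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

WORD = 32  # ABI word size in bytes
UlnConfig = namedtuple("UlnConfig", "confirmations required_dvns optional_dvns optional_threshold")

def word(buf: bytes, off: int) -> int:
    if off + WORD > len(buf):
        raise ValueError("truncated config")
    return int.from_bytes(buf[off:off + WORD], "big")

def addresses(buf: bytes, off: int) -> list:
    # Dynamic address[]: a length word, then one right-aligned 20-byte address per word.
    return ["0x" + format(word(buf, off + WORD * i) & ((1 << 160) - 1), "040x")
            for i in range(1, word(buf, off) + 1)]

def decode_uln_config(raw: bytes) -> UlnConfig:
    base = word(raw, 0)  # abi.encode of a dynamic struct starts with its offset
    conf, req_n, opt_n, thr = (word(raw, base + WORD * i) for i in range(4))
    required = addresses(raw, base + word(raw, base + WORD * 4))
    optional = addresses(raw, base + word(raw, base + WORD * 5))
    if (req_n, opt_n) != (len(required), len(optional)):
        raise ValueError("DVN count fields disagree with array lengths")
    return UlnConfig(conf, required, optional, thr)

def dvn_quorum(cfg: UlnConfig) -> int:
    # Attestations needed to verify a message: every required DVN plus the optional threshold.
    return len(cfg.required_dvns) + cfg.optional_threshold

def audit(cfg: UlnConfig, min_quorum: int = 2) -> list:
    findings = []
    if dvn_quorum(cfg) < min_quorum:
        findings.append(f"quorum {dvn_quorum(cfg)}: one faulty or compromised DVN can verify a message")
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("optional threshold exceeds number of optional DVNs")
    return findings

def encode_sample(conf, required, optional, thr) -> bytes:  # builds constructed test input
    w = lambda n: n.to_bytes(WORD, "big")
    arr = lambda a: w(len(a)) + b"".join(bytes(12) + bytes.fromhex(x[2:]) for x in a)
    req = arr(required)
    head = w(conf) + w(len(required)) + w(len(optional)) + w(thr) + w(6 * WORD) + w(6 * WORD + len(req))
    return w(WORD) + head + req + arr(optional)

# Constructed samples (placeholder addresses, not taken from the incident)
SINGLE_DVN = encode_sample(15, ["0x" + "11" * 20], [], 0)
HARDENED = encode_sample(15, ["0x" + "11" * 20, "0x" + "22" * 20], ["0x" + "33" * 20, "0x" + "44" * 20], 1)

if __name__ == "__main__":
    for name, raw in (("single", SINGLE_DVN), ("hardened", HARDENED)):
        print(name, audit(decode_uln_config(raw)))
```
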

Hackers exploited Aave to escape, reportedly causing bad debt.

Due to the limited trading liquidity of rsETH itself, the hacker chose an exit strategy of using lending protocols such as Aave to collateralize rsETH and borrow wETH, which has better trading liquidity.

PeckShield Alert monitoring shows that, as of 4:30 AM today, the hacker address has deposited the stolen rsETH into lending protocols such as Aave V3, Compound V3, and Euler, and has borrowed a large amount of WETH, with total debt exceeding $236 million—of which Aave alone accounts for $196 million, Compound for $39.4 million, and Euler for just $840,000.

Following the incident, Aave immediately froze the rsETH market on Aave V3 and V4. The team later issued an official statement on X: "Aave's contracts were not compromised; the attack was related to rsETH. Freezing rsETH was done to prevent new rsETH deposits and collateralized borrowing while the situation is assessed. We are reviewing rsETH borrowings on Aave that occurred after the attack and will share further details as soon as possible."

Shortly after the initial statement was released, Aave updated the post, adding at the end: "If this incident results in bad debt for the protocol, we will explore ways to cover the shortfall."

As of the time of writing, the exact amount of bad debt caused by this incident remains unclear.

monetsupply.eth, strategic lead at Spark, Aave’s direct competitor, said that if rsETH trades at a 19% discount (equivalent to 19% of the total rsETH supply being stolen), Aave could face over $100 million in bad debt due to highly leveraged circular lending.

However, Marc Zeller, founder of the Aave Chan Initiative (ACI), the representative governance team of the Aave ecosystem (who has announced his departure from Aave in July due to governance disagreements), offered a different perspective. Shortly after the incident, Zeller advised users to withdraw WETH from Aave V3 as soon as possible to avoid losses, and confirmed that the USDC and USDT markets on Aave were unaffected. In response to another user’s speculation that bad debt might reach hundreds of millions, he stated: “Far less than that number.”

But Marc Zeller also noted that it’s time to test Umbrella in a real production environment. Umbrella, Aave’s automated safety module, is essentially a reserve pool for covering bad debt—users can deposit assets into it to earn higher incentives, but the pool also assumes potential losses if the protocol incurs bad debt.

Aave protocol data shows that approximately $50 million worth of WETH is currently available within Umbrella to address potential bad debts from this event, though it is still uncertain whether this amount will be sufficient to cover the shortfall.

Affected by this event, AAVE dropped nearly 10% in the short term, trading at 104.6 USDT as of writing.

Another billion-dollar security incident in April

This is not the first major security incident this month.

On April 1, the Solana ecosystem derivatives trading protocol Drift Protocol suffered an attack, resulting in losses of up to $280 million (see April Fools’ Joke? Drift Protocol Stolen Over $280 Million, Possibly the Second-Largest DeFi Heist on Solana).

After the incident, Drift Protocol directly blamed the theft on "North Korean hackers," but fortunately, institutions such as Tether have pledged $147.5 million to compensate users, giving users at least some hope of recovery.

Just over ten days have passed, and another, larger hacking incident has occurred—how will this one end?

Are there still safe places in DeFi?

Security issues in DeFi are intensifying.

On one side, there are constant hacking incidents; on the other, ongoing security threats posed by AI systems like Mythos (see Odaily Interview with Yu Xian: How Did the Anthropic Nuclear-Level Model Leak Impact Crypto Security Defense?). For DeFi users, the previous response was to consolidate funds into well-audited, reputable top-tier protocols. But now, even Aave—a top protocol that retail users rarely suspect of issues—has been indirectly affected. Where else can users move their funds?

Personally, I do not currently recommend that users keep large amounts of funds on-chain; if there is a genuine need, please ensure proper diversification and isolation of your positions.

As of publication, many details regarding this incident remain unclear. Odaily will continue to monitor developments—please stay tuned.
