🚨 Kelp DAO hacked for $292M, Aave caught in the crossfire #5PC This morning (April 19) at approximately 0:35 VN time, the rsETH bridge contract of Kelp DAO (the second-largest liquid restaking protocol after https://t.co/4ePd4lro3h, built on LayerZero) was exploited by a hacker, resulting in a loss of 116,500 rsETH ($292M). The hacker withdrew 1 ETH from Tornado Cash to cover gas fees and gained control of the bridge (initial analysis suggests the private key was compromised). They then used this key to forge a transfer request via LayerZero, draining all 116,500 rsETH to their own address. The attack succeeded so easily because the bridge relied on a single validator (1/1 DVN) with no cross-checks. The hacker later attempted to withdraw an additional 40,000 rsETH (~$100M), but failed as Kelp had promptly paused all contracts. Since rsETH has low liquidity and cannot be sold directly, the hacker opted to collateralize rsETH across lending protocols and borrowed wETH. By 2:30 AM VN time today, the total debt created by the hacker exceeded $236M: - Aave V3: $196M - Compound V3: $39.4M - Euler: $840K Aave has frozen the rsETH market on both V3 and V4, confirming its contracts were not hacked, and pledged to cover any potential bad debt. According to estimates from Spark (Aave’s direct competitor), if rsETH’s price drops by 19% (reflecting the stolen amount as 19% of total rsETH supply), Aave could face over $100M in bad debt due to high-leverage looping borrowings. Both $KERNEL and $AAVE have dropped more than 10% following the hack.