$291 million lost in 46 minutes, shaking the entire DeFi ecosystem—Aave unable to process withdrawals. Last Saturday evening, multiple on-chain analysts simultaneously noticed that 116,500 rsETH tokens, valued at approximately $291 million (around 9.3 billion THB), had vanished from Kelp DAO’s bridge within 46 minutes. But the damage had only just begun. Within the next 24 hours, the shockwave didn’t stop at Kelp—it spread to Aave, the largest lending platform in DeFi, triggering over $6.2 billion (roughly 210.8 billion THB) in total outflows. This became the “biggest DeFi hack of 2026,” surpassing the recent Drift Protocol incident earlier this month. 📌 Overview of the Event 🔹 Perpetrator: A wallet funded via Tornado Cash (a transaction obfuscation tool) approximately 10 hours before the attack. 🔹 Primary Victim: Kelp DAO, an Ethereum liquid restaking protocol that issues rsETH as a receipt for ETH deposits, enabling dual-layer yield generation. 🔹 Secondary Victims: Aave, Compound, and Euler—all of which accepted rsETH as collateral. How could a global bridge built on LayerZero, managing rsETH reserves across more than 20 chains, be compromised by just one fake message? And how could a vulnerability in a restaking project cause Aave—with over $26 billion in TVL—to experience a full-system withdrawal freeze? 1) Approximately 10 hours before Saturday – Preparation: Funds were deposited into the attacker’s wallet via Tornado Cash to cover gas fees and obscure transaction trails. 2) 17:35 UTC Saturday – Bridge Exploit: The hacker sent a “phantom message” to LayerZero EndpointV2, tricking it into believing a legitimate cross-chain command had been issued. As a result, Kelp’s bridge released 116,500 rsETH onto the Ethereum network without reducing the corresponding amount on the source chain—creating a single point of failure. 3) Immediately After – Conversion to Bad Debt: Instead of fleeing with the rsETH, the attacker used it as collateral on Aave V3/V4, Compound V3, and Euler to borrow WETH, generating what Francesco Andreoli of Consensys/MetaMask called “massive bad debt”—totaling over $236 million. 4) 18:21 UTC – Kelp Activates Emergency Protocol: 46 minutes after the bridge breach, Kelp DAO’s Emergency Multisig halted all rsETH smart contracts on Ethereum mainnet and all Layer-2 networks. 5) Saturday Night – On-chain Investigators Sound the Alarm: ZachXBT publicly posted alerts, prompting DeFi security teams worldwide to begin coordinated investigations. 6) Shortly After – Aave Locks Down rsETH Markets: Aave froze rsETH trading on both V3 and V4, followed by SparkLend, Fluid, and Lido Earn, which progressively suspended products involving rsETH. 7) Sunday Morning – Aave’s Main Lending Pool Hits 100% Utilization Rate: This meant users who had previously deposited ETH or wETH had almost no liquidity left to withdraw. 8) Sunday Afternoon – Withdrawal Run Turns Into a Wave: Users unable to withdraw turned to borrowing stablecoins using their deposits as collateral, further squeezing liquidity. 0xngmi, co-founder of DefiLlama, reported that Aave experienced a net outflow of $6.2 billion in a single day—equivalent to a -23% drop in TVL.. 9) The coin price began to rebound; AAVE dropped 16% to $90.13, and ETH fell 2% to $2,300 (approximately 73,800 THB). . 10) Justin Sun joined the conversation; the founder of Tron posted on X, proposing direct negotiations with the hacker, arguing that “in the end, the stolen funds are unusable, and it’s not worth taking down Aave and Kelp DAO together.” . 11) Ongoing operations were blocked; the hacker attempted to drain an additional two rounds of rsETH, totaling over 40,000 tokens (approximately $100 million), but was immediately blocked after Kelp paused the contract. . 12) Statements from Kelp DAO and LayerZero: Both parties are conducting a Root Cause Analysis (RCA) jointly with Unichain, auditors, and SEAL Org, a blockchain security incident response team. . 🔍 Implications Revealing DeFi Structural Vulnerabilities . This incident exposes two major vulnerabilities simultaneously. First, the risk inherent in cross-chain bridges: even if code on a single chain is secure, communication across chains introduces critical failure points in message verification systems—similar patterns have been seen previously in Ronin, Wormhole, and Nomad. Second, the over-reliance on a single collateral asset across multiple protocols: when rsETH encountered issues, Aave, Compound, and Euler were immediately affected—even though their own contracts were not directly compromised. . Kelp DAO’s direct losses amount to $292 million, approximately $250 million of which has already been converted to ETH. Aave’s specific bad debt stands at around $196 million, potentially exceeding the coverage capacity of the Umbrella Reserve (Aave’s compensation fund), meaning stkAAVE holders (those who stake AAVE to secure the system) may need to absorb the remaining losses. . A thought-provoking question: If today you were an ETH depositor in Aave unable to withdraw your funds simply because someone else deposited counterfeit assets into the same pool—would you still trust cross-chain DeFi? . #KelpDAO #Aave #DeFi #rsETH #LayerZero