Kelp DAO suffers $293 million exploit impacting DeFi liquidity and Aave's stability

Here's what it means for you.
If you’re involved in decentralized finance (DeFi), this exploit could impact your investments and liquidity options.
Why it matters
This incident highlights systemic vulnerabilities in DeFi lending and cross-chain protocols, raising concerns about the stability of the entire ecosystem.
What happened (in 30 seconds)
- On April 18, 2026, Kelp DAO suffered a $293 million exploit through a vulnerability in its LayerZero bridge.
- An attacker minted 116,500 unbacked rsETH tokens, representing 18% of the circulating supply, and used them as collateral on Aave.
- The exploit triggered a liquidity crisis, leading to over $6 billion in withdrawals from Aave and a $13 billion drop in total DeFi value locked (TVL).
The context you actually need
- Liquid restaking protocols like Kelp DAO allow users to restake ETH while maintaining liquidity, but they come with inherent risks.
- Cross-chain bridges, particularly those using LayerZero, have been identified as high-risk areas in DeFi due to past verification flaws.
- Kelp's reliance on a single Decentralized Verifier Network (DVN) significantly increased its vulnerability, because it reduced the bridge's security to one validator's key.
What's really happening
On April 18, 2026, at 17:35 UTC, an attacker exploited Kelp DAO's LayerZero bridge by sending a forged cross-chain message. This manipulation tricked the protocol into minting 116,500 unbacked rsETH tokens, valued at $293 million. The attacker then deposited these tokens as collateral on Aave V3 and V4, allowing them to borrow genuine Wrapped Ether (WETH) by exploiting the supply and borrow caps set by the protocol.
The exploit was executed with precision, as the attacker used a Tornado Cash-funded wallet to obscure their identity. Within 46 minutes of the initial exploit, Kelp's emergency multisig team froze core contracts, preventing two additional attempts to drain $80 million. Simultaneously, Aave's Guardian and Security Council intervened to freeze rsETH markets across its deployments.
The aftermath was swift and severe. Aave faced an estimated $177–236 million in bad debt, primarily linked to rsETH-WETH pairs. This prompted urgent governance discussions regarding potential mitigation strategies, including the deployment of an Umbrella insurance fund, user haircuts, or even hacker bounties. As a result, Aave's total value locked (TVL) plummeted from $26.4 billion to $18 billion, reflecting a significant loss of confidence in the platform.
The broader DeFi ecosystem was not spared; total TVL across all protocols contracted by $13 billion, as users rushed to withdraw their funds amid contagion fears. Protocols such as SparkLend, Fluid, Upshift, and Morpho took precautionary measures by isolating or pausing their exposure to rsETH. LayerZero attributed the breach to Kelp's single-DVN setup, while Kelp contested this, claiming it was an infrastructure attack rather than a flaw in their verification process.
The incident has raised alarms about the structural risks inherent in DeFi lending and restaking protocols, particularly as the sector continues to grow. The exploit underscores the need for enhanced security measures and diversified verification systems to protect against similar vulnerabilities in the future.
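The single-DVN risk described above can be made concrete with a small model. This is an added example, not Kelp's or LayerZero's code and not a reconstruction of the incident: the verifier names, keys, message fields and the `accept_mint` function are all hypothetical, and HMAC stands in for a real signature scheme. It shows the same mint message being accepted when one verifier is trusted and rejected when two of three must agree.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed verifier keys (assumption); HMAC stands in for real signatures.
DVN_KEYS = {n: f"constructed-key-{n}".encode() for n in ("dvn-a", "dvn-b", "dvn-c")}

@dataclass(frozen=True)
class MintMessage:
    src_chain: str
    nonce: int
    recipient: str
    amount: int  # token units to mint on the destination chain

    def digest(self) -> bytes:
        body = f"{self.src_chain}|{self.nonce}|{self.recipient}|{self.amount}"
        return hashlib.sha256(body.encode()).digest()

def attest(dvn, key, msg):
    """Attestation that a verifier, or anyone holding its key, can produce."""
    return dvn, hmac.new(key, msg.digest(), hashlib.sha256).digest()

def valid_attesters(msg, attestations, trusted):
    """Distinct trusted verifiers whose attestation over msg checks out."""
    ok = set()
    for dvn, tag in attestations:
        if dvn in trusted and dvn in DVN_KEYS:
            _, expected = attest(dvn, DVN_KEYS[dvn], msg)
            if hmac.compare_digest(tag, expected):
                ok.add(dvn)  # a set, so repeats from one verifier count once
    return ok

def accept_mint(msg, attestations, trusted, threshold):
    """Mint only when at least `threshold` distinct verifiers agree."""
    if not 1 <= threshold <= len(trusted):
        raise ValueError("threshold must be between 1 and len(trusted)")
    return len(valid_attesters(msg, attestations, trusted)) >= threshold

# Constructed message with no source-chain deposit behind it, attested only
# with the one key assumed to be compromised (dvn-a).
unbacked = MintMessage("source-chain", 7, "0xRecipientPlaceholder", 116_500)
stolen_key_attestation = [attest("dvn-a", DVN_KEYS["dvn-a"], unbacked)]

# 1-of-1: the single key is the whole security boundary.
single_dvn = accept_mint(unbacked, stolen_key_attestation, {"dvn-a"}, 1)
# 2-of-3: one compromised key is not enough to authorize the mint.
quorum_2_of_3 = accept_mint(unbacked, stolen_key_attestation, set(DVN_KEYS), 2)
```

Counting distinct verifiers rather than attestations matters: replaying the same verifier's attestation several times must not satisfy the threshold.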
Who feels it first (and how)
- DeFi investors: Those holding rsETH or involved in lending protocols face immediate financial exposure and potential losses.
- Aave users: Borrowers and liquidity providers on Aave may experience reduced liquidity and increased borrowing costs.
- Developers and protocol teams: Increased scrutiny and pressure to enhance security measures and governance frameworks.
- Regulatory bodies: Heightened interest in the risks associated with DeFi, potentially leading to new regulations.
What to watch next
- Governance proposals from Aave: Watch for decisions regarding bad debt mitigation strategies, as these will influence user confidence and liquidity.
- Market reactions to DeFi protocols: Monitor how other DeFi platforms respond to this incident, particularly regarding security upgrades and liquidity management.
- Regulatory developments: Keep an eye on potential regulatory responses to the exploit, which could reshape the DeFi landscape.
The exploit resulted in a $293 million loss for Kelp DAO and significant bad debt for Aave.
Other DeFi protocols will reassess their security measures and governance structures in light of this incident.
The long-term impact on user trust and participation in DeFi lending and restaking protocols remains uncertain.