Kelp DAO suffers $292 million exploit impacting Aave protocol

This incident underscores vulnerabilities in cross-chain protocols, potentially shaking confidence in decentralized finance.

• Kelp DAO suffered a $292 million exploit on April 18, 2026, through its LayerZero bridge, minting unbacked rsETH tokens.
• Aave faced approximately $196 million in bad debt after these tokens were used as collateral to borrow real ETH, triggering liquidity crises.
• DeFi United formed to address the fallout, pledging over $160 million to cover the shortfall without treasury emissions.

• Kelp DAO operates as a liquid restaking protocol, allowing users to earn yields while maintaining liquidity, which is crucial in the current DeFi landscape.
• LayerZero's single-verifier setup was exploited, despite prior warnings, highlighting risks in cross-chain configurations as protocols expand across multiple networks.
• Aave's liquidity crisis led to $18 billion in outflows, reducing its total value locked (TVL) from $48.5 billion to $30.7 billion, indicating a significant loss of trust in the platform.

On April 18, 2026, at 17:35 UTC, attackers exploited vulnerabilities in Kelp DAO's LayerZero bridge by forging a cross-chain message. This action led to the minting of 116,500 unbacked rsETH tokens, valued at $292 million. These tokens were then deposited on Aave V3 as collateral to borrow approximately $196 million in ETH. The exploit occurred amid a booming restaking sector, where protocols like Kelp were rapidly expanding their multi-chain deployments across over 20 networks, including Arbitrum, Base, and Mantle.

Kelp DAO paused its core contracts shortly after the exploit was detected at 18:21 UTC. In response, Aave and other protocols froze rsETH markets within hours, averting immediate liquidations but triggering a massive liquidity crisis. The incident resulted in an estimated $18 billion in outflows from Aave, significantly reducing its TVL. Incident reports from Aave Labs and LlamaRisk estimated the bad debt at between $124 million and $230 million, indicating the scale of the financial impact.

In the aftermath, Arbitrum's Security Council took action by freezing $71 million in linked ETH to mitigate further losses. By April 23, DeFi United was formed under Aave leadership to coordinate recovery efforts. This coalition included significant pledges from various protocols, such as Aave's 25,000 ETH (approximately $58 million), Mantle's 30,000 ETH loan, and Lido's 2,500 stETH (valued at $5.8 million), totaling over $160 million in community contributions by April 26.

The exploit has drawn attention to the vulnerabilities inherent in cross-chain bridges, particularly those relying on single-verifier setups. LayerZero attributed the attack to North Korea's Lazarus Group, suggesting that sophisticated actors are increasingly targeting DeFi protocols. The incident has raised questions about the security measures in place across the DeFi landscape and the potential for future exploits.

• DeFi Users: Those who use Aave and similar platforms may face reduced liquidity and borrowing options.
• Investors: Holders of AAVE tokens experienced an initial decline of 18-20% in value, impacting their portfolios.
• Developers: Teams working on cross-chain protocols may need to reassess security measures and configurations to prevent similar exploits.
• Regulators: Increased scrutiny on DeFi protocols may arise, leading to potential regulatory changes affecting operations.

• Recovery Fund Progress: Monitor how effectively DeFi United manages the recovery fund and whether it can stabilize Aave's liquidity. This will indicate the resilience of community-driven recovery efforts.
• Security Enhancements: Watch for announcements regarding security upgrades across cross-chain protocols, particularly those using LayerZero technology. This will reveal how the industry adapts to vulnerabilities.
• Market Reactions: Observe the price movements of AAVE and other DeFi tokens in the wake of this exploit. Significant fluctuations could signal ongoing market instability or recovery.