Kelp DAO's rsETH bridge hit in $292M exploit; attacker borrows WETH on Aave, markets frozen

A major DeFi security incident unfolded on April 19 (Beijing time) after Kelp DAO's rsETH bridge contract—built on LayerZero and tied to the protocol described as the second-largest liquid staking project—was allegedly exploited. Onchain data indicates the attacker siphoned about 116,500 rsETH, valued near $292 million, around 1:35 a.m. Transaction traces show the attacker address received 1 ETH roughly 10 hours earlier from the mixer Tornado Cash, then invoked the lzReceive function on the LayerZero EndpointV2 contract. That call prompted Kelp's bridge contract to transfer 116,500 rsETH to another attacker-controlled address.

About two and a half hours later, Kelp DAO confirmed the attack on X, saying it detected suspicious cross-chain activity involving rsETH and had paused rsETH contracts on mainnet and multiple Layer2 networks while auditors coordinated with security experts from LayerZero and Unichain. The team said it would provide updates via official channels.

Post-incident analysis circulated widely in the community. D2 Finance argued that LayerZero Scan identified Kelp DAO as the endpoint source and that the message appeared to originate from Kelp's legitimately deployed endpoint contract, with the pathway previously logging 308 message nonces. Based on this, the analysis attributed the incident to a compromise of the source chain's private key. TinyHumans AI developer Steven Enamakel added that the setup was secured by a 1/1 validator set (DVN), meaning a single incorrect validator transaction could be enough to trigger failure.

With rsETH liquidity limited, the attacker reportedly sought an exit by using lending markets—depositing rsETH as collateral and borrowing the more liquid WETH. PeckShield Alert said that by 4:30 a.m., the attacker had deposited stolen rsETH into Aave V3, Compound V3, and Euler, borrowing WETH with total debt exceeding $236 million. Aave accounted for about $196 million, Compound about $39.4 million, and Euler roughly $840,000.
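
To illustrate the 1/1 DVN point raised above, the following Python example (added here; it is not code from Kelp DAO, LayerZero or the original report) counts how many independent verifier operators must be compromised before a forged cross-chain message would verify. The PathwayConfig model, its field names and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PathwayConfig:
    """Hypothetical model of one cross-chain pathway's verifier (DVN) settings."""
    name: str
    required_dvns: list            # every one of these must attest a message
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0    # how many optional DVNs must also attest

def keys_to_forge(cfg):
    """Fewest distinct verifier operators whose compromise lets a forged message verify."""
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns}
    if cfg.optional_threshold > len(optional):
        raise ValueError(f"{cfg.name}: threshold exceeds optional DVN count")
    # An optional DVN that is also a required one adds no independent signer.
    overlap = len(required & optional)
    return len(required) + max(0, cfg.optional_threshold - overlap)

def audit(configs, minimum=2):
    """Return (name, keys) for every pathway that falls below the minimum."""
    findings = []
    for cfg in configs:
        keys = keys_to_forge(cfg)
        if keys < minimum:
            findings.append((cfg.name, keys))
    return findings

# Constructed sample data: placeholder addresses, not real deployments.
A, B, C, D = ("0x" + ch * 40 for ch in "abcd")
SAMPLE = [
    PathwayConfig("one-of-one", [A]),
    PathwayConfig("two-required-plus-1-of-2", [A, B], [C, D], 1),
    # Same operator listed twice with different letter case: still one key.
    PathwayConfig("duplicate-signer", [A], ["0x" + "A" * 40, C], 1),
]

if __name__ == "__main__":
    for name, keys in audit(SAMPLE):
        print(f"{name}: forged message needs only {keys} compromised verifier(s)")
```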

Aave responded by freezing the rsETH market on Aave V3 and V4. In a statement on X, the team said Aave's contracts were not compromised and that the incident was related to rsETH; the freeze was intended to block new rsETH deposits and collateralized borrowing while the situation was assessed. Aave said it was reviewing rsETH borrowings that occurred after the exploit and would share more details. The protocol later updated the post, adding that if the incident created bad debt, it would explore ways to cover any shortfall. As of publication, the size of any resulting bad debt remains uncertain.

monetsupply.eth, strategic lead at Spark (an Aave competitor), said that if rsETH traded at a 19% discount—equating that to 19% of total rsETH supply being stolen—Aave could face more than $100 million in bad debt due to highly leveraged circular lending. Marc Zeller, founder of the Aave Chan Initiative (ACI) and a key governance figure who has said he will leave Aave in July amid governance disputes, pushed back on extreme estimates. Shortly after the exploit, he urged users to withdraw WETH from Aave V3 to reduce risk and said Aave's USDC and USDT markets were unaffected. Responding to speculation that bad debt could reach hundreds of millions, Zeller said: “Far less than that number.” Zeller also said the event would effectively test Umbrella, Aave's automated safety module designed as a reserve pool to absorb bad debt. Protocol data shows roughly $50 million of WETH available in Umbrella to address potential losses tied to the incident, though it remains unclear whether that would be sufficient.

Market reaction was swift. AAVE fell nearly 10% intraday, trading around 104.6 USDT at the time of writing.

The incident follows another major April security event. On April 1, Solana-based derivatives platform Drift Protocol was attacked, with losses reported as high as $280 million. Drift attributed the theft to "North Korean hackers," and organizations including Tether pledged $147.5 million toward user compensation.

With details of the Kelp DAO exploit still emerging, concerns are growing about the security outlook for DeFi amid frequent hacks and rising threats linked to AI systems such as Mythos. The original report argued that users may need to reduce large onchain exposures and, where necessary, diversify and isolate positions. Further updates are expected as investigations continue.