Decentralized lending platform Aave is assessing the fallout from a major exploit involving Kelp DAO, after attackers stole 116,500 Restaked Ether (rsETH) tokens valued at approximately $293 million. The breach began over the weekend when compromised nodes linked to a LayerZero powered bridge allowed the attacker to forge a transfer message that appeared legitimate, enabling the minting of rsETH tokens.
The stolen tokens were later used as collateral on Aave V3 to borrow wrapped Ether (wETH), creating a potential bad debt situation within the lending protocol. Following the attack, Kelp DAO paused affected smart contracts across Ethereum mainnet and several layer 2 networks and blacklisted wallets connected to the exploiter, preventing an additional theft of about 40,000 rsETH worth an estimated $95 million.
Two Bad Debt Scenarios Highlight Potential DeFi Contagion Risks
Risk management firm LlamaRisk modeled two possible outcomes for handling the losses. The first scenario spreads the shortfall across rsETH holders on Ethereum and layer 2 networks, resulting in around $123.7 million in bad debt but risking a 15% depeg of rsETH from Ether. Under this model, Aave’s Umbrella security system and unstaking reserves, including 18,922 aWETH tokens valued near $43.7 million, could help absorb losses.
The second scenario shifts all losses to layer 2 networks such as Arbitrum and Mantle, increasing potential bad debt to approximately $230.1 million but reducing risks to Ethereum mainnet. Aave’s treasury, holding about $181 million, may also be used to manage the financial impact as Kelp DAO continues working with partners to determine the safest recovery path.
Disclaimer
This content is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency trading involves risk and may result in financial loss.