DeFi security faced another major setback after Kelp DAO suffered a massive exploit involving its rsETH bridge contract, resulting in losses worth nearly $292 million. The incident quickly spread concern across the crypto market, especially after the stolen assets were moved into Aave and other major lending protocols, raising fears of bad debt and wider protocol risk.
What Happened in the Kelp DAO Hack?
The Kelp DAO hack happened when attackers exploited the rsETH bridge contract built on LayerZero and stole around 116,500 rsETH, valued at approximately $292 million. On-chain records showed the attacker triggered the lzReceive function through LayerZero’s EndpointV2 contract, allowing the bridge to transfer the assets to a wallet under the hacker’s control.
How Did the Hack Happen?
Security researchers believe the hack happened because the source chain private key was compromised, allowing a legitimate-looking malicious message to pass through the bridge system. Since the contract was protected by a 1/1 validator setup, a single compromised validator created a dangerous single point of failure that made the exploit possible.
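The single point of failure described above can be shown with a small quorum model. This is an added example, not code from Kelp DAO or LayerZero: the verifier names, keys and message are constructed, HMAC stands in for the verifiers' real signature scheme, and `quorum_met` and `audit_config` are hypothetical helpers.

```python
import hashlib
import hmac

# Constructed verifier keys (placeholders, not real key material).
VERIFIER_KEYS = {
    "verifier-a": b"key-a-constructed",
    "verifier-b": b"key-b-constructed",
    "verifier-c": b"key-c-constructed",
}


def attest(verifier_id: str, key: bytes, message: bytes) -> tuple[str, bytes]:
    """Produce one verifier's attestation over a cross-chain message."""
    return verifier_id, hmac.new(key, message, hashlib.sha256).digest()


def quorum_met(message, attestations, trusted, threshold):
    """Accept only if `threshold` distinct trusted verifiers attested."""
    if not 1 <= threshold <= len(trusted):
        raise ValueError("threshold must be between 1 and len(trusted)")
    valid = set()
    for verifier_id, tag in attestations:
        key = trusted.get(verifier_id)
        if key is None:
            continue  # unknown verifier: ignored
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            valid.add(verifier_id)  # a set, so duplicates count once
    return len(valid) >= threshold


def audit_config(trusted, threshold):
    """Return findings for a verifier configuration."""
    findings = []
    if threshold == 1:
        findings.append("single-attestation: one key compromise forges messages")
    if len(trusted) == 1:
        findings.append("single-verifier: no independent check exists")
    return findings


# Constructed message that never originated on the source chain.
FORGED = b"constructed: release rsETH to unauthorised address"
# Assumption for the demo: exactly one key (verifier-a) is compromised.
stolen = [attest("verifier-a", VERIFIER_KEYS["verifier-a"], FORGED)]

one_of_one = {"verifier-a": VERIFIER_KEYS["verifier-a"]}
print("1/1 accepts forged message:", quorum_met(FORGED, stolen, one_of_one, 1))
print("2/3 accepts forged message:", quorum_met(FORGED, stolen * 2, VERIFIER_KEYS, 2))
print("1/1 findings:", audit_config(one_of_one, 1))
```

With a 2-of-3 threshold the same compromised key is not enough, even when its attestation is submitted twice, because only distinct verifiers are counted.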
Why Did Aave Become Involved?
Aave became involved because the hacker used the stolen rsETH as collateral to borrow large amounts of WETH, an asset with stronger liquidity. By depositing the stolen assets into Aave V3, Compound V3, and Euler, the attacker borrowed more than $236 million, with Aave alone accounting for nearly $196 million of the total exposure.
How Did Aave Respond to the Attack?
Aave responded by freezing the rsETH markets on both V3 and V4 to stop new deposits and prevent further borrowing against the affected asset. The team clarified that Aave itself was not directly exploited, but because the protocol could still face bad debt from the borrowed funds, it also prepared to use its Umbrella safety module to help cover potential losses.
Why Is This Hack Important?
This hack is important for DeFi because it shows how a failure in one protocol can quickly spread risk across multiple major platforms. Even though the exploit started at Kelp DAO, the movement of stolen funds into lending protocols like Aave created broader concerns about liquidity, collateral safety, and whether even top-tier DeFi platforms can fully protect users from indirect exposure.
Conclusion
The Kelp DAO exploit became one of the largest DeFi hacks of the year, not only because of the $292 million loss but because of how quickly it affected major protocols like Aave. It highlighted how bridge security failures can trigger wider market stress and reminded users that even leading DeFi platforms remain vulnerable to risks beyond their own smart contracts.




















