Aave Faces Up to $230M Risk After Kelp DAO and LayerZero Bridge Exploit

A recent DeFi exploit involving Kelp DAO and the LayerZero bridge has placed lending protocol Aave at risk of losses reaching as high as $230 million. The incident highlights growing concerns around cross-chain security, liquid restaking tokens, and systemic risks in decentralized finance.

According to a joint report by Aave Labs and LlamaRisk, the issue revolves around rsETH, a liquid restaking token issued by Kelp DAO. The exploit targeted the cross-chain bridge mechanism used to transfer rsETH between networks. Normally, tokens are locked on one blockchain while equivalent tokens are minted on another. However, the attacker manipulated this process by forging a transfer message that appeared legitimate, allowing unbacked tokens to be created.

As a result, approximately 116,500 rsETH were released on Ethereum without proper collateral backing. Instead of selling the assets, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed around $190 million in ETH and other assets across Ethereum and Arbitrum. This move exposed Aave to potentially undercollateralized loans tied to compromised assets.

Aave responded quickly by freezing rsETH markets, setting loan-to-value ratios to zero, and halting new borrowing against the token. Despite these measures, the final financial impact depends on how Kelp DAO manages the deficit. If losses are distributed across all rsETH holders, the token could experience a 15% depeg, leading to an estimated $124 million in bad debt for Aave. If losses are isolated to Layer 2 networks, such as Arbitrum and Mantle, the bad debt could climb to $230 million.

The exploit underscores vulnerabilities in cross-chain messaging validation. While LayerZero itself was not directly compromised, weaknesses in Kelp’s verification process enabled the attack. Following the incident, Aave saw roughly $6 billion in total value locked withdrawn, signaling reduced user confidence.

With Kelp DAO’s treasury holding about $181 million, discussions are ongoing to resolve the situation. This event emphasizes the interconnected risks within DeFi ecosystems, particularly when relying on external protocols and bridges.