Table of Contents
ToggleOn April 21, Aave released an update on the rsETH incident on its governance forum, citing an assessment report from risk service provider LlamaRisk and formally proposing two bad debt handling solutions. The two sets of figures differ by nearly $100 million—this choice will determine who ultimately bears the cost of the biggest DeFi attack of 2026.
The root of the incident can be traced back to April 18th. Attackers exploited a vulnerability in Kelp's LayerZero V2 cross-chain bridge to mint 116,500 rsETH without any corresponding destruction, directly undermining the backing of rsETH and triggering a chain reaction of collateral crisis on Aave.
Two plans, one political question
The two scenarios listed in the LlamaRisk report are essentially a political question about risk allocation: should the losses be borne by everyone, or only by holders on a specific chain?
Scenario 1 advocates for "socialized loss," with all rsETH holders across the entire chain sharing the burden. The report estimates that approximately 15% of rsETH will decouple, causing about $124 million in bad debt for Aave. The logic behind this plan is risk-sharing, but the cost is that even rsETH holders on the Ethereum mainnet will be affected.
Scenario 2 advocates "L2 isolation," limiting losses to rsETH on the L2 chain while retaining the full rsETH on the Ethereum mainnet. This sounds fairer, but the numbers are actually worse when calculated: cross-chain collateral is subject to a 73.54% haircut, causing Aave's estimated bad debt burden to surge to approximately $230.1 million, with the Mantle chain accounting for 71.45% of the shortfall and Arbitrum for 26.67%.
Scenario 1: 15% decoupling, bad debts of $124 million
The core logic of the socialized solution is to have all rsETH holders proportionally share the losses caused by the tokens fabricated by the attacker. LlamaRisk estimates that this will result in a systemic decoupling of approximately 15% of rsETH, ultimately leading to a loss of approximately $124 million for the Aave protocol.
While this number is large, compared to scenario two, it's still the lesser of two evils. The question is, are rsETH holders who have never operated near L2 cross-chain bridges on the Ethereum mainnet willing to pay for the cross-chain risks of others? This political question is more difficult to answer than the technical one.
Scenario 2: L2 isolation, yet bad debts surge to $230 million
The seemingly "precisely segmented" L2 isolation solution has even more alarming figures. The report shows that once the 73.54% haircut is used to discount cross-chain collateral, Aave's gaps on both L2 chains will be concentrated: the Mantle chain will bear about 71.45% of the loss gap, while the Arbitrum chain will account for 26.67%.
In total, Aave's estimated bad debt is approximately $230.1 million—nearly $100 million more than Scenario One.
Behind the numbers lies another point of tension: the Aave DAO protocol's vault currently holds approximately $181 million. This means that if scenario two is adopted, the DAO vault will not only be completely depleted, but will also have a shortfall of approximately $49 million, requiring external funding to fill the gap.
The $124 million loss in Scenario 1 could be partially absorbed by the vault; however, the $230 million loss in Scenario 2 directly cornered the DAO.
Aave stated that DAO service providers, together with ecosystem participants, have led efforts to cover bad debts and have secured several initial commitments from various parties. However, the specific amounts and sources of these commitments have not yet been publicly disclosed.
The final choice between the two scenarios is expected to be decided through an Aave governance vote. Community members holding AAVE tokens will cast their crucial vote in this allocation of over $200 million in costs.
Related reports
A comprehensive review of the KelpDAO incident
Ethena, ether.fi, and 10+ other DeFi protocols cut off Layer Zero.
The $292 million vulnerability in Kelp DAO was warned of 12 days ago.
