Analysis of the $280 million KelpDAO rsETH attack and the AAVE bad debt crisis
Event Summary : On the afternoon of April 18, 2026, KelpDAO's rsETH liquid restaking token bridging mechanism was suspected of being attacked by a LayerZero cross-chain bridge vulnerability. The attacker minted and transferred approximately 116,500 rsETH (worth approximately $280-292 million) and subsequently deposited it into the Aave V3 lending market on Ethereum and Arbitrum, leading to the exposure of bad debts. Aave quickly froze rsETH holdings to curb the spread of losses, and the AAVE token price subsequently dropped by 10-13%. KelpDAO has urgently suspended core components of its protocol but has not yet issued an official statement. This incident highlights the systemic risks of liquid restaking tokens in DeFi composability. (Bitcoin.com News The Block)
Data is current as of 19:31 UTC on April 18, 2026. All sources are real-time reports from that day. The event is developing rapidly, and it is recommended to continuously monitor the KelpDAO and Aave governance channels.
Event Timeline
| Time (UTC) | event | detail |
|---|---|---|
| ~09:00 | Attacker's wallet pre-funding | Funding through the Tornado Cash 1 ETH pool is a common coin mixing and concealment technique. (The Block) |
| 17:35 | Core Drainage Transactions | The attacker invoked the `lzReceive` function of LayerZero EndpointV2, releasing 116,500 rsETH from the Kelp bridge contract to the attacker's address (transaction hash: 0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222). The Block |
| ~18:00 | ZachXBT Alert | On-chain investigator ZachXBT posted on Telegram about six attack addresses that resulted in losses exceeding $280 million, without directly naming KelpDAO. (Bitcoin.com News) |
| 18:21 | KelpDAO paused | An emergency multisignature execution called `pauseAll`, suspending the LRT deposit pool, withdrawal contract, LRT oracle, and rsETH tokens. Two subsequent attack attempts failed. (The Block) |
| ~18:48 | Bad debts exposed | Onchain data confirms that Aave V3 has experienced bad debts in rsETH, with initial estimates exceeding $100 million, later revised to $280 million. (Bitcoinsistemi ) |
| 19:12 | Aave Freeze Operation | Aave's multi-signature safeguard mechanism freezes rsETH holdings in the lending market to prevent further losses. (Bitcoinsistemi ) |
This timeline is based on multi-source cross-validation and follows the classic attack playbook: fraudulent minting → deposit-loan amplification → rapid transfer. 116,500 rsETH represent approximately 18% of the circulating rsETH supply (total circulating supply approximately 630,000). (The Block CoinGecko)
Attack Mechanism Analysis
The attack targets KelpDAO's LayerZero OFT (Omnichain Fungible Token) cross-chain bridge, with rsETH deployed on over 20 chains (such as Base, Arbitrum, Linea, etc.). The vulnerability appears to be a flaw in the minting logic: attackers could mint unlimited amounts of rsETH without sufficient collateral, then deposit it into Aave V3 as collateral to borrow ETH and other assets, creating a chain of bad debts.
- Loss estimates : Community estimates range from $280 million to $293 million (equivalent to approximately 116,500 ETH), with one address holding approximately 120 million ETH on Aave. (Bitcoin.com News)
- Attacker activity : Funds were transferred rapidly; ZachXBT traced 6 addresses. No detailed report found for Peckshield/Slowmist (the incident is too recent).
- Historical Background : In April 2025, KelpDAO (a subsidiary of KernelDAO) experienced a bug in its fee contract that led to an over-issuance of rsETH, resulting in a suspension but no financial loss. This is the second such incident, exposing the risks associated with bridging and re-staking. (The Block)
Why is this important? Liquid restaking tokens are deeply embedded in DeFi portfolios (such as Aave lending), and a single vulnerability can spread across protocols/chains, amplifying systemic risks.
AAVE's Bad Debt Crisis and Response
The Aave V3 Ethereum/Arbitrum pool was severely impacted by fraudulent rsETH collateral, with bad debts rapidly escalating from 100 million to 280 million. Aave's multi-signature safeguard mechanism promptly froze rsETH, preventing further lending, but the debt had already become irrecoverable.
| Influence indicators | detail | source |
|---|---|---|
| bad debt scale | $100-293 million | Bitcoinsistemi The Block |
| Price reaction | AAVE fell 10-13%. | The Block Bitcoinsistemi |
| Response measures | Freeze rsETH holdings and monitor governance. | Bitcoinsistemi |
While the freeze has mitigated losses, bad debt resolution relies on KelpDAO for recovery or Aave's insurance fund/governance auction. The sharp drop in AAVE's price reflects market concerns about bad debt pressure, which, if not resolved quickly, could trigger a run on the bank.
Market and ecological impact
- Price Chain : rsETH is currently around $2500, with AAVE experiencing a sharp drop, triggering an immediate reaction. The attack exposes the pain points of L2/DeFi bridging, further raising questions about the security of LayerZero OFT.
- Ecosystem Warning : While the restaking narrative is gaining traction, bridge/minting vulnerabilities are frequently occurring. KelpDAO's suspension may impact rsETH liquidity, putting short-term pressure on Aave TVL.
- Data limitations : No official KelpDAO post-mortem or fund recovery updates; attacker's ETH holdings are unknown. This is a very recent event; audits by Peckshield and others have not yet released reports.
Risk Assessment and Outlook
| Risk factors | Severity | Details and impact |
|---|---|---|
| bad debt spread | high | If the Aave auction fails, TVL outflow will accelerate; similar holdings on Compound will also be exposed. (Bitcoin.com News) |
| Re-pledge trust | high | rsETH spans 20+ chains, amplifying portfolio risks; a second incident at Kelp may trigger a redemption wave. (The Block) |
| Bridge safety | middle | LayerZero's common targets; OFT requires urgent audit. |
| Market panic | middle | AAVE has already fallen by 10%, and if it doesn't recover, Lending TVL as a whole will decline by 5-10%. |
Positive factors : Aave/Kelp responded quickly, pausing and preventing further attacks; there is no historical precedent of users losing all their funds.
Outlook : AAVE faces short-term pressure; watch for recalls (being tracked by ZachXBT) and governance proposals. In the medium term, the restaking protocol needs strengthened bridge/oracle audits. Investors are hedging their rsETH exposure; observe Aave's insurance mechanism.
Conclusion : This $280 million attack is not an isolated incident, but a typical example of the double-edged sword of DeFi – innovation amplifies returns, but also amplifies risks. Aave's freeze was timely in stopping the bleeding, but resolving bad debts is crucial. If Kelp conducts a rapid audit/compensation, the impact is manageable; otherwise, it could affect the TVL of the Lending sector. It is recommended to track @KelpDAO , Aave governance, and the Etherscan attack address, as the event is highly dynamic.