A recent decentralized finance (DeFi) exploit involving Kelp DAO and the LayerZero bridge has put lending protocol Aave at risk of losses that could reach as high as $230 million, according to a joint report by Aave Labs and LlamaRisk. The incident has renewed concerns about cross-chain security, liquid restaking tokens, and systemic risk across interconnected DeFi platforms.
The issue centers on rsETH, a liquid restaking token issued by Kelp DAO. The exploit targeted the cross-chain bridge mechanism used to move rsETH between networks. Under normal operation, tokens are locked on one blockchain while equivalent tokens are minted on another.
In this case, the attacker forged a transfer message that appeared legitimate, enabling unbacked rsETH to be created on the destination network.
As a result, approximately 116,500 rsETH were released on Ethereum without proper collateral backing. Rather than selling the assets, the attacker deposited 89,567 rsETH into Aave as collateral.
The attacker then borrowed around $190 million in ETH and other assets across Ethereum and Arbitrum, creating exposure for Aave to potentially undercollateralized loans tied to the compromised token.
Following the incident, Aave moved quickly to limit further damage. It froze rsETH markets, set loan-to-value ratios to zero, and halted new borrowing against the token.
The final impact for Aave depends on how Kelp DAO manages any resulting deficit. If losses are distributed across all rsETH holders, the token could face a 15% depeg, which the report estimates could translate into about $124 million in bad debt for Aave.
If losses are isolated to Layer 2 networks, such as Arbitrum and Mantle, the report estimates bad debt could rise to as much as $230 million.
The report notes that LayerZero was not directly compromised; instead, weaknesses in Kelp’s verification process enabled the attack. After the exploit, Aave saw roughly $6 billion in total value locked withdrawn, reflecting reduced user confidence.
Kelp DAO’s treasury holds about $181 million, and discussions are ongoing to resolve the situation. The incident highlights how vulnerabilities in cross-chain messaging validation can propagate risk through DeFi ecosystems, particularly when protocols rely on external bridges and third-party token mechanisms.
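
The lock-and-mint accounting described above implies an invariant a monitor can check: every release on the destination side must correspond to exactly one lock on the source side, for no more than the locked amount. The sketch below is an added example, not code from Kelp DAO, LayerZero, Aave or the report; the record types, field names and sample values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Lock:
    """Source-chain record: tokens escrowed for one bridge message (hypothetical schema)."""
    msg_id: str
    amount: int


@dataclass(frozen=True)
class Mint:
    """Destination-chain record: tokens minted or released for one bridge message."""
    msg_id: str
    amount: int


def reconcile(locks, mints):
    """Return (findings, unbacked_total) for destination releases not covered by a lock."""
    locked = {lock.msg_id: lock.amount for lock in locks}
    seen = set()
    findings, unbacked = [], 0
    for mint in mints:
        if mint.msg_id not in locked:
            # Message never originated on the source chain: the whole amount is unbacked.
            findings.append((mint.msg_id, "no matching lock"))
            unbacked += mint.amount
        elif mint.msg_id in seen:
            # Same message honoured twice: the second release has no backing.
            findings.append((mint.msg_id, "replayed message"))
            unbacked += mint.amount
        elif mint.amount > locked[mint.msg_id]:
            # Only the excess over the locked amount is unbacked.
            findings.append((mint.msg_id, "amount exceeds lock"))
            unbacked += mint.amount - locked[mint.msg_id]
        seen.add(mint.msg_id)
    return findings, unbacked


# Constructed sample data (whole-token units), not taken from the incident.
LOCKS = [Lock("m-1", 500), Lock("m-2", 1200)]
MINTS = [Mint("m-1", 500), Mint("m-2", 1500), Mint("m-1", 500), Mint("m-9", 40000)]

if __name__ == "__main__":
    issues, total = reconcile(LOCKS, MINTS)
    for msg_id, reason in issues:
        print(f"ALERT {msg_id}: {reason}")
    print(f"unbacked supply: {total}")
```

A lending market that accepts a bridged token as collateral can run this kind of reconciliation before raising supply caps or as a trigger for freezing the market.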