•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Decentralized lending platform Aave’s risk management provider has outlined two scenarios for how bad debt stemming from the Kelp DAO exploit over the weekend could affect the broader ecosystem, depending on how the losses are allocated.
The incident began on Saturday when hackers stole 116,500 Kelp DAO Restaked ETH (rsETH) tokens worth $293 million from Kelp DAO’s LayerZero-powered bridge. The stolen rsETH was then used as collateral on Aave V3 to borrow wrapped Ether (wETH).
On Monday, LlamaRisk modeled two possible outcomes for how this “bad debt” could materialize on Aave. The final decision, according to the modeling, rests with Kelp DAO.
The episode underscores contagion risk in decentralized finance (DeFi), where a bridge exploit can contribute to liquidity crunches and mass withdrawals across interconnected protocols. Aave has reportedly seen nearly $10 billion in value leave the protocol since the Kelp DAO exploit took place.
In the first scenario, losses would be distributed across all rsETH token holders on Ethereum mainnet and Ethereum layer 2 networks. LlamaRisk estimated this would result in roughly $123.7 million of bad debt on Aave, while also risking a 15% depeg in rsETH relative to Ether (ETH).
LlamaRisk said this approach would spread losses more thinly across chains. It also noted that wETH would “absorb the bulk in absolute terms but barely notice it relative to its reserve depth.”
Under this scenario, Aave could use its Umbrella security model to cover losses in wETH. The modeling cited that 18,922 Aave Wrapped ETH (aWETH) tokens worth nearly $43.7 million have entered the unstaking cooldown phase.
The second scenario would allocate the entire shortfall to Ethereum layer 2 networks, including Arbitrum and Mantle. LlamaRisk estimated the bad debt would be higher at $230.1 million.
LlamaRisk also noted that Aave has around $181 million in its treasury, which could be used to address a potential bad debt shortfall.
On Monday, Kelp DAO said it is still assessing the financial impact of the exploit and how to safely unpause the protocol. It added that it is working with Aave, LayerZero, and other stakeholders on a path forward.
Kelp DAO also provided additional details about the attack. It said two nodes tied to the LayerZero bridge were compromised, while a third was hit with a distributed denial-of-service attack.
According to Kelp DAO, the attacker forged a seemingly valid transfer message that the system approved, enabling 116,500 rsETH to be minted on one of LayerZero’s bridges.
Kelp said it paused all relevant contracts on Ethereum and Ethereum layer 2s and blacklisted all wallets tied to the exploiter shortly after, preventing another theft attempt involving 40,000 rsETH worth $95 million.
Premium gym chains are entering a “golden era” that is ending or already in decline, as rising operating costs collide with shifting consumer preferences toward more flexible, community-based ways to exercise. Long-term memberships are shrinking, margins are pressured by higher rents and facility expenses, and competition from smaller, more personalized…
