Decentralized lending platform Aave is assessing the fallout from a weekend exploit involving Kelp DAO, with its risk management partner outlining two potential bad-debt scenarios depending on how losses are ultimately distributed.
The incident began Saturday, when attackers drained 116,500 Kelp DAO Restaked ETH (rsETH) — valued at about $293 million — from a LayerZero-powered bridge. The stolen assets were then posted as collateral on Aave V3 to borrow wrapped Ether (wETH).
By Monday, LlamaRisk had modeled two ways the resulting bad debt could impact Aave, noting that the final outcome hinges on decisions made by Kelp DAO.
The episode underscores systemic risk in DeFi: a single bridge exploit can cascade across interconnected platforms, potentially triggering liquidity stress and large-scale withdrawals. Since the attack, Aave has reportedly seen nearly $10 billion in value exit the protocol.

Two scenarios and possible paths forward
In the first scenario, losses would be distributed across all rsETH holders on Ethereum mainnet and its layer-2 networks. This would leave roughly $123.7 million in bad debt on Aave and could push rsETH to trade at about a 15% discount to Ether.
According to LlamaRisk, this approach spreads the impact more evenly across chains. While Wrapped Ether would absorb most of the losses in absolute terms, its deep liquidity means the effect would be relatively limited. Aave could also tap its Umbrella security module to offset part of the damage, with around 18,922 aWETH — worth nearly $43.7 million — already in the unstaking cooldown phase.
The second scenario concentrates the entire shortfall on layer-2 networks such as Arbitrum and Mantle. While this avoids spreading losses system-wide, it would result in a much larger bad debt figure of approximately $230.1 million.
LlamaRisk added that Aave’s treasury, which holds about $181 million, could be deployed as a backstop to help cover any remaining deficit.

On Monday, Kelp DAO said it is still evaluating the financial fallout from the exploit and working on a safe way to resume operations. The team added that it is coordinating with Aave, LayerZero and other stakeholders to determine the best path forward.

Kelp DAO reveals more about the exploit
Kelp DAO disclosed that the attack stemmed from the compromise of two nodes connected to the LayerZero bridge, while a third node was disrupted by a distributed denial-of-service (DDoS) attack.
By exploiting this setup, the attacker was able to fabricate a transfer message that appeared legitimate, which the system accepted—allowing 116,500 rsETH tokens to be minted on a LayerZero bridge.
In response, Kelp DAO quickly paused all affected smart contracts across Ethereum mainnet and its layer-2 networks, and blacklisted wallets linked to the attacker. These actions prevented an additional 40,000 rsETH—worth around $95 million—from being drained.

