$292M Kelp DAO Security Breach Leaves Aave Facing Massive Bad Debt Exposure

Key Takeaways

• On April 18, cybercriminals exploited Kelp DAO’s LayerZero bridge, making off with 116,500 rsETH tokens valued at approximately $292 million
• The stolen assets were leveraged as collateral on Aave V3, enabling the withdrawal of wrapped Ether
• Aave faces potential bad debt ranging from $123.7 million to $230.1 million, according to risk assessments
• A dispute has erupted between Kelp DAO and LayerZero regarding the vulnerable 1-of-1 DVN security setup
• Aave maintains $181 million in reserve funds that could serve as emergency protection

In what marks the most significant DeFi security breach of 2026 to date, Kelp DAO fell victim to a sophisticated attack on April 18 that resulted in the theft of 116,500 rsETH tokens, representing approximately $292 million in value from its LayerZero-integrated cross-chain bridge infrastructure.

According to LayerZero’s analysis, the perpetrators—suspected to be the notorious Lazarus Group operating out of North Korea—successfully compromised a roster of RPC nodes utilized by the decentralized verified network. The attackers poisoned two nodes while simultaneously launching a distributed denial-of-service (DDoS) attack against a third node, effectively deceiving the system into validating a fraudulent cross-chain message that authorized the creation of 116,500 rsETH.

Kelp DAO responded swiftly upon detecting the security breach. The team immediately suspended all affected smart contracts and implemented blacklist measures against wallets connected to the attacker, a defensive action that reportedly prevented the additional loss of 40,000 rsETH, equivalent to approximately $95 million.

The compromised tokens were subsequently deposited into Aave V3. The perpetrator supplied 89,567 rsETH—worth roughly $221 million—as collateral to borrow 82,650 wrapped Ether plus 821 wstETH, creating positions with critically low health factors that now expose Aave to substantial bad debt risk.

Since the exploit occurred, Aave has experienced an exodus of nearly $10 billion in total value locked.

The Blame Game Intensifies

LayerZero released a detailed report pointing fingers at Kelp DAO’s 1-of-1 DVN configuration, characterizing it as a critical single point of failure. The company claims Kelp had received recommendations to implement a more diversified DVN architecture but declined to act on this guidance.

Kelp DAO has contested this narrative, asserting that the 1-of-1 configuration represents the standard default setup explicitly outlined in LayerZero’s official documentation. Kelp maintains that LayerZero “affirmatively confirmed as appropriate” this configuration during Kelp’s expansion into layer 2 network deployments.

Both organizations have stated their commitment to collaborative resolution efforts.

Aave’s Bad Debt Scenarios Analyzed

LlamaRisk, Aave’s risk management partner, has constructed two distinct scenarios projecting potential bad debt outcomes based on Kelp DAO’s forthcoming decisions.

The first pathway distributes losses uniformly across all rsETH holders on both Ethereum mainnet and layer 2 networks. This approach would trigger a 15% depegging of rsETH and generate approximately $123.7 million in bad debt for Aave. Ethereum’s primary market would shoulder the largest nominal loss at $91.8 million, though its substantial reserves would limit the deficit to just 1.54% of holdings.

Mantle would experience the most severe proportional impact at 9.54% under this scenario.

The alternative pathway concentrates all losses exclusively on layer 2 networks while maintaining full backing for Ethereum mainnet rsETH. This would impose a devastating 73.54% haircut on layer 2 collateral and escalate total bad debt to $230.1 million spread across Mantle, Arbitrum, and Base markets.

Under the first scenario, Aave’s Umbrella security module contains $54 million available for deployment as a safety net. This protection would not be applicable under the second scenario.

Aave emphasized that the ultimate resolution hinges on Kelp DAO’s approach to updating rsETH accounting mechanisms and oracle exchange rate calculations. The Aave DAO currently holds $181 million in treasury reserves and has secured pledges from ecosystem stakeholders to provide additional support should bad debt materialize.

As of Monday, Kelp DAO confirmed it continues evaluating the financial ramifications and has yet to announce its loss allocation strategy or recovery framework.

The post $292M Kelp DAO Security Breach Leaves Aave Facing Massive Bad Debt Exposure appeared first on Blockonomi.