Author: Jae, PANews
The crypto industry in April was turbulent. Shortly after Drift, the leading perp DEX in the Solana ecosystem, suffered a "Friday Night Marathon" with $285 million stolen, the market was plunged into a "bungee jump"-like ride in RAVE.
Just as RAVE fever was subsiding, the DeFi market was hit hard by the hacking of KelpDAO, Ethereum's leading LRT (liquid restaking) protocol.
On April 18, KelpDAO was compromised by hackers exploiting a vulnerability in its LayerZero-based cross-chain bridge, resulting in the illegal withdrawal of approximately 116,500 rsETH, a loss of up to $292 million. This theft was even more severe than that of Drift, making it the largest on-chain security incident so far in 2026.
The hackers did not break the mainnet staking contract or leak private keys; it was just a tiny crack in cross-chain verification that triggered the combined risks of DeFi.
With the leverage of re-staking combined with the ambition of multi-chain expansion, after three years of sprinting down the road of "yield priority", DeFi is once again facing the soul-searching question of "yield first" versus "security first".
A single-point verification flaw triggered the LRT crisis, with KelpDAO suffering a loss of nearly $300 million.
The protagonist of the theft incident, KelpDAO, was once a star player in the LRT sector.
Its business logic precisely addresses market pain points, creating a "three-in-one" model. Users can wrap LST (liquid staking) assets such as stETH and rETH into rsETH, which not only retains the basic returns from ETH staking but also adds EigenLayer's restaking rewards, and allows them to use rsETH across various DeFi lending and mining scenarios.
In order to seize market share, KelpDAO has aggressively expanded to 16 public chains. With its high yield and high liquidity, rsETH has become a mainstream collateral asset on major Layer 2 networks and Aave, deeply embedded in the Ethereum DeFi ecosystem.
This multi-chain architecture relies heavily on the underlying cross-chain communication protocol provided by LayerZero, which became the epicenter of the disaster.
On April 20th, LayerZero published a recap of the incident, stating that KelpDAO was attacked, resulting in a loss of approximately $290 million. Initial indications suggest that the attack may have been carried out by a highly sophisticated state actor, most likely North Korea's Lazarus Group, more specifically TraderTraitor. Because KelpDAO uses a single-signature setup, the incident was limited to its rsETH configuration and did not affect any other cross-chain assets or applications.
Meanwhile, LayerZero acknowledged that KelpDAO was using only a 1/1 DVN configuration, which posed a "single point of failure," and said it is contacting all applications using a 1/1 DVN configuration to migrate to a multisignature setup with redundancy. However, LayerZero also bears some responsibility for not previously urging KelpDAO to make changes or enforcing a multisignature configuration.
Hackers targeted LayerZero's downstream infrastructure, compromising two separate nodes and causing DVN to confirm transactions that never occurred.
According to LayerZero, the hackers compromised two separate nodes after obtaining the list of RPCs used by the LayerZero Labs DVN, and replaced the op-geth binary. At the same time, they launched a DDoS attack on the uncompromised RPCs to trigger a failover, causing the DVN to confirm transactions that never occurred.
In short, the hacker activated rsETH extraction privileges "out of thin air".
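The two weaknesses described above (failing over to whichever RPC still answers, and a 1/1 verifier set) are sketched below as an added Python example; it is not LayerZero's or KelpDAO's code. Endpoint names, verifier names and the message string are constructed, and the quorum rule is an assumed mitigation, not something the recap prescribes.

```python
from collections import Counter

# Constructed scenario: four RPC endpoints feed one verifier. Two return a
# forged answer; the two healthy ones are unreachable (None).
RPC_ANSWERS = {"rpc-1": "deposit:0xforged", "rpc-2": "deposit:0xforged",
               "rpc-3": None, "rpc-4": None}

def read_with_failover(answers):
    """Weak pattern: trust the first endpoint that responds."""
    for name in sorted(answers):
        if answers[name] is not None:
            return answers[name]
    return None

def read_with_quorum(answers, quorum):
    """Accept a value only if `quorum` endpoints of the full set agree.
    Unreachable endpoints count against the quorum instead of being skipped."""
    if quorum <= len(answers) // 2:
        raise ValueError("quorum must be a strict majority of the endpoint set")
    counts = Counter(v for v in answers.values() if v is not None)
    if not counts:
        return None
    value, votes = counts.most_common(1)[0]
    return value if votes >= quorum else None

def message_accepted(required, optional, threshold, attesting):
    """All required verifiers plus `threshold` optional ones must attest."""
    if not required and threshold == 0:
        return False  # an empty verifier set must never accept anything
    return required <= attesting and len(optional & attesting) >= threshold

def min_compromises(required, optional, threshold):
    """Fewest verifiers an attacker must control to pass message_accepted."""
    return len(required) + threshold

def audit(routes, minimum=2):
    """Names of routes that fewer than `minimum` compromised verifiers defeat."""
    return sorted(n for n, r in routes.items() if min_compromises(*r) < minimum)

# Constructed routes: (required, optional, threshold); names are hypothetical.
ROUTES = {
    "route-1of1": (frozenset({"dvn-a"}), frozenset(), 0),
    "route-2plus1": (frozenset({"dvn-a", "dvn-b"}),
                     frozenset({"dvn-c", "dvn-d"}), 1),
}
```

With only `dvn-a` attesting to the forged message, the 1/1 route accepts it and the redundant route does not; the quorum read refuses to answer where the failover read returns the forged value.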
What's even more frightening is that if the emergency blacklist mechanism hadn't been triggered in the last 3 minutes, the hackers would have taken an additional $100 million, bringing the total loss to over $400 million.
This bombshell was foreshadowed long ago.
The hackers' attack path directly targets a common industry problem: the vulnerability of the protocol verification mechanism.
In its fervent pursuit of cross-chain efficiency, KelpDAO ignored its long-standing single point of verification problem, which ultimately became the opening that hackers exploited.
This is not the first time KelpDAO has exposed security issues. Last May, due to a unit scaling error during a contract upgrade, the protocol minted 31.2 quintillion (50 quadrillion) rsETH. Although the coins were destroyed in time and no loss was caused, the incident had already exposed weaknesses in its security.
The intense competition in the re-staking sector has made security a casualty. In order to continue to expand its scale, KelpDAO is constantly adding new LST assets and expanding new L2 networks. However, with each additional chain and asset, the attack surface expands exponentially.
As a seasoned DeFi player pointed out, the customer acquisition cost of TVL for L2 is expected to increase further, and a large amount of TVL will flow back to L1.
The "double-edged sword" of multi-chain expansion ultimately becomes a sharp blade that pierces through the protocol itself and the entire DeFi ecosystem.
Aave was poisoned by rsETH, triggering a $6.6 billion capital flight due to $200 million in bad debts.
DeFi is like Lego bricks; if one breaks, the whole thing collapses.
After obtaining the illicit rsETH, the hackers did not dump it on DEXs directly. Instead, they adopted an "asset poisoning" strategy: depositing rsETH as "high-quality collateral" into Aave to obtain real, highly liquid assets.
Aave V3/V4 accepts rsETH as eligible collateral on Ethereum and Arbitrum. The hackers deposited rsETH and borrowed large amounts of WETH, USDC, and USDT, turning illicit assets into bad debts for the protocol.
According to Chaos Labs' estimates, Aave faces bad debts far exceeding market expectations, approaching $200 million.
Following the bad debt news, AAVE tokens quickly fell by about 18%.
Since the end of last year, Aave seems to have been experiencing a severe run of bad luck. After a series of governance crises and a wave of service providers leaving, it has now become the best liquidity outlet for hackers due to its integration with the rsETH-related market.
The exposure of on-chain data further fueled the fire against Aave.
Justin Sun was observed urgently redeeming 53,665 ETH from Aave, worth $126 million. His withdrawal is seen as a bellwether of whales losing confidence in the protocol's security.
This was followed by a massive capital flight across the entire market. DeFiLlama data shows that Aave recorded a net outflow of $6.6 billion in a single day, a sharp decrease of 23% in the size of its funds.
Although the fundamental problem was not caused by Aave, this incident is a profound test of its risk management mechanism.
Some users pointed out that community members publicly warned about the single point of verification risk of KelpDAO on the Aave governance forum as early as 15 months ago. However, the Aave team has not proposed any solutions.
In contrast, Spark delisted rsETH in January of this year. DeFi researcher CM bluntly stated: The entire Sky system adopts a proactive and tightening risk control philosophy, which may lead to slower protocol development, but it has demonstrated its value at critical moments.
Justin Sun's 53,600 ETH were also deposited into Spark. Within two days, Spark tokens surged by over 50%, a stark contrast to AAVE.
Todd, co-founder of Nothing Research, believes that Aave may activate its "Umbrella" insurance module in response to nearly $200 million in bad debts.
While the Umbrella module provides the first line of defense, its fund size is clearly insufficient to fully cover the approximately $200 million in asset losses.
In the short term, Aave's self-rescue efforts are only a delay in the crisis, not a proper solution. The main shortfall still needs to be made up through Aave's protocol profits or token issuance. Specific solutions will be left for further discussion within the community.
Isolation pools, mandatory insurance, and risk repricing mean there's no longer a "free lunch" when it comes to safety.
The KelpDAO incident marks the official end of the LRT craze, and the DeFi market will usher in three irreversible risk control changes.
Segregation of the lending market: Aave's non-segregated lending model is becoming a thing of the past, with assets confined to completely independent "siloed pools." Even if a single asset encounters a problem, it will not affect assets existing in other liquidity pools.
Curve founder Michael Egorov pointed out in an article that while non-segregated lending models have good scalability, they also carry higher risks, and he suggested that the market adopt a fully segregated or hybrid model.
While a fully isolated architecture may reduce capital efficiency, it will significantly enhance the system's resilience to risks.
Mandatory Insurance Module: The Umbrella module will drive the transition of protocol insurance from an "optional configuration" to a "mandatory component".
In the future, any new assets that want to be listed on mainstream lending platforms such as Aave may be required to deposit a certain percentage of collateral into the corresponding vault as the primary source of compensation in the event of default or theft in the relevant market.
DeFi asset risk repricing: OneKey founder Yishi bluntly stated that the returns and risks of DeFi are currently completely disproportionate, and security has rigid costs.
The market will reprice risks. There will be upward pressure on protocol rates and infrastructure costs; otherwise security investments cannot be sustained.
Therefore, DeFi assets need to be repriced based on their underlying security. The risks of wrapped assets like LRT are significantly higher than those of the native assets, and lending platforms should factor the risk discount of wrapped assets into their risk control models.
The KelpDAO hack is a cruel mirror, reflecting the collective disregard for security in the pursuit of maximum returns and multi-chain expansion in DeFi.
The loss of nearly $300 million is costly, but if it can prompt DeFi to shift from blindly pursuing composability to pursuing stability, then this may be the tuition fee that the industry must pay to mature.
In the aftermath of the KelpDAO incident, the market gradually realized that the true value of DeFi lies in providing a more transparent, secure, and resilient financial infrastructure.
When the tsunami recedes, what remains will be an even more solid foundation.

