DeFi lending platforms absorbed a sharp liquidity shock after North Korea-linked hackers drained roughly $292mn from liquid restaking platform Kelp DAO on 18 Apr.
DeFi Protocols Face $230mn Losses After Kelp Exploit
The breach triggered more than $6bn in outflows from Aave (AAVE), pushing its total value locked (TVL) down sharply from $26bn to roughly $20bn.
The AAVE token fell nearly 25% between 17 and 20 Apr to as low as $87 as depositors rushed for the exits.
"Aave's contracts have not been exploited and this is an exploit related to rsETH," said Aave founder Stani Kulechov shortly after the incident. The attack, the largest onchain exploit of 2026 so far, has left protocols confronting potential bad debt of up to $230mn and exposed persistent weaknesses in cross-chain infrastructure.
Kelp DAO issues rsETH, a liquid restaking token that lets users earn enhanced yields on staked ether through EigenLayer. The platform lost about 116,500 rsETH – roughly 18% of its circulating supply – when attackers exploited a LayerZero-powered bridge. They then deployed the unbacked tokens as collateral across lending venues, including Aave (AAVE), to borrow large volumes of wrapped ether (WETH) and create substantial bad debt.
North Korean tactics, bridge vulnerability
LayerZero attributed the breach with high confidence to TraderTraitor, a subunit of the North Korea-backed Lazarus Group. Attackers compromised two remote procedure call (RPC) nodes feeding LayerZero’s decentralized verifier network, replaced software with malicious versions and launched a DDoS attack on legitimate nodes to force failover. This enabled them to forge a cross-chain message, tricking Kelp into releasing the funds.
The exploit succeeded in part because Kelp used a single-verifier (1-of-1) configuration on the affected route, a setup LayerZero had advised moving away from in favour of multi-verifier redundancy. Kelp disputed elements of the post-mortem, stating its configuration matched default onboarding guidance. The group paused deposits, withdrawals and oracle functions immediately and is working with LayerZero, Unichain, auditors and security teams on recovery.
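The difference between a 1-of-1 and a multi-verifier route can be shown with a simplified quorum model. This is an added example, not LayerZero or Kelp code: the verifier and RPC names, the route layout and the sample messages are all constructed for illustration. It also covers the case where several verifiers read from the same RPC node, which removes the redundancy the threshold is meant to provide.

```python
import hashlib

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def accept(payload, nonce, route, rpc_views):
    """Deliver only if `threshold` verifiers saw this exact payload at `nonce`.

    route: {"verifiers": {verifier_name: rpc_name}, "threshold": int}
    rpc_views: {rpc_name: {nonce: payload}}, what each RPC node reports.
    """
    want = digest(payload)
    matching = 0
    for rpc in route["verifiers"].values():
        seen = rpc_views[rpc].get(nonce)
        if seen is not None and digest(seen) == want:
            matching += 1
    return matching >= route["threshold"]

def audit(route):
    """Flag routes where one compromised verifier or RPC node is enough."""
    findings = []
    if route["threshold"] < 2:
        findings.append("single verifier can approve a message")
    rpcs = list(route["verifiers"].values())
    most_shared = max(rpcs.count(r) for r in set(rpcs))
    if most_shared >= route["threshold"]:
        findings.append("one RPC node feeds enough verifiers to reach threshold")
    return findings

# Constructed sample data: rpc1 is the compromised node and reports a forged message.
GENUINE = b"nonce 7: release 10 tokens to depositor"
FORGED = b"nonce 8: release 1000 tokens to unknown address"
RPC_VIEWS = {"rpc1": {7: GENUINE, 8: FORGED}, "rpc2": {7: GENUINE}, "rpc3": {7: GENUINE}}

ONE_OF_ONE = {"verifiers": {"verifier_a": "rpc1"}, "threshold": 1}
TWO_OF_THREE = {"verifiers": {"verifier_a": "rpc1", "verifier_b": "rpc2",
                              "verifier_c": "rpc3"}, "threshold": 2}
SHARED_RPC = {"verifiers": {"verifier_a": "rpc1", "verifier_b": "rpc1",
                            "verifier_c": "rpc3"}, "threshold": 2}

if __name__ == "__main__":
    for name, route in [("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE), ("2-of-3 shared RPC", SHARED_RPC)]:
        print(name, "forged accepted:", accept(FORGED, 8, route, RPC_VIEWS), audit(route))
```

A route audit like this is worth running against every configured path, since a nominal 2-of-3 threshold gives no protection when two of the verifiers depend on the same upstream node.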
This incident echoes the early-April attack on Solana-based perpetuals platform Drift, which also lost around $285mn to North Korean actors through social engineering and privileged access. Combined, the two operations have extracted more than $575mn from DeFi in under three weeks.
Widespread contagion, market reaction
At least nine protocols moved quickly to contain the fallout. Aave (AAVE) froze rsETH markets on its V3 and V4 deployments, while SparkLend, Fluid (FLUID), Upshift, Compound (COMP), Euler (EUL) and others paused or limited exposure. WETH reserves faced freezes across Ethereum and multiple layer-2 networks, including Arbitrum (ARB), Base (BASE) and Mantle (MNT).
Broader DeFi total value locked declined by more than $10bn in two days amid the liquidity crunch. Aave’s WETH utilization spiked to 100% in affected pools as liquidations rippled through the system. rsETH held limited borrowing power in certain deployments, yet the speed of the flight highlighted deep interdependencies.
Paths to absorb bad debt
Aave risk manager LlamaRisk outlined two main scenarios in its report. One route would socialize losses across the rsETH supply, imposing a 22-day WETH cooldown and temporary depeg, with roughly $124mn in bad debt absorbed primarily by Ethereum’s larger treasury. The alternative would see impacted layer-2 networks collectively shoulder about $230mn from their individual reserves to preserve WETH’s peg.
Kelp is exploring measures to address the shortfall among token holders. Onchain tracing continues, with some funds reportedly routed through privacy tools such as Tornado Cash. Full recovery prospects remain uncertain.
Urgent need for bridge security reforms
Cross-chain bridges and messaging protocols like LayerZero have become high-value targets as DeFi expands across more than 20 networks. The incident reveals risks from single points of failure in RPC infrastructure and the importance of robust verifier redundancy. LayerZero has indicated it will stop supporting 1-of-1 configurations going forward.