Risk managers have laid out two ways the bad debt from the Kelp DAO exploit could affect Aave, depending on how losses are allocated.
The attack began when 116,500 rsETH (restaked ETH) tokens—roughly $293 million—were minted or stolen via a LayerZero-powered bridge and used as collateral on Aave V3 to borrow wrapped Ether (wETH). In the wake of the exploit, nearly $10 billion in value has left Aave, highlighting contagion risks in tightly connected DeFi systems.
LlamaRisk modeled two scenarios; the final approach to losses is ultimately up to Kelp DAO and its partners.
Scenario 1 — Losses shared by all rsETH holders:
– Losses are distributed pro rata across rsETH holders on Ethereum mainnet and layer 2s.
– Estimated bad debt hitting Aave: about $123.7 million.
– rsETH could depeg roughly 15% versus ETH under this outcome.
– wETH would take the largest absolute hit but is likely to absorb much of it given reserve depth.
– Aave’s Umbrella security model could be used to cover wETH shortfalls; there are currently 18,922 aWETH (~$43.7 million) in the unstaking cooldown period.
Scenario 2 — Losses concentrated on layer 2s:
– The entire shortfall would fall to L2 networks such as Arbitrum and Mantle.
– Estimated bad debt on Aave: about $230.1 million, materially higher than in scenario 1.
Aave’s treasury also holds roughly $181 million that could be deployed to address any shortfall.
Kelp DAO says it is assessing the financial impact and coordinating with Aave, LayerZero and other stakeholders on a safe plan to unpause the protocol. According to Kelp, two nodes tied to the LayerZero bridge were compromised and a third was targeted by a denial-of-service attack; the attacker forged a transfer message the bridge accepted, enabling the minting of the 116,500 rsETH. Kelp paused affected contracts on Ethereum and layer 2s and blacklisted wallets linked to the exploiter, which prevented the theft of an additional ~40,000 rsETH (about $95 million). The DAO continues to evaluate remediation options and collaborate with partners.
The incident underscores how allocation decisions — whether losses are socialized across token holders or concentrated on specific networks — will determine the scale of Aave’s exposure and the broader DeFi fallout.