Alvin Lang
Apr 21, 2026 04:27
LlamaRisk outlines scenarios for allocating losses from the $293M Kelp DAO exploit, with Aave facing as much as $230M in bad debt depending on Kelp’s decision.
Aave’s risk management arm has laid out two scenarios for absorbing the fallout from Saturday’s $293 million Kelp DAO exploit, and the difference between them is stark. One path leaves Aave with $123.7 million in bad debt. The other? A $230.1 million gap.
LlamaRisk published its analysis Monday, three days after hackers drained 116,500 rsETH tokens from Kelp DAO’s LayerZero-powered bridge and immediately used them as collateral on Aave V3 to borrow wrapped Ether. The move created a cascading problem: stolen tokens backing real loans that borrowers have no intention of repaying.
The Numbers That Matter
Scenario one spreads losses across all rsETH holders on Ethereum mainnet and layer 2s. Bad debt: $123.7 million. The tradeoff? A roughly 15% depeg in rsETH relative to ETH. LlamaRisk notes that wETH reserves would “take up the majority in absolute terms but barely notice it relative to order depth.”
Scenario two concentrates the entire shortfall on layer 2 networks like Arbitrum and Mantle. Bad debt jumps to $230.1 million, nearly double.
The final call rests with Kelp DAO, not Aave. That is cold comfort for Aave depositors watching the protocol hemorrhage capital. Since the exploit, nearly $10 billion in total value has exited Aave.
What Aave Has to Work With
The protocol is not defenseless. LlamaRisk flagged that 18,922 aWETH tokens worth roughly $43.7 million have already entered the unstaking cooldown phase under Aave’s Umbrella safety model, funds that could cover partial losses under the first scenario.
Aave’s treasury holds around $181 million, theoretically enough to address a shortfall under either scenario. Whether governance would approve such a deployment is another question entirely.
How the Exploit Occurred
Kelp DAO provided more details Monday. Attackers compromised two validator nodes tied to LayerZero’s bridge infrastructure while hitting a third with a DDoS attack. This allowed them to forge a transfer message that the system approved as legitimate, minting 116,500 rsETH on the bridge.
The root cause, according to earlier reports citing LayerZero: a 1-of-1 Decentralized Verifier Network configuration. One compromised node was all it took.
Kelp’s team moved quickly after detection, pausing contracts across Ethereum and layer 2s and blacklisting exploiter wallets. That intervention reportedly prevented another 40,000 rsETH ($95 million) from being stolen.
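Why a 1-of-1 verifier configuration leaves no margin can be seen in a minimal threshold check. This is an added example, not Kelp DAO or LayerZero code; the verifier names, keys and message are constructed, and HMAC stands in for the real signature scheme as an assumption.

```python
import hashlib
import hmac

# Constructed keys. Real verifiers sign with asymmetric keys; HMAC keeps the sketch offline.
VERIFIER_KEYS = {"dvn-a": b"key-a", "dvn-b": b"key-b", "dvn-c": b"key-c"}


def attest(verifier_id, message, keys=VERIFIER_KEYS):
    """One verifier's attestation: (verifier id, MAC over the message)."""
    return verifier_id, hmac.new(keys[verifier_id], message, hashlib.sha256).digest()


def accept(message, attestations, required, threshold, keys=VERIFIER_KEYS):
    """Accept only when `threshold` distinct configured verifiers validly attest."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and len(required)")
    valid = set()  # a set, so repeated attestations from one verifier count once
    for verifier_id, tag in attestations:
        if verifier_id not in required or verifier_id not in keys:
            continue  # attestation from a verifier this route does not trust
        expected = hmac.new(keys[verifier_id], message, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            valid.add(verifier_id)
    return len(valid) >= threshold


def compromises_tolerated(threshold):
    """How many verifier keys can be compromised before forgery becomes possible."""
    return threshold - 1


def demo():
    forged = b"constructed: mint 116500 rsETH"  # constructed message, not real bridge data
    stolen = attest("dvn-a", forged)            # assumes dvn-a's key is compromised
    everyone = {"dvn-a", "dvn-b", "dvn-c"}
    ok = [attest("dvn-a", b"ok"), attest("dvn-b", b"ok")]
    return {
        "1-of-1": accept(forged, [stolen], {"dvn-a"}, 1),
        "2-of-3, one key": accept(forged, [stolen, stolen], everyone, 2),
        "2-of-3, two honest": accept(b"ok", ok, everyone, 2),
    }


if __name__ == "__main__":
    for config, accepted in demo().items():
        print(config, "->", "accepted" if accepted else "rejected")
```

With a threshold of 1 the number of compromised verifiers the route tolerates is zero; raising the threshold to 2 of 3 means a single compromised key, even replayed, no longer reaches quorum.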
What Happens Next
Kelp DAO says it is still assessing the financial impact and working with Aave, LayerZero, and other stakeholders on a recovery path. No timeline for unpausing the protocol has been announced.
For traders, the immediate concern is rsETH pricing. A 15% depeg under scenario one would create arbitrage opportunities, but also trap anyone holding rsETH as collateral elsewhere in DeFi. The contagion risk that made this exploit so damaging is not over; it is just waiting on a governance decision.
