Share
A cross-chain exploit tied to KelpDAO’s rsETH token has left Aave facing potential bad debt of up to $230 million, but the structure of the incident shows a critical distinction. The lending protocol didn’t fail. Instead, it absorbed risk created elsewhere, raising a broader question about how DeFi handles external dependencies.
The attack began on April 18, when a forged cross-chain message allowed the release of 116,500 rsETH without locking assets on the source chain. The attacker then deposited 89,567 rsETH into Aave and borrowed roughly $190 million in ETH and related assets.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
This created a collateral mismatch, where assets appearing valid inside Aave were not fully backed externally.
According to a joint report by Aave Labs and risk provider LlamaRisk, the protocol’s contracts and liquidation systems continued to operate normally throughout the event.
Aave responded within hours by freezing rsETH markets, setting loan-to-value ratios to zero, and halting further borrowing against the asset.
Update on rsETH incident:
WETH reserves on the Ethereum Core V3 market have been unfrozen and users can supply WETH to Ethereum Core V3 again. WETH LTV remains at 0.
WETH reserves on Ethereum Prime, Arbitrum, Base, Mantle, and Linea remain frozen.
Aave service providers will…
— Aave (@aave) April 21, 2026
Bad debt depends on KelpDAO loss allocation
The scale of losses now depends on how KelpDAO distributes the shortfall.
Two scenarios define the range:
- Around $123 million in bad debt if losses are spread across all rsETH holders.
- Up to $230 million if losses remain isolated to Layer 2 deployments.
Register and unlock all content immediately
The key difference lies in how those losses are distributed. A uniform loss reduces impact per token, while isolating losses concentrates damage on smaller liquidity pools such as Arbitrum and Mantle.
Around $6 billion in total value locked (TVL) was withdrawn from Aave following the incident, based on on-chain estimates cited in the report.
Aave currently has $6 billion in stablecoins lying completely idle.
That accounts for nearly 30% of its total deposits.
The upcoming Aave V4 aims to fix this capital efficiency pain point by introducing a Reinvestment Module.
Take 1 minute for an objective breakdown of V4’s core… https://t.co/BZivNwe9x0 pic.twitter.com/ij19WPFEh7— Lady M (@CryptoLady_M) March 26, 2026
Aave balance sheet and DeFi resilience in focus
Despite the exposure, Aave’s financial position remains central to the debate.
The DAO treasury holds about $181 million in assets, and service providers have already begun coordinating with ecosystem participants to cover potential shortfalls. This points to a focus on loss containment rather than systemic stress.
Haseeb Qureshi, managing partner at Dragonfly, pointed to past crises to frame the current event. He referenced the March 2020 liquidation failures, the Terra collapse in 2022, and the stETH depeg in the same year, arguing that DeFi has historically strengthened after each disruption.
DeFi learns through failures. Whether it's from the collapse of Terra, broken auctions during Black Friday in 2020, or the stETH depeg in 2022, it has failed over and over again–but with every failure, it improves.
People talk all sorts of shit about this, but it's no different…
— Haseeb >|< (@hosseeb) April 20, 2026
His assessment highlights a key point. At the same time, the scale of potential losses highlights how quickly external failures can translate into protocol-level risk.
External dependencies remain DeFi’s weakest link
The incident exposes a recurring pattern. Aave’s risk didn’t come from its own code, but from assumptions about external systems.
The rsETH bridge relied on a validation setup that allowed a forged message to pass as legitimate. Once that assumption broke, downstream protocols inherited the risk.
This raises a harder question for DeFi. If collateral can appear valid while lacking real backing, where should responsibility sit?
Aave’s role in this case looks closer to a liquidity layer reacting to external failure, not the origin of the problem.
What happens next depends on decisions outside Aave
The outcome now hinges on KelpDAO’s approach to loss allocation and recovery. Governance actions, potential recapitalization, and coordination across protocols will define how much of the exposure materializes.
For Aave, the key test isn’t whether losses occur, but how effectively they are contained.
The protocol has faced similar stress before. The difference this time is not the scale of risk, but its origin.
Share
