Aave is grappling with potential losses that could reach $230 million due to an exploit involving the Kelp DAO and LayerZero bridge that occurred over the weekend. A report from Aave Labs and LlamaRisk highlights the severity of the situation, which centers on the liquid restaking token, rsETH.
The exploit took advantage of a flaw in the bridge mechanism that allows rsETH to be transferred across blockchains. An attacker forged a transfer message that the system mistakenly approved, resulting in the creation of 116,500 rsETH without actual backing.
Instead of liquidating the stolen assets, the attacker deposited 89,567 rsETH as collateral on Aave and borrowed approximately $190 million in ETH and related assets from both Ethereum and Arbitrum. This maneuver has left Aave vulnerable, as the collateral may not be fully secured.
In response to the incident, Aave Labs acted swiftly to mitigate risk by freezing rsETH markets, setting loan-to-value ratios to zero, and halting new borrowing against the affected asset. The final impact on Aave will depend on how Kelp DAO chooses to address the resulting shortfall.
If losses are distributed among all rsETH holders, Aave could face about $124 million in bad debt, leading to an estimated 15% depegging of the token. However, if losses are confined to Layer 2 networks, the bad debt could escalate to approximately $230 million, particularly affecting networks like Arbitrum and Mantle.
The exploit was rooted in vulnerabilities in Kelp’s cross-chain message verification process using LayerZero. Although LayerZero itself was not hacked, the incident exposed flaws in Kelp’s validation methods, allowing the attacker to misrepresent the backing of certain assets.
This situation has raised alarms regarding the collateral backing positions on Aave, increasing the risk of undercollateralized loans. Following the exploit, users withdrew around $6 billion in total value locked from Aave, reflecting a significant pullback as participants reassessed their exposure amid uncertainty.
The report indicates that Aave’s DAO treasury currently holds about $181 million in assets, and discussions are ongoing with ecosystem participants to address the potential losses. Kelp has yet to clarify its strategy for handling the shortfall, leaving Aave’s ultimate exposure uncertain as the situation develops.
Aave is facing potential losses of up to $230 million due to an exploit involving Kelp DAO and LayerZero. The incident has raised concerns about collateral risk and led to significant withdrawals from the platform.