Massive $292 Million Heist Strikes Kelp DAO, Wipes Out rsETH Holdings, Prompting Aave to Lock Down Vulnerable Investment Pools

A devastating cyber attack has struck Kelp DAO, a liquid restaking protocol, resulting in a staggering loss of approximately $292 million. This massive exploit was initially detected by renowned blockchain investigator ZachXBT on April 18 at 2:52 PM. The attacker cleverly manipulated LayerZero's cross-chain messaging system, deceiving it into verifying a fake transfer request from another network. This led to the unauthorized transfer of 116,500 rsETH tokens, which are valued at around $292 million, according to on-chain data. This exploited amount accounts for roughly 18% of the total circulating supply of 630,000 rsETH tokens.

In response to the attack, Kelp DAO swiftly activated its emergency protocols, immediately halting rsETH deposits and withdrawals. The protocol is currently collaborating with LayerZero and Unichain to address the issue. Kelp DAO announced on X that it had identified suspicious cross-chain activity involving rsETH and had paused rsETH contracts on mainnet and several layer 2 networks while conducting an investigation. The protocol is working closely with top security experts, auditors, and partners, including LayerZero and Unichain, to conduct a root cause analysis.

The situation escalated as the stolen funds were diverted into various lending protocols, including Aave V3, Compound V3, and Euler. The attacker used the stolen rsETH as collateral to borrow substantial amounts of wrapped ETH, amassing over $236 million in debt positions. On-chain data reveals that the attacker consolidated around 74,000 ETH post-exploit, generating a staggering $280 million in bad debt across these protocols.

As a result, Aave suspended the rsETH markets on both Aave V3 and Aave V4, confirming that its smart contracts were not compromised and that the issue originated from the rsETH token. Aave is currently reviewing rsETH-backed loans opened after the exploit to assess potential exposure and is exploring measures to address any resulting bad debt. The project stated that it would evaluate the impact of the exploit on its protocol and take necessary steps to mitigate any potential risks.

Other protocols, such as SparkLend and Fluid, took similar precautions, with SparkLend reporting zero rsETH exposure due to its conservative risk management approach. Lido Finance paused deposits into its earnETH product, which has exposure to rsETH, while emphasizing that its core staking protocol and the stETH token were not affected. Ethena, a stablecoin issuer, temporarily shut down its LayerZero bridges from the Ethereum mainnet as a precautionary measure, despite having no rsETH exposure and maintaining over 101% collateralization.

The aftermath of the attack has had a significant impact on the market, with Aave's token price dropping by approximately 10% according to CoinGecko. This attack is the largest DeFi exploit of the year to date and comes on the heels of a series of smaller attacks on protocols such as CoW Swap, Zerion, Rhea Finance, and Silo Finance. Just weeks ago, Solana-based perpetuals protocol Drift Protocol suffered a targeted administrative breach, resulting in a loss of around $285 million, which was later linked to North Korea-affiliated actors. This latest attack on Kelp DAO has raised concerns about the security of DeFi protocols and the need for increased vigilance in the industry.