$290M Hack on Aave, Kelp DAO and LayerZero
The rsETH incident involving Aave, Kelp DAO, and LayerZero is one of the clearest DeFi lessons in 2026.
This was not a smart contract hack. It was a failure in cross-chain trust.
An attacker exploited Kelp DAO’s rsETH bridge and minted about 116,500 rsETH, worth roughly $290 million, without real backing. These tokens were then deposited into Aave as collateral. Because they looked valid on-chain, the attacker was able to borrow real assets like WETH and exit. This left Aave with more than $200 million in bad debt.
The root cause was not Aave or LayerZero. It was how the bridge was configured. Kelp DAO used LayerZero for messaging, but the app defines what counts as a valid message. In this case, that setup was too weak. It likely relied on a single verifier or a compromised key. A forged message was accepted, and unbacked rsETH was minted.
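The difference between a single-verifier setup and a quorum, as an added example that is not code from Kelp DAO, LayerZero, or Aave. It is a simplified model: HMAC tags stand in for real signatures, and the verifier names, keys, and message payload are constructed for illustration.

```python
import hashlib
import hmac

# Constructed verifier keys. HMAC stands in for real signatures; names are hypothetical.
VERIFIER_KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}


def attest(verifier, message):
    """Return (verifier, tag): that verifier's attestation of the message."""
    return verifier, hmac.new(VERIFIER_KEYS[verifier], message, hashlib.sha256).hexdigest()


def accept_message(message, attestations, trusted, threshold):
    """Accept only when `threshold` distinct trusted verifiers validly attest."""
    if not 1 <= threshold <= len(trusted):
        raise ValueError("threshold must be between 1 and len(trusted)")
    valid = set()
    for verifier, tag in attestations:
        if verifier not in trusted:
            continue  # attestations from verifiers outside the config never count
        _, expected = attest(verifier, message)
        if hmac.compare_digest(expected, tag):
            valid.add(verifier)  # set: repeats from one verifier count once
    return len(valid) >= threshold


def compare_configs():
    """Return (weak, strong, honest) acceptance results for the two configurations."""
    message = b"mint rsETH"  # constructed payload
    # Model of the failure: only verifier-a vouches (its key is assumed compromised),
    # and the same attestation is submitted three times.
    single = [attest("verifier-a", message)] * 3
    weak = accept_message(message, single, trusted={"verifier-a"}, threshold=1)
    strong = accept_message(message, single, trusted=set(VERIFIER_KEYS), threshold=2)
    # A message that two independent verifiers attest passes the 2-of-3 policy.
    quorum = [attest("verifier-a", message), attest("verifier-c", message)]
    honest = accept_message(message, quorum, trusted=set(VERIFIER_KEYS), threshold=2)
    return weak, strong, honest


if __name__ == "__main__":
    print(compare_configs())
```

Under the 1-of-1 configuration one key decides everything; under 2-of-3 the same attestation is insufficient no matter how many times it is repeated.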
Aave worked as designed. It accepted the collateral because it appeared legitimate. Once the attacker borrowed funds, there was no way to liquidate the position because the collateral had no real value. Aave moved quickly to freeze markets and contain the risk, but the borrowed funds are gone.
There is still no final decision on how the bad debt will be covered. Options include recovery from Kelp DAO, partial coverage through Aave’s safety mechanisms, or an Aave DAO governance decision on how losses are shared.
The key lesson is simple. Security in DeFi is no longer just about code. It is about trust assumptions. Infrastructure like LayerZero is flexible, but that means projects are responsible for their own security setup.
It is no longer enough to ask if a protocol is safe. The real question is whether the collateral is actually real. In a composable system, once that breaks, the impact spreads fast.
---
Source:
https://x.com/aave/status/2046321565197905982
https://x.com/KelpDAO/status/2046332070277091807
https://x.com/LayerZero_Core/status/2046081551574983137
