
Aave responds swiftly to rsETH security incident

Aave has frozen all markets for KelpDAO’s rsETH and its wrapped version wrsETH across every deployment after an exploit led to roughly $292 million in unbacked tokens being created through KelpDAO’s LayerZero cross-chain bridge. All other Aave lending pools remain live and fully operational, with the impact contained to rsETH-linked markets and the associated bad debt.

Emergency freeze isolates risk to rsETH

The Guardian team overseeing Aave said it triggered the protocol’s emergency controls on April 19 after receiving early warnings of a potential rsETH exploit. The action:

  • halted new deposits of rsETH and wrsETH
  • blocked new borrowing positions using rsETH as collateral
  • left existing rsETH positions unchanged

On Aave’s latest version, the Security Council also disabled all new supply and borrowing functions tied to rsETH. These configuration changes were executed via the Core Hub and the Kelp E Spoke, effectively ring-fencing the compromised asset without suspending broader market activity.

How the exploit unfolded

The incident did not stem from a flaw in Aave’s core contracts, but from KelpDAO’s infrastructure:

  • the exploit originated in KelpDAO’s LayerZero-based cross-chain bridge
  • the attacker was able to mint around 116,500 unbacked rsETH tokens
  • at the time, these tokens were valued at about $292 million, around 18% of rsETH’s circulating supply

The attacker then deposited these fraudulent rsETH tokens as collateral on Aave V3 and V4 markets on both Ethereum and Arbitrum. Using this effectively worthless collateral, the exploiter borrowed real assets, including:

  • approximately 83,427 units of Wrapped Ether (WETH) and wrapped staked Ether (wstETH)

This left Aave with an estimated $177 million to $200 million in bad debt, making it the largest decentralized finance exploit reported in 2026 so far.

Preliminary analysis suggests the root cause may have been a private key leak on the source chain, which allowed the attacker to push trusted but malicious messages through the bridge.

Aave protocol remains intact, but faces bad debt

Aave’s team emphasized that:

  • the core lending and borrowing logic for non-rsETH assets was not compromised
  • the vulnerability was external, sitting in the cross-chain bridge supporting KelpDAO’s rsETH
  • the emergency freeze was a defensive step to prevent further borrowing against the compromised token

Following the news, the AAVE token dropped about 10% in short order, reflecting market concern about the scale of the unrecoverable debt and the possibility of future recapitalization measures.

Joint investigation underway

KelpDAO, LayerZero, and related development teams have launched a joint investigation to identify the precise source of the vulnerability and assess ongoing risk. Coordination between these teams and Aave’s Guardian and Security Council groups is ongoing, with the immediate priority being:

  • confirming that the exploit path is fully closed
  • ensuring that no additional assets connected to the same infrastructure are exposed

Further technical disclosures are expected as the investigation progresses.

DeFi’s structural risk exposed

The case highlights a recurring structural issue in decentralized finance:

  • primary protocols depend on external assets and bridges for collateral and liquidity
  • a flaw or misconfiguration in an integrated asset, such as rsETH, can transmit risk into the host protocol
  • cross-chain bridges and multi-layer instruments like liquid restaking tokens remain high-complexity, high-risk components

In this instance, Aave’s emergency controls limited the fallout to a single asset layer, preventing broader disruption across its lending markets. Without a fast freeze, the attacker could have expanded borrowing and deepened the bad debt.

What traders should watch next

Those active in these markets are focusing on several key developments:

  • official updates: monitoring statements from KelpDAO, LayerZero, and Aave’s development and governance bodies
  • governance proposals: watching for any plans to use Aave’s safety module or other reserves to cover part or all of the bad debt, which could affect token holders
  • risk frameworks: assessing how Aave and other platforms may tighten listing standards, collateral parameters, and bridge dependencies for complex assets

Participants with exposure to affected WETH and wstETH pools are closely tracking liquidity conditions and any knock-on effects from forced unwinds or risk parameter changes.

Outlook for collateral onboarding and bridge security

The exploit is likely to accelerate changes in how major protocols onboard and manage collateral:

  • stricter due diligence on bridged and restaked assets
  • higher collateral haircuts or limits for tokens relying on external bridge or restaking infrastructure
  • greater emphasis on key management, message validation, and fail-safe mechanisms in cross-chain designs
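
One way to express the fail-safe idea above in code: a backing check that freezes a reserve once a bridged token's circulating supply exceeds what the source chain holds. This is an added example, not code from Aave, KelpDAO or LayerZero; the Snapshot, Reserve and guard names, the chain names, the tolerance and every figure except the 116,500 unbacked tokens reported above are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass(frozen=True)
class Snapshot:
    """One reading of a bridged token; every figure here is constructed."""
    backing: Decimal   # units of backing the bridge holds on the source chain
    supply: dict       # chain name -> token total supply on that chain

    def unbacked(self) -> Decimal:
        """Circulating tokens not covered by source-chain backing."""
        return max(sum(self.supply.values(), Decimal(0)) - self.backing, Decimal(0))

    def unbacked_ratio(self) -> Decimal:
        total = sum(self.supply.values(), Decimal(0))
        return self.unbacked() / total if total else Decimal(0)

@dataclass
class Reserve:
    """Toy lending reserve: a freeze stops new exposure, not existing positions."""
    symbol: str
    frozen: bool = False
    collateral: dict = field(default_factory=dict)   # user -> supplied amount

    def supply(self, user: str, amount: Decimal) -> None:
        if self.frozen:
            raise PermissionError(f"{self.symbol}: reserve frozen, new supply rejected")
        self.collateral[user] = self.collateral.get(user, Decimal(0)) + amount

    def borrow_against(self, user: str) -> Decimal:
        """Return the collateral a user may open new borrowing against."""
        if self.frozen:
            raise PermissionError(f"{self.symbol}: reserve frozen, new borrowing rejected")
        return self.collateral.get(user, Decimal(0))

def guard(reserve: Reserve, snap: Snapshot, tolerance=Decimal("0.001")) -> bool:
    """Freeze the reserve once the unbacked share of supply exceeds the tolerance."""
    if snap.unbacked_ratio() > tolerance:
        reserve.frozen = True
    return reserve.frozen

# Constructed readings: healthy, then after 116,500 tokens appear without backing.
HEALTHY = Snapshot(Decimal(530_000), {"chain_a": Decimal(400_000), "chain_b": Decimal(130_000)})
AFTER_MINT = Snapshot(Decimal(530_000), {"chain_a": Decimal(400_000), "chain_b": Decimal(246_500)})

if __name__ == "__main__":
    r = Reserve("TOKEN")
    r.supply("alice", Decimal(10))
    print(guard(r, HEALTHY), guard(r, AFTER_MINT), AFTER_MINT.unbacked())
```

The check depends on an independent reading of source-chain backing; a monitor that trusts the same bridge messages as the token contract would not see the mismatch.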

For now, Aave’s core markets continue to operate, but the platform faces a large debt overhang and a renewed debate over how integrated DeFi systems should price and manage the risk of third-party infrastructure failures.



Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
