A vulnerability in Kelp DAO’s cross-chain bridge infrastructure led to the unauthorized creation of around $292 million worth of rsETH on April 18, in what is now the largest decentralized finance exploit of 2026. The incident later resulted in roughly $177–$200 million in bad debt on a leading lending protocol, according to Sonic Labs co‑founder Andre Cronje.
Bridge flaw, not core protocol, enabled rsETH mint
The attacker did not breach Kelp DAO’s main protocol contracts. Instead, they targeted the LayerZero-powered bridge used to move rsETH across networks.
On-chain data indicates the attacker exploited a logic flaw in the bridge to mint 116,500 rsETH without posting any collateral. That figure represents about 18% of rsETH’s circulating supply of around 630,000 tokens.
Kelp DAO paused its core contracts 46 minutes after the initial exploit, blocking two further attempts that could have drained an additional $100 million.
Turning illiquid rsETH into liquid ETH via lending markets
With a large amount of unbacked rsETH in hand, the attacker used composability between protocols to convert the worthless tokens into valuable assets.
They deposited the exploited rsETH as collateral into the Aave lending protocol on both Ethereum and Arbitrum. From there, they borrowed high-liquidity assets including 83,427 Wrapped Ether (WETH) and Wrapped Staked Ether (wstETH), effectively transforming the uncollateralized rsETH into transferable, liquid funds.
Because rsETH markets lacked depth and could not absorb large liquidations, the lending protocol was left with significant unrecoverable debt once the attacker withdrew the borrowed ETH and derivatives.
Estimated $177–$200 million exposure, AAVE token falls
Analysts now estimate the lending platform’s exposure at between $177 million and $200 million. The event triggered a sharp market reaction: the AAVE token price fell by roughly 10%–15% in the hours after the exploit became public.
In response, Aave froze rsETH markets on its V3 and V4 deployments, preventing any new borrowing or collateral activity involving the compromised asset.
Cronje: Overcollateralized positions, but no user reimbursement mechanism
Commenting on April 19, Cronje said the ETH borrowing positions created by the attacker were technically overcollateralized at the time they were opened, in line with the protocol’s risk parameters. He noted that internal safety modules exist to act as a first line of defense against bad debt.
However, he also stressed that the protocol does not have a built‑in mechanism to directly reimburse users in the event of severe losses. Under extreme stress, this could translate into liquidity shortages if large withdrawal demands exceed available funds.
Lending platform liquidity remains deep, but thresholds triggered
Current data shows the lending protocol still holds about $7 billion in ETH, against roughly $100 million in withdrawals linked to the event and around $17 million exposure from the put position described by Cronje. These figures suggest the immediate system-wide impact remains limited relative to total liquidity.
Even so, Cronje said his team pulled all ETH associated with their own protocol from the lending market once available liquidity declined below internal safety thresholds. He characterized the move as a pre‑emptive risk‑management step to shield his protocol from any secondary liquidity stress.
Infrastructure failure, not smart contract bug, at rsETH level
Preliminary assessments indicate the root cause lies in rsETH’s core infrastructure rather than a fault in the lending protocol’s smart contracts. The exploit has been linked to either compromised private keys or operational misconfiguration within Kelp DAO’s cross‑chain bridge setup.
The attacker’s method — minting unbacked rsETH, then using it as collateral to borrow highly liquid assets elsewhere — highlights how a failure in one piece of infrastructure can propagate into losses on another, otherwise robust, platform.
DeFi composability: key strength and systemic risk
The incident underscores a central paradox of decentralized finance. Protocol composability — the ability to stack services such as bridges, restaking assets, and lending markets — enables powerful new financial structures. It also tightly couples the security of each component.
In this case, a single cross‑chain bridge vulnerability allowed the creation of unbacked tokens that then flowed into a major lending protocol, generating systemic stress and lasting bad debt without any direct flaw in that lending protocol’s own code.
Focus shifts to risk containment and liquidity management
Cronje, who has navigated prior protocol failures in earlier DeFi cycles, framed his response as part of a broader push toward risk containment and liquidity discipline. His actions, along with rapid freezes by both Kelp DAO and Aave, reflect a growing recognition that operational lapses — not just code exploits — can trigger widespread disruption.
For traders and protocol operators, the rsETH incident is likely to sharpen scrutiny on cross‑chain bridges, collateral standards, and the concentration of risk across interconnected decentralized systems.

