
KelpDAO Hack Leads to $292 Million Theft, Triggering Chain Reaction: Aave Depleted of Over $5.4 Billion, Lending Market Risk Needs to be Reassessed

BlockBeats News, April 19: Multi-chain liquidity staking platform KelpDAO was attacked early this morning. The attacker withdrew 116,500 rsETH from KelpDAO's LayerZero-based cross-chain bridge, equivalent to $2.92 billion, making it the largest DeFi security incident to date in 2026. Approximately 46 minutes later, KelpDAO responded by urgently pausing the multi-signature, freezing core components including the LRT liquidity pools, withdrawal contracts, oracle, and rsETH tokens. Kelp stated that they had identified unusual cross-chain activities involving rsETH and had temporarily paused relevant contracts on the mainnet and multiple L2s, while conducting root cause analysis in collaboration with LayerZero and others.


The attacker's two subsequent attacks were unsuccessful, and the pause measures effectively prevented further fund loss. The attacker attempted to withdraw an additional 40,000 rsETH (approximately $1 billion). If successful, the total loss could have expanded to around $3.91 billion. The attacker promptly borrowed from protocols such as Aave, Compound, Euler, and Fluid, leading to defaults in multiple protocols. Aave experienced bad debts of around $177 million to $196 million, Compound faced bad debts of approximately $39.4 million, and Euler incurred bad debts of about $840,000. Aave was the most affected, having frozen the rsETH markets in V3 and V4, stating that the event was related to the rsETH asset and not an issue with the protocol's smart contracts. Aave is assessing the lending situation post-event and mentioned that if the protocol incurs bad debts, they will "explore avenues to cover the shortfall."


The majority of the rsETH stolen by the KelpDAO attacker was deposited into Aave as collateral to borrow ETH, while a small portion was directly sold for ETH. Through collateralization and selling, the hacker obtained 106,466 ETH (around $2.5 billion). For risk mitigation, assets totaling over $5.4 billion were swiftly withdrawn from Aave after the hacker borrowed significant amounts of ETH using illegally minted rsETH. This includes Justin Sun reclaiming 65,584 ETH ($154 million). The capital utilization rate of ETH on Aave briefly reached 100%.


Curve founder Michael Egorov commented, "This incident highlights the risk posed by the widely adopted 'non-isolated borrowing' model. While this model offers good scalability, it comes with higher risks, underscoring the critical importance of risk management. Aave v4's hub and spoke model may be a step towards a semi-isolated, more secure direction."


Crypto KOL benmo.eth posted that KelpDAO's rsETH hack had far-reaching implications, Aave's security "fortress" was breached, and the risk in the uniform lending market is now back under whale scrutiny. Aave V4 and modular lending may become a future trend, accelerating the related transformation process. DeFi is halting its expansionist trajectory, shifting towards a more conservative security posture, while also needing to address further AI-driven security threats such as Anthropic Mythos.


Bankless co-founder Ryan Sean Adams posted, "The frequency of crypto being hacked has reached an all-time high. I believe this is related to AI. AI is empowering hackers with 'dark superpowers.' Defense must catch up quickly; we are running out of time."
