coinpedia.org
A major exploit at KelpDAO has rattled the DeFi market, with losses estimated at nearly $293 million, making it one of the year’s biggest incidents. The issue was first flagged after “suspicious cross-chain activity involving rsETH,” prompting the team to pause contracts across the Ethereum mainnet and multiple Layer 2 networks.
The protocol, which allows users to restake assets like stETH or cbETH in exchange for rsETH, quickly became the center of a broader ecosystem concern as multiple platforms were exposed.
Analyst Breaks Down What Went Wrong
OneKey founder Yishi explained what went wrong. “KelpDAO dismantled the lock on its own door, LayerZero is selling the kind of door where you can pick the lock yourself, and Aave assumed the neighbor’s door was definitely locked tight.”
His roadmap for recovery starts with negotiation.
“The best outcome is to negotiate with the hacker, offer a 10–15% bounty, get the bulk of it back,” he said.
If that fails, he believes LayerZero should step in financially, noting it has “the deepest pockets and the most long-term skin in the game.”
He also labeled KelpDAO as the weakest link, suggesting compensation through tokens, future revenue, or even selling the project entirely.
Systemic Risk and What Comes Next
The biggest risk now lies with WETH. Yishi warned, “WETH depositors absolutely cannot take a haircut,” as any loss could trigger cascading effects across protocols like Morpho, Spark, Fluid, and Euler, potentially damaging the entire LRT sector.
Despite the scale of the incident, he remains confident in Aave’s resilience, pointing to safeguards like Umbrella and stkAAVE. “I believe Aave can weather this,” he said, even as markets continue pricing in the fallout.
Immediate Response Across Protocols
Following the incident, Aave confirmed that rsETH remains fully backed on Ethereum but moved swiftly to freeze its usage across V3 and V4 markets. WETH reserves were also frozen across networks including Arbitrum, Base, Mantle, and Linea as a precaution.
“KelpDAO is the broke one here—either make it up with tokens + future revenue, or just package the whole project and sell it off to L0 or BMNR.”
KelpDAO stated it is actively working with LayerZero, auditors, and security experts to investigate the root cause, while urging users to rely only on official updates.