Original title: Come I'expluit di Kelp DAO su rsETH ha meso Aave davanti al Suo "moment of truth"
It's the first time I've ever seen it
Photo by Peggy Block Beats

The editor pushed the entire DeFi into a sudden pressure test on April 18, an unusual transfer of about 11.65 million rsETHs. Stolen assets flowed into Aave v3, lending a large amount of WETH as collateral, quickly pressuring the already functioning and stable lending system: the utilization of the ETH pool was pushed to 100 per cent, potential bad debts were approaching $200 million, and the liquidity crisis was created by a massive withdrawal of funds within hours。

On the face of it, this is just another cross-chain attack; but the deeper problem is that it does not happen inside Aave's own code, but is channelled through an external collateral asset that appears to be safe. The failure of rsETH in the chain of bridge, re-admittance and governance has deprived it of its economic convertibility, a change that is lagging behind in the lending system and eventually evolves into a direct impact on the solvency of the agreement。

In this paper, the risk structure of DeFi is changing. The security of the agreement is no longer just a question of whether the contract is open, but a question of whether the collateral it receives, the entire technology behind it, and the governance chain are reliable. When the flow nature of the pledge, the re-admittance and the cross-chain infrastructure layer overlap, the failure of any link may be amplified by a chain of collateral into a systemic shock。

As a result, it is a typical "reverse of gains": it was once seen as close to risk-free reincarnation gains, translated into liquidity depletion and bad debt exposure in one day. For Aave, this is a real test of governance and wind control; for DeFi ecology as a whole, it may be a clearer reminder — in a highly integrated system, risks never disappear, but are redistributed and delayed。

The following is the original text:

Introduction: rsETH no longer "zero risk" days

On April 18, 2026, DeFi went through a time when "theory" was completely removed from "realism": the rsETH bridge of Kelp DAO was used, and about 116,500 rsETHs (approximately $292 million to $293 million) were attacked, making it the largest Defi hacker in the current year。

The stolen coins did not stay in place, but were quickly transferred to Aave v3, used as collateral and loaned WETH. This operation directly triggered a liquidity crisis and created bad debts of over $170 million to $200 million in agreements。

Unlike many previous attacks, this time it wasn't Aave's own code with a loophole. The problem came from the "external" — a source of collateral prices that was supposed to be reliable and lost credibility in a short period of time。

This paper will outline the specific evolution of the event, explain why it is more like a liquidity crisis than a security gap at the level of Aave, and further explore what it means to risk management in an increasingly interconnected DeFi ecology。

Kelp DAO and rsETH what

Kelp DAO is a liquid pledge (libid pledge) agreement that allows users to convert ETH and all types of mobile tokens (e.g. stETH, cbETH, etc.) into a liquid token called rsETH, which is scheduled to be re-assigned on EigenLayer。

The value of rsETH is therefore derived from a basket of underlying assets locked in the re-commitment system. Despite their own limited liquidity, rsETH, as a token, is free to circulate throughout the DeFi ecology, as collateral or as a participant in a variety of revenue strategies。

From the point of view of Aave's loan agreement, rsETH is almost ideal collateral in theory: It has good collateral support, additional revenue sources, and is embedded in an ecological "blue-scale" like EigenLayer. This is why rsETH is connected to the Aave v3 and v4 markets, allowing users to use it as collateral and lend more liquid assets (e.g. WETH)。

But this integration has also brought about a shift in the risk paradigm: Aave's solvency on the side of ETH no longer depends solely on the design and safety of its own agreement, but also begins to rely on external components — including the operational safety of the cross-chain bridge — and on the entire re-commitment facility that supports rsETH。

Attack path: From Kelp Cross Bridge to Aave v3

According to preliminary analysis on the chain and several encrypted media reports, the starting point of the incident was Kelp DAO based on the rsETH bridge of LayerZero。

Using a loophole in its cross-link information mechanism (lzReceive in EndpointV2), the attackers extracted about 116,500 rsETHs from the adapter/bridge, corresponding to an estimated $292 million to $293 million at the time of the attack。

After obtaining these coins, the attack strategy is economically highly "reasonable":

• Deposit rsETH into Aave v3 as collateral

• Loan WETH to the extent possible on the basis of this position (using rsETH was fully recognized as a valid encumbered asset under the agreement at the time)

• WETH TO BE BORROWED FOR TRANSFER OR REALIZATION TO EXTRACT REAL LIQUIDITY VALUE

:: Keeping the risk in the Aave system, waiting for collateral values to collapse

When Kelp DAO discovered anomalies, it quickly announced the suspension of the main network and several rsETH contracts on L2 in order to investigate the attack and essentially freeze the normal flow of rsETH and the redeeming path。

At the same time, Aave had to freeze the rsETH and wrsETH markets on v3 and v4, stressing that its smart contract itself had not been broken and that the problem was limited to the single asset。

But the central problem is that the rsETH, which is the collateral at this time, is "defunct" at the economic level。

CROSS-CHAIN BRIDGES ARE EMPTY, FORECLOSURE ROUTES ARE UNCERTAIN AND PRICE DISCOVERY MECHANISMS ARE IN DISARRAY — WHILE WETH, PREVIOUSLY BORROWED ON ITS COLLATERAL, IS STILL REAL。

Aave's liquidity crisis: utilization rate peaks and "nine digits" bad

Kelp DAO ' s freeze on rsETH prevented an orderly liquidation of the position previously held as collateral. Specifically, WETH borrowings against these mortgages are no longer capable of recovering sufficient value through the disposal of rsETH, and the agreement was supposed to be the mechanism of the “last liquidator” and became ineffective on these positions。

Preliminary estimates indicate that:

:: About 116,500 rsETH stolen and deposited in Aave v3

• WETH BORROWINGS DIRECTLY RELATED TO THESE POSITIONS RANGED FROM ABOUT $177 MILLION TO $236 MILLION

:: Potential bad debts up to a maximum of approximately $200 million if other agreements are considered to be open

The ETH pool of Aave was once utilized at 100 per cent, with little liquidity available to users (unless withdrawn first)

The panic quickly spread: in just a few hours, Aave had more than $5.4 billion in funds flowing out, over $150 million of which came from Justin Sun, one of the major players in the agreement。

Aave's total lockout (TVL) dropped from about $45.8 billion to $35.7 billion in a very short period of time, while its token AAVE fell by about 17 to 20 per cent in a single day。

A RATHER IRONIC RESULT IS THAT, FOR USERS WHO LEND STABLE CURRENCY OR OTHER ASSETS, THE RATE OF RETURN HAS SOARED - AS A RESULT OF THE SHORTAGE OF AVAILABLE FUNDS, THE ANNUALIZED EARNINGS OF STABLE CURRENCY DEPOSITS (APY) WERE PUSHED UP TO ABOUT 13 TO 14 PER CENT, A TYPICAL SIGNAL OF MARKET ENTRY INTO THE “CRISIS MODEL”。

This incident revealed risk management on the chain

the rsETH-Khelp DAO-Aave incident is not just an ordinary attack, it is more like a typical case of how risk is transmitted from one agreement to another in a highly commingled DeFi financial system。

Several key conclusions are as follows:

Lending agreements are not isolated
Even if Aave's smart contract itself is not broken, accepting rsETH as collateral means being exposed directly to external risks — including the safe operation of the bridge — and the system behind it。

When foreclosibility crashes, the prophecies are not priced enough
Even if the chain price remains formally "effective " , it ceases to be economically eligible collateral once the asset loses its redeemable or mobile capacity (e.g. due to suspension, attack or freezing). Risk management needs to incorporate infrastructure integrity and governance factors, not just price dimensions。

The emergency suspension mechanism is a double-edged. Sword
The Kelp DAO freeze of the rsETH contract, which is reasonable from the point of view of controlling the attack, has exacerbated the problem for Aave: the inability to move the collateral makes liquidation more difficult。

Dispersed mortgages may evolve into systematic risk concentration
Every new LRT, LST or complex derivative asset introduces new sources of risk. Once these assets are accepted as collateral in multiple agreements (e.g., Aave, Compund, Euler, etc.), a cross-chain attack may trigger a chain reaction throughout the ecology。

for chain-based risk managers, the event is essentially a “template”: the so-called “collar white list” is no longer merely an assessment of price volatility, but a measure of the complexity and vulnerability of the entire technological supply chain that underpins the asset。

Outlook: how Aave (and DeFi) may change after the rsETH events

Within hours of the attack, the Aave team and Guardian reiterated that the pool was still functioning and that the incident related only to rsETH-related assets and was working with Kelp, LayerZero and other interested parties to minimize the impact。

But the real work is just beginning: how to deal with bad debts, whether to activate the Safetty Module/Umbrella mechanism, and how to update the assets-on-line strategy will be critical stress tests at the governance level。

Several directions in which the incident could accelerate include:

MORE CONSERVATIVE UP-LINE PARAMETERS FOR LRT / CROSS-CHAIN ASSETS: LOWER LTV, STRICTER LIMIT, AND MULTI-LEVEL AUDIT REQUIREMENTS, WITH DEDICATED STRESS TESTING FOR CROSS-CHAIN ATTACK SCENARIOS。

• build a quantitative framework to measure the "bridge risk" and "restaking stock risk " , similar to the current modelling of price volatility and asset relevance。

MORE ATTENTION IS GIVEN TO THE ISSUE OF COLLATERAL CONCENTRATION: IT IS LIMITED NOT ONLY BY A SINGLE ASSET BUT ALSO BY A "RISK CLASS" (E.G. DERIVATIVE ASSETS OF THE SAME LRT PROVIDER OR THE SAME MESSAGE INFRASTRUCTURE)。

• CONTRIBUTING TO THE EVOLUTION OF THE ROLE OF THE SECURITY MODULE: IT INCLUDES AAVE PLEDGE, THE INSURANCE VAULT AND THE HEDGE FUND POOL, MOVING FROM A “LAST LINE” TO A ROUTINE SYSTEMATIC RISK MANAGEMENT COMPONENT。

For users, the event also sends a clear signal that the use of complex combination tokens as collateral can indeed increase returns, but it also means exposure to a range of risks that are often overlooked - These include gaps in cross-chain bridges, re-admittance governance, and an emergency moratorium on upstream agreements。

A reminder about the nature of DeFi proceeds

the attack by rsETH did not break Aave's code, but revealed a key question: The sensitivity of the lending agreement to external shocks increases significantly when the collateral is built on complex fluid pledge, re-admittance and cross-chain bridge structures。

The seemingly “risk-free” gains of the past few months have, in just one day, evolved into a liquidity crisis triggered by financial outflows of more than $10 billion and potential bad debts of up to $200 million。

If one of the core lessons is to be learned, it's that in DeFi, gains are always the price of risk. The risk is, however, often underestimated before the first systemic event。

[ Chuckles ]Original Link]