Kelp | Crypto

Aave published a report outlining two possible outcomes: around $123 million in losses if damage is shared across all rsETH, or up to $230 million if confined to Layer 2s, with the final impact depending on how Kelp DAO allocates the shortfall.

LayerZero said that Kelp’s DVN setup allowed the $290 million exploit, as investors questioned which protocol would step up to cover the shortfall. Interoperability protocol LayerZero claims that an inadequate setup tied to Kelp’s decentralized verifier network (DVN) enabled malicious actors to steal $290 million from Kelp DAO, adding that preliminary signs point to North Korea-linked threat actors. An attacker drained about 116,500 Restaked ETH (rsETH), worth as much as $293 million at the time, from Kelp DAO’s LayerZero-powered rsETH bridge on Saturday. LayerZero said Monday that the exploit stemmed from a single point of failure in Kelp’s setup, which relied on a single LayerZero DVN as the only verified path, despite LayerZero previously advising them against this. Read more

The Aave token fell nearly 20% to $89.5 in just over 24 hours as users withdrew billions of dollars from the lending protocol. Total value locked on decentralized lending protocol Aave dropped by nearly $8 billion over the weekend after hackers behind the $293 million Kelp DAO exploit borrowed funds on Aave, leaving roughly $195 million in “bad debt” on the protocol and triggering withdrawals. Data from DeFiLlama shows that Aave’s TVL fell from about $26.4 billion to $18.6 billion by Sunday, losing the top spot as the largest DeFi protocol.  Aave v3’s lending pools for USDt (USDT) and USDC (USDC) are now at 100% utilization, meaning that more than $5.1 billion worth of stablecoins cannot be withdrawn until new liquidity arrives or borrows are repaid.  Read more

2026 is shaping up to be DeFi's "worst year in terms of hacks," Ledger's CTO said, as the Kelp exploit shows how a single point of failure can cascade across systems.

The contagion from the Kelp exploit could have been contained, but at the cost of capital efficiency, according to the founder of Curve Finance. The exploit of the Kelp liquid restaking protocol shows how non-isolated lending and integrations in decentralized finance (DeFi) can cause broader ecosystem contagion, according to crypto industry executives and blockchain security firms. Non-isolated lending on DeFi platforms, including earlier versions of the Aave lending protocol, exposes users to risks from all the various tokens used as collateral on the platforms, according to Michael Egorov, founder of the Curve Finance DeFi protocol. Kelp was the target of a cyber attack on Saturday, causing the platform to pause smart contracts for its restaking token (rsETH) while it moved to investigate the attack that left the platform drained of about $293 million. DeFi teams should also vet prospective digital assets to ensure that tokens do not feature single points of failure or attack surfaces before approving token...

The attack caused a "cross-protocol contagion" that has impacted at least nine crypto protocols, blockchain security firm Cyvers said. Kelp, a liquid restaking protocol, was the victim of a cyber attack on Saturday, causing the platform to pause smart contracts for its restaking token (rsETH), as it “investigates” the attack amid reports of hundreds of millions of dollars in losses. “Earlier today, we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several Layer-2s,” the Kelp platform said in an X post. The attacker exploited the rsETH adapter bridge contract, the software code that manages Kelp’s rsETH token, and drained the platform of about $293 million in funds, according to blockchain security firm Cyvers. Read more