Last night, I found out Kelp DAO was hacked, so I pulled out all my rsETH, $50😂


Aave has nearly $300 million in bad debt, and now the USDT deposit rate on Aave has skyrocketed to over 13%.
After discovering the anomaly, I immediately swapped all the listed prices on Arbitrum into ETH. Because the hacker didn't dump on the chain DEX, rsETH was still unpegged at the time, so I sold almost at a 1:1 ratio.
Why didn't the hacker dump? More details later.
In short, when you see cross-chain bridge issues, run first.
【What is rsETH】
Kelp is one of the largest liquid staking protocols on Ethereum. rsETH is similar to Lido's stETH, a re-staking version: deposit ETH to get rsETH tokens, then use the tokens everywhere: lending, LP, cross-chain.
Just on Aave, there are $940 million worth of rsETH used as collateral, with integrations across Compound, Gearbox, Morpho, Fluid, Euler, Pendle.
116,500 rsETH, valued at $292 million at the time, was drained in one go. This became the biggest DeFi security incident of 2026, surpassing the $285 million Drift hack two weeks ago.
【How was it stolen】
The problem again lies with the cross-chain bridge. Kelp uses LayerZero's OFT cross-chain solution, which is based on a Lock & Mint model: transferring rsETH from L2 back to the mainnet, where the mainnet vault locks the real rsETH, and the L2 mints a wrapped version.
rsETH across more than 20 chains relies solely on the mainnet vault's backing.
The attacker forged a LayerZero cross-chain message, called the EndpointV2 contract's lzReceive method, directly draining the vault. Once drained, all rsETH on all chains instantly turned to air.
About 10 hours earlier, the attacker used Tornado Cash to obtain initial funds. With one transaction, they took $292 million.
The Kelp team froze the contract in an emergency 46 minutes later. The attacker tried two more times, each time with 40k rsETH (about $100 million), but all attempts failed because the contract was already paused.
In 46 minutes, they saved $200 million.
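The backing dependency described above can be watched as a simple invariant: wrapped rsETH outstanding on the remote chains must never exceed what the mainnet vault still holds. The sketch below is an added example, not Kelp's or LayerZero's code. The vault size, per-chain supplies, event format and instant pause are constructed assumptions; only the 116,500 and 40,000 rsETH amounts come from the post.

```python
from dataclasses import dataclass

@dataclass
class Bridge:
    vault_locked: int     # rsETH held by the mainnet vault (constructed value)
    remote_supply: dict   # chain -> wrapped rsETH outstanding there (constructed)
    paused: bool = False

    def backing_ratio(self) -> float:
        minted = sum(self.remote_supply.values())
        return self.vault_locked / minted if minted else float("inf")

def replay(bridge, events, min_ratio=1.0):
    """Apply vault releases in order and pause as soon as the wrapped supply
    exceeds what the vault still holds. Returns [(event_id, outcome)]."""
    outcomes = []
    for ev in events:
        if bridge.paused:
            outcomes.append((ev["id"], "rejected: paused"))
            continue
        bridge.vault_locked -= ev["amount"]
        # A legitimate release is matched by a burn on the source chain
        # (assumed model); a forged message has no burn behind it.
        if ev["burn_chain"] is not None:
            bridge.remote_supply[ev["burn_chain"]] -= ev["amount"]
        if bridge.backing_ratio() < min_ratio:
            bridge.paused = True
            outcomes.append((ev["id"], "executed: ALERT unbacked, paused"))
        else:
            outcomes.append((ev["id"], "executed: ok"))
    return outcomes

def demo():
    bridge = Bridge(500_000, {"arbitrum": 200_000, "base": 150_000,
                              "optimism": 150_000})
    events = [  # constructed event stream
        {"id": "e1", "amount": 1_000, "burn_chain": "arbitrum"},  # normal exit
        {"id": "e2", "amount": 116_500, "burn_chain": None},      # no burn
        {"id": "e3", "amount": 40_000, "burn_chain": None},       # retry
        {"id": "e4", "amount": 40_000, "burn_chain": None},       # retry
    ]
    return replay(bridge, events), bridge

if __name__ == "__main__":
    results, bridge = demo()
    for event_id, outcome in results:
        print(event_id, outcome)
    print("backing ratio:", round(bridge.backing_ratio(), 4))
```
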
【How they cashed out】
The hacker didn't dump on DEXs because slippage would be huge, and they couldn't get a good price. Instead, they deposited the stolen rsETH into Aave, Compound, Euler as collateral, and borrowed about $236 million in WETH while the oracle still reported normal prices.
Once rsETH de-pegged, these loans would never be liquidated. The bad debt would just be left to the protocol.
That's also why I was able to escape; the hacker preferred borrowing and cashing out rather than dumping, and rsETH hadn't de-pegged in the short term, giving a window of opportunity.
【What happened to Aave】
First, let me clarify: Aave itself was not hacked, and its contracts are fine. The issue is that Aave listed rsETH as collateral, which then became a problematic asset.
This isn't unique to Aave. All lending protocols share the same underlying logic: collateral value > loan value is safe.
If the collateral value drops too fast, liquidation can't keep up, and no one wants to take over, the result is bad debt.
Once an asset becomes ultimately non-repayable, any lending protocol faces the same problem.
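To see why the speed of the price drop matters, the added sketch below (not Aave's code) walks one position through three oracle price paths. The liquidation threshold, bonus, close factor and position size are illustrative assumptions, not any protocol's real parameters.

```python
def bad_debt_after(prices, collateral=100.0, debt=70.0,
                   liq_threshold=0.80, bonus=0.05, close_factor=0.5):
    """Walk an oracle price path (collateral priced in the debt asset) and
    let liquidators act at every step. Returns the debt that no remaining
    collateral covers at the final price."""
    for p in prices:
        # The position can be liquidated while collateral * price * threshold
        # is below the debt. At p == 0 there is nothing worth seizing.
        while (p > 0 and debt > 1e-9 and collateral > 1e-9
               and collateral * p * liq_threshold < debt):
            # A liquidator repays part of the debt and receives collateral
            # worth repay * (1 + bonus); it cannot seize more than exists.
            repay = min(close_factor * debt, collateral * p / (1 + bonus))
            collateral = max(0.0, collateral - repay * (1 + bonus) / p)
            debt -= repay
    return max(0.0, debt - collateral * prices[-1])

# Constructed price paths.
GRADUAL = [1.00, 0.90, 0.85]   # liquidators have time to act
GAP = [1.00, 0.30]             # price gaps below the debt in one update
WORTHLESS = [1.00, 0.0]        # collateral loses its backing entirely

if __name__ == "__main__":
    for name, path in (("gradual", GRADUAL), ("gap", GAP),
                       ("worthless", WORTHLESS)):
        print(name, round(bad_debt_after(path), 2))
```

On the gradual path one liquidation restores the position and no bad debt remains. On the gap path liquidators take all the collateral and the protocol is still left with the shortfall.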
Currently, rsETH on Aave is frozen, with a reserve size of $1.31 billion, zero available liquidity, and Max LTV set to zero.
52,580 rsETH are locked inside, unable to be withdrawn.
Aave is the top lending protocol on DeFiLlama, with a TVL of about $20 billion.
This V3 bad debt is estimated at around $177 million.
AAVE tokens have dropped 10% in 24 hours.
USDT deposits' APY has surged to 13.35%, because a large amount of WETH is locked as bad debt, liquidity is tight, and lending rates are soaring across the board.
Last year, Aave launched the Umbrella Security Fund, which automatically reduces staker shares to cover bad debt when it occurs.
This was the first real stress test since launch. Can it cover $177 million? Hard to say.
If not, the DAO treasury or socialization will have to step in.
【Scope of impact】
Not just Aave. SparkLend and Fluid have frozen rsETH markets, Lido has paused earnETH deposits, Upshift has suspended related vaults, and even Ethena, which has nothing to do with rsETH, preemptively paused the LayerZero bridge for 6 hours.
A single bridge vulnerability has shaken half of the DeFi lending market.
Kelp has had its second incident in a year.
Last April, a fee contract bug caused rsETH over-minting, and Aave also froze once before, but no funds were lost then.
This time, luck wasn't on their side.
All in all, this kind of event is an inherent risk of DeFi's structural design.
Lock & Mint is the most frequently attacked cross-chain bridge model in history: Ronin $590 million, Wormhole $326 million, BNB Bridge $570 million, Nomad $190 million, and now Kelp with $292 million.
Reserves are concentrated in a single vault, and one failed validation can cause a full collapse.