What Happened in the rsETH Exploit?
Aave is facing potential losses of up to $230 million following a cross-chain exploit involving rsETH, a liquid restaking token issued by KelpDAO. The incident, detailed in a report from Aave Labs and LlamaRisk, stemmed from a flaw in how cross-chain transfers were verified using LayerZero infrastructure.
The attacker forged a transfer message that appeared valid, allowing the system to approve the issuance of tokens on the destination chain without locking the corresponding assets on the source chain. As a result, 116,500 rsETH were effectively created without backing on the Ethereum-side bridge.
Rather than selling the tokens, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed roughly $190 million in ETH and related assets across Ethereum and Arbitrum. This left the protocol exposed to collateral that may not be fully backed, introducing the risk of bad debt.
How Large Is Aave’s Potential Loss?
The final impact depends on how KelpDAO chooses to allocate the shortfall. If losses are distributed across all rsETH holders, the token could face a depegging of around 15%, resulting in approximately $123–$124 million in bad debt for Aave.
If the losses are instead isolated to Layer 2 networks, the impact could rise to as much as $230 million. In that scenario, the damage would be concentrated on networks such as Arbitrum and Mantle, where a significant portion of the affected collateral is located.
The uncertainty around loss allocation remains the key variable, with no final decision yet from KelpDAO on how the shortfall will be handled.
Investor Takeaway
How Did Aave Respond to Contain the Risk?
Aave moved quickly to limit further exposure. Within hours of identifying the issue, the protocol froze rsETH markets across its deployments, reduced loan-to-value ratios to zero, and halted new borrowing against the asset.
These actions prevented additional leverage from building on top of the compromised collateral. However, existing positions backed by rsETH remain a source of risk, particularly if the asset’s backing is impaired or repriced.
The incident also raised concerns about mispriced collateral within the system, as some positions may have been supported by assets that were not fully backed at the time of borrowing.
Investor Takeaway
What Does This Reveal About DeFi Infrastructure Risk?
The exploit highlights indirect exposure across interconnected DeFi systems. While LayerZero itself was not compromised, weaknesses in how Kelp validated cross-chain messages allowed unbacked assets to enter the system and be used as collateral.
The fallout extended beyond the initial exploit. Around $6 billion in total value locked was withdrawn from Aave as users reduced exposure, reflecting a broader loss of confidence in interconnected protocols.
Aave’s DAO treasury currently holds approximately $181 million in assets, and discussions are ongoing with ecosystem participants to address potential losses. The outcome will depend on how KelpDAO distributes the shortfall and whether additional support mechanisms are introduced.
