Over the weekend, a critical vulnerability in the bridges of KelpDAO and LayerZero put decentralized finance giant Aave at major financial risk. Due to a loophole in cross-chain transfer mechanisms, Aave’s potential losses were estimated to reach as high as $230 million.
How was the bridge vulnerability exploited?
According to a detailed report published by Aave Labs and LlamaRisk in Aave’s governance forum, the incident centers on rsETH, a liquid restaking token issued by KelpDAO. rsETH moves between blockchains through a bridge that works on a lock-and-mint principle: a token is locked on one chain and an equivalent is minted on another.
During this process, however, an attacker managed to craft a fraudulent transaction request. As a result, even though the tokens weren’t actually withdrawn from the sending network, fresh rsETH could be minted as if they were. This method allowed the release of 116,500 rsETH that should have remained locked on Ethereum’s bridge.
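The lock-and-mint invariant described above can be monitored from the defender's side by reconciling events from both chains: every credit must be covered by exactly one debit with the same message id. This is an added example, not code from Aave, KelpDAO or LayerZero; the `Event` record, its field names and the sample data are assumptions constructed for illustration.

```python
from collections import namedtuple

# Hypothetical, simplified bridge event record (not a LayerZero or KelpDAO format).
# kind: "debit"  = tokens locked or burned on the sending chain
#       "credit" = tokens minted or released on the receiving chain
Event = namedtuple("Event", "chain kind msg_id amount")


def find_unbacked_credits(events):
    """Return (msg_id, reason, unbacked_amount) for each credit not covered by a debit."""
    debits = {e.msg_id: e.amount for e in events if e.kind == "debit"}
    consumed = set()  # message ids that have already produced one credit
    findings = []
    for e in events:
        if e.kind != "credit":
            continue
        if e.msg_id not in debits:
            # Credit with no lock/burn behind it: the whole amount is unbacked.
            findings.append((e.msg_id, "no_source_debit", e.amount))
        elif e.msg_id in consumed:
            # Same message credited twice: the second credit is unbacked.
            findings.append((e.msg_id, "replayed_message", e.amount))
        else:
            consumed.add(e.msg_id)
            excess = e.amount - debits[e.msg_id]
            if excess > 0:
                findings.append((e.msg_id, "amount_mismatch", excess))
    return findings


def total_unbacked(findings):
    """Sum of token amounts that exist on the receiving side without backing."""
    return sum(amount for _, _, amount in findings)


# Constructed sample events (amounts in whole tokens), not data from the incident.
SAMPLE = [
    Event("src", "debit", "m1", 100),
    Event("dst", "credit", "m1", 100),   # properly backed
    Event("dst", "credit", "m2", 500),   # no matching debit
    Event("src", "debit", "m3", 40),
    Event("dst", "credit", "m3", 400),   # credited more than was debited
    Event("dst", "credit", "m1", 100),   # message m1 credited a second time
]

if __name__ == "__main__":
    results = find_unbacked_credits(SAMPLE)
    for finding in results:
        print(finding)
    print("total unbacked:", total_unbacked(results))
```

A non-zero total is the signal a lending market would want before accepting the bridged token as collateral.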
Attacker deposits rsETH into Aave and withdraws large loans
Instead of selling the minted rsETH immediately, the attacker deposited 89,567 of these tokens on the Aave platform as collateral. They then borrowed a total of $190 million worth of ETH and other assets across the Ethereum and Arbitrum networks. This maneuver left Aave with a collateral reserve whose real market backing was highly questionable.
“Within hours of the attack, we froze rsETH markets, suspended lending activity, and set collateral ratios for the asset to zero,” Aave Labs explained, describing their swift incident response.
Shortly after detecting the breach, Aave Labs suspended all rsETH activity as a precaution. Additional emergency risk controls were implemented, blocking new borrowing against rsETH and minimizing further exposure.
How will the scale of the losses be determined?
The ultimate severity of losses depends on how KelpDAO addresses the loophole. If the damage is distributed equally across all rsETH holders, experts forecast a roughly 15% drop in the token’s value and $124 million in bad debt specifically on Aave. But if costs are limited to Layer 2 solutions, nearly $230 million in bad loans could surface across Arbitrum and Mantle networks.
Analysts agree that the exploit stemmed from inadequate verification of transfer messages within KelpDAO’s implementation of the LayerZero protocol. The absence of robust security checks in cross-chain messaging enabled the attacker to inject unbacked assets into the system. While LayerZero’s core infrastructure was not directly compromised, the incident highlighted weaknesses in message-level trust assumptions.
In the immediate aftermath, major withdrawals took place as Aave users rushed to protect their assets. The platform’s total value locked (TVL) dropped by about $6 billion, reflecting mounting fears around systemic risk and trust erosion.
Aave DAO reportedly holds $181 million in assets in its treasury, according to the incident report. Internal discussions are ongoing about how any potential losses might be offset, but as of yet, KelpDAO has not offered a concrete plan on how it intends to share the shortfall among users.
The incident serves as a stark reminder that even top-tier DeFi platforms like Aave can be exposed to external vulnerabilities in bridge and swap infrastructure. With growing integration between blockchain ecosystems, experts stress that continuous diligence is essential to manage emerging risks.



