Overview
- The exploit, flagged Saturday, forged a LayerZero cross-chain message that released 116,500 rsETH worth about $292 million before KelpDAO paused contracts 46 minutes later.
- The attacker deposited the unbacked tokens on Aave as collateral and borrowed large amounts of ETH, which prompted Aave, SparkLend and Fluid to freeze rsETH markets.
- Aave now projects $123 million to $230 million of potential bad debt depending on how KelpDAO allocates losses across mainnet and Layer 2 rsETH.
- Liquidity drained fast, with DeFi TVL falling roughly $10 billion to $13.21 billion in two days and some Aave stablecoin pools hitting 100% utilization, which left billions in USDT and USDC temporarily unavailable to withdraw.
- Security teams say a single-verifier bridge path let the forged message through. Attribution is disputed: LayerZero floated a DPRK link that KelpDAO contests, while investigators track swaps into ETH and Tornado Cash-linked flows.