TL;DR
- The Kelp DAO exploit enabled rsETH to be released to an attacker-controlled address after a malicious cross-chain message was accepted.
- The incident forced Aave to freeze affected markets, while Arbitrum froze about $71 million in ETH tied to the attacker.
- The fallout spread beyond one protocol, with reports of lower DeFi TVL, tighter risk controls, and uncertain recovery prospects.
The Kelp DAO exploit has expanded beyond a single protocol incident into a broader DeFi risk event. It highlights vulnerabilities in cross-chain infrastructure and how they can affect multiple platforms.
The attack took place on April 18 and resulted in the loss of roughly $292 million worth of rsETH hack-related assets, with rsETH, a restaked Ethereum asset, at the center of the incident. While the scale is notable, the structure of the exploit is what has drawn closer scrutiny across the industry.
What happened and how it worked
The incident originated in Kelp DAO’s cross-chain bridge system, which allows assets to move between networks using external messaging and verification. The attacker exploited weaknesses in how these cross-chain messages were verified.
As a result, the bridge released rsETH to an attacker-controlled address after accepting a malicious cross-chain message. This meant assets were transferred without proper backing, creating risk for protocols that relied on rsETH as valid collateral.
Funds linked to the exploit were distributed across roughly 20 chains, reflecting the multi-chain design of the system. But at the same time, this complicates efforts to track and contain the assets.
Responsibility for the failure remains disputed. Kelp DAO has pointed to issues with default settings in LayerZero, while other reports say the configuration used in the bridge setup may have contributed to the vulnerability.
Containment and immediate response
The first major response came from lending markets. Aave froze rsETH and related markets shortly after the exploit was identified, aiming to prevent further borrowing or liquidations tied to potentially compromised collateral.
Aave said its smart contracts were not compromised and continued operating as designed. The measures were precautionary, focused on limiting exposure to an asset whose backing had become uncertain.
Other protocols also took defensive steps, including restricting activity or reassessing risk tied to similar assets. The incident prompted a broader review of exposure to cross-chain and restaking mechanisms.
A more direct containment action followed when Arbitrum’s Security Council froze 30,766 ETH linked to the attacker. Valued at roughly $71 million, the move represents a partial effort to secure funds associated with the exploit.
This Arbitrum freeze marked one of the clearest recovery steps after the breach, even if it covered only part of the stolen value.
The fallout across DeFi
The Kelp DAO exploit has had visible effects beyond the initial breach. Reports said DeFi TVL declined following the incident, alongside increased withdrawals from some platforms.
These reactions reflect how interconnected DeFi systems have become. Assets like rsETH are used across lending, liquidity, and yield strategies, meaning issues in one protocol can quickly affect others.
Lending markets were particularly sensitive to the event. Once uncertainty emerged around rsETH backing, protocols moved to reduce risk exposure, which in turn affected user activity and liquidity conditions, especially in Aave markets tied to the asset.
At the same time, recovery prospects remain uncertain. While a portion of the funds has been frozen, other assets have already been moved. This suggests that only part of the stolen value may ultimately be recoverable.
>>> Read more: Drift Hack Lawsuit Targets Circle Over USDC Transfers
What comes next
The Kelp DAO exploit is now moving into a recovery and assessment phase. This includes tracking stolen assets, evaluating protocol exposure, and determining how the failure in cross-chain validation occurred.
The incident underscores an ongoing challenge in DeFi: balancing interoperability with security. As more protocols rely on cross-chain systems, failures at this layer can have broader consequences that extend well beyond a single platform.
Further updates are likely to focus on recovery efforts and potential changes to cross-chain verification practices as the ecosystem responds to one of its largest exploits this year.
Readers’ frequently asked questions
What exactly was exploited in the Kelp DAO incident?
The incident involved a failure in cross-chain message verification. A malicious message was accepted by the bridge, which resulted in rsETH being released to an attacker-controlled address without proper backing.
Was Aave itself hacked during the exploit?
No. Aave said its smart contracts were not compromised. The protocol froze rsETH-related markets as a precaution to limit exposure to an asset whose backing had become uncertain after the exploit.
Have any of the stolen funds been recovered?
Part of the funds has been frozen. Arbitrum’s Security Council froze 30,766 ETH linked to the attacker, but other portions of the stolen assets have already been moved, making full recovery uncertain.
What Is In It For You? Action items you might want to consider
Review your exposure to cross-chain assets
If you hold or use assets like rsETH, check where they are deployed across protocols. Cross-chain dependencies can introduce risks that are not always visible at the wallet level.
Monitor protocol risk responses during incidents
Watch how platforms like Aave react to similar events. Market freezes, collateral restrictions, and governance actions can directly affect your ability to withdraw or manage positions.
Be cautious with complex yield strategies
Strategies involving restaking, bridging, or layered DeFi integrations can amplify risk. Consider simplifying positions during periods of uncertainty or heightened market stress.
