- Trending
- Comments
- Latest
A misconfigured single-verifier bridge on Kelp DAO allowed an attacker to mint unbacked rsETH, deposit it as collateral on Aave, and borrow approximately $195 million in liquid assets before markets could respond, leaving Aave with a growing pool of bad debt and no clear recovery plan.
What initially appeared to be an isolated bridge failure has quickly evolved into a broader crisis. The Aave exploit is no longer just about how funds were stolen it’s about who ultimately absorbs the losses and what it means for DeFi’s risk model going forward.
Interoperability protocol LayerZero said the breach stemmed from a flawed configuration tied to Kelp DAO’s decentralized verifier network (DVN). According to the firm, the attacker exploited a single verification pathway to drain approximately 116,500 rsETH worth roughly $292 million at the time from Kelp’s bridge.
LayerZero pointed out that Kelp DAO relied on a 1/1 DVN setup, meaning only one verifier was responsible for confirming cross-chain messages. This created a critical single point of failure something LayerZero claims it had previously warned against.
“Best practices around DVN diversification were communicated,” the company said, emphasizing that Kelp DAO chose not to implement a multi-verifier model.
That decision is now central to the Aave exploit fallout, as the stolen assets were quickly moved into lending markets.
The attacker didn’t stop at draining the bridge. Instead, the stolen rsETH was deposited into Aave as collateral, where it was used to borrow real, liquid assets.
This is where the situation escalated into a full-blown Aave exploit scenario.
As the borrowed funds were withdrawn, Aave was left holding undercollateralized positions. The result: roughly $195 million in bad debt, a sharp drop in total value locked, and a wave of withdrawals from users reacting to rising risk.
Aave’s TVL fell by nearly $8.9 billion, landing around $17.5 billion as the market digested the impact of the Aave exploit.
Importantly, Aave confirmed that its core smart contracts were not breached. Instead, the protocol became a secondary victim—absorbing the consequences of compromised collateral originating elsewhere.
The Aave exploit has triggered deeper concerns about liquidity across the protocol.
With Ether serving as a primary collateral asset, reduced liquidity has created a fragile environment where liquidations may not function as intended during extreme market conditions. According to a strategist at Spark, a competing lending platform, the situation presents a serious risk.
“With current illiquidity conditions, a 15–20% drop in ETH price could lead to significant bad debt accumulation,” the analyst warned.
That warning underscores how the Aave exploit extends beyond a single incident. It exposes how interconnected DeFi systems can amplify risk when one component fails.
In response, Aave moved quickly to contain further damage. The protocol froze all rsETH markets across its V3 and V4 deployments, effectively isolating the compromised asset.
While this action prevented additional exposure, it also highlighted a difficult reality: even well-audited systems can become vulnerable when external dependencies fail.
The Aave exploit is a reminder that composability one of DeFi’s greatest strengths can also be its biggest weakness.
Who should cover the losses from the Aave exploit? Kelp DAO, which configured the vulnerable system? LayerZero, whose infrastructure was used? Or Aave, where the financial damage materialized?
So far, no clear recovery plan has emerged.
Yishi Wang, founder of OneKey, suggested negotiating with the attacker as a first step.
“The best path is to offer a 10% to 15% bounty and recover most of the funds,” he said, adding that if talks fail, LayerZero’s ecosystem fund may need to step in due to its financial capacity.
Others have floated less conventional solutions. The pseudonymous founder of DeFiLlama proposed options ranging from distributing losses across users to attempting a rollback to pre-hack balances—though he acknowledged the technical difficulty of such a move.
The debate reflects a broader issue: DeFi still lacks a standardized framework for handling large-scale failures like the Aave exploit.
LayerZero noted that early indicators suggest the involvement of threat actors linked to North Korea—a pattern consistent with previous high-profile crypto exploits.
While attribution remains preliminary, the possibility adds another layer of urgency to the Aave exploit response, particularly for regulators already scrutinizing cross-chain vulnerabilities.
Beyond immediate losses, the Aave exploit is forcing the industry to confront uncomfortable questions about risk management in decentralized systems.
At its core, the incident wasn’t caused by a failure of blockchain technology—but by configuration choices and coordination gaps between protocols.
LayerZero has since urged all applications using single-verifier setups to migrate to more secure, multi-DVN configurations. It also warned that it may stop supporting projects that fail to adopt safer designs.
That shift signals a tightening of standards one likely to ripple across the ecosystem in the aftermath of the Aave exploit.
Recovery efforts are still unclear, user confidence has been shaken, and the full financial impact of the Aave exploit may take time to materialize. What is clear, however, is that this event will shape how DeFi protocols approach security, interoperability, and shared risk.
Copyright © 2025 - The Bit Gazette.
