The $293 million hack of KelpDAO’s rsETH has triggered a complex DeFi crisis, with Aave and its users facing significant potential losses. An analysis by DeFiLlama co-founder 0xngmi outlines three difficult recovery scenarios, while security investigators attribute the breach to a single-point failure in KelpDAO’s bridge security configuration.
The $293 million KelpDAO hack has created a major crisis for Aave and rsETH holders. DeFiLlama co-founder 0xngmi laid out three potential resolution paths, none of which are straightforward.
The first option socializes losses across all KelpDAO users, resulting in an 18.5% haircut. This would leave Aave with approximately $76 million in uncovered bad debt after using its safety funds.
A second “uglier” path would involve abandoning rsETH holders on specific layer 2 chains.
Security researchers traced the attack’s mechanics in detail. Cyvers founder Meir Dolev reconstructed the on-chain timeline, showing the attacker drained 116,500 rsETH in one transaction.
The root cause was a critical security flaw in KelpDAO’s bridge. Dolev stated the bridge required only one DVN attestation to release funds. LayerZero also attributed the attack to this configuration, noting it had previously recommended multi-DVN setups.
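The single-attestation weakness described above can be caught with a configuration review. The following is an added example, not code from KelpDAO, LayerZero or the researchers quoted: it audits a DVN setup and flags any configuration that a single verifier can satisfy. The field names are assumed to follow the shape of LayerZero V2's UlnConfig, the addresses are constructed placeholders, and the two-DVN policy minimum is an assumption.

```python
"""Audit a bridge's DVN verification settings for single-point failures."""

# Constructed sample configs. Field names follow the shape of LayerZero V2's
# UlnConfig (assumption); addresses are placeholders, not real DVNs.
WEAK = {
    "requiredDVNs": ["0xDVN_A"],
    "optionalDVNs": [],
    "optionalDVNThreshold": 0,
}
HARDENED = {
    "requiredDVNs": ["0xDVN_A", "0xDVN_B"],
    "optionalDVNs": ["0xDVN_C", "0xDVN_D", "0xDVN_E"],
    "optionalDVNThreshold": 2,
}


def min_attestations(cfg):
    """Distinct DVN attestations needed before a message is accepted."""
    required = {a.lower() for a in cfg["requiredDVNs"]}
    optional = {a.lower() for a in cfg["optionalDVNs"]} - required
    threshold = min(cfg["optionalDVNThreshold"], len(optional))
    return len(required) + threshold


def audit(cfg, min_dvns=2):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    required = [a.lower() for a in cfg["requiredDVNs"]]
    optional = [a.lower() for a in cfg["optionalDVNs"]]
    if len(set(required + optional)) != len(required + optional):
        findings.append("duplicate DVN address: repeats add no independence")
    if cfg["optionalDVNThreshold"] > len(set(optional)):
        findings.append("optional threshold exceeds optional DVN count")
    if optional and cfg["optionalDVNThreshold"] == 0:
        findings.append("optional DVNs listed but threshold is 0")
    needed = min_attestations(cfg)
    if needed < min_dvns:
        findings.append(
            f"only {needed} attestation(s) required; policy minimum is {min_dvns}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, min_attestations(cfg), audit(cfg) or "ok")
```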
Security researcher Andy was blunt in his assessment. He called the decision to run a single DVN with $1.5 billion in user funds “extremely irresponsible.” Meanwhile, negotiations for a hacker bounty and protocol-level decisions continue to unfold.
