Aave Risk Manager Models Two Scenarios for $293M Kelp DAO Exploit Impact

Decentralized lending platform Aave's risk management provider has outlined two scenarios on how bad debt from the Kelp DAO exploit over the weekend could impact the ecosystem, depending on how the losses are allocated.

The incident began on Saturday when hackers stole 116,500 Kelp DAO Restaked ETH (rsETH) tokens worth $293 million from Kelp DAO's LayerZero-powered bridge and used them as collateral on Aave V3 to borrow wrapped Ether (wETH).

On Monday, LlamaRisk modeled two possible scenarios for how this "bad debt" could materialize on Aave, noting that the final decision rests with Kelp DAO. The incident highlights the contagion risk in DeFi, where a single bridge exploit can trigger liquidity crunches and mass withdrawals across interconnected protocols like Aave, which has seen nearly $10 billion in value leave the protocol since the Kelp DAO exploit took place.

The first scenario would see losses spread across all rsETH token holders on Ethereum mainnet and Ethereum layer 2s, resulting in roughly $123.7 million of bad debt on Aave while risking a 15% depeg in rsETH relative to Ether (ETH). LlamaRisk said this first scenario would spread losses more thinly across all chains, while noting that wrapped Ether (wETH) would be "absorbing the bulk in absolute terms but barely noticing it relative to its reserve depth."

Aave could also use its Umbrella security model to cover losses in wETH under the first scenario, noting that 18,922 Aave Wrapped ETH (aWETH) tokens worth nearly $43.7 million have entered the unstaking cooldown phase.

The second scenario would shift the entire shortfall to Ethereum layer 2 networks, such as Arbitrum and Mantle. However, the bad debt would be significantly higher at $230.1 million. LlamaRisk also noted that Aave has around $181 million in its treasury that could be used to address a potential bad debt shortfall.

On Monday, Kelp DAO said it is still assessing the financial impact of the exploit and how to safely unpause the protocol, adding that it is working with Aave, LayerZero and other stakeholders on a path forward.

Kelp DAO also shared more details about the incident, saying that two nodes tied to the LayerZero bridge were compromised, while a third was hit with a distributed denial-of-service attack. The attacker forged a seemingly valid transfer message that the system approved, allowing 116,500 rsETH to be minted on one of LayerZero's bridges.

Kelp said it paused all relevant contracts on Ethereum and Ethereum layer 2s and blacklisted all wallets tied to the exploiter shortly after, preventing them from stealing another 40,000 rsETH worth $95 million.