Aave faces up to $230M loss risk after rsETH bridge exploit
Aave is exposed to potential bad-debt losses of up to $230M after an rsETH bridge exploit involving KelpDAO and LayerZero messaging. A report by Aave Labs and LlamaRisk says the attacker forged LayerZero-verified cross-chain transfer messages, minting rsETH on the destination chain without removing the real collateral on the source chain.
The attacker then deposited 89,567 rsETH as collateral on Aave and borrowed about $190M in assets across Ethereum and Arbitrum. Within hours, Aave froze rsETH markets, set the rsETH collateral factor to zero, and halted new borrowing.
Loss impact depends on how KelpDAO socializes the shortfall: analysts estimate either ~15% rsETH depegging and ~$124M bad debt if losses spread across all rsETH holders, or up to ~$230M if concentrated on Layer 2 deployments such as Arbitrum and Mantle. Traders saw rapid stress signals, including a sharp TVL drop (reported around $6B) as liquidity withdrew.
For traders, the key takeaway is that Aave’s credit risk can be repriced quickly when external bridge or message-layer assumptions fail, even if Aave’s own smart contracts perform as designed.
Bearish
This event increases perceived credit risk for Aave because the attacker’s forged cross-chain messaging enabled unbacked collateral, forcing Aave to freeze rsETH and halt borrowing. The potential bad-debt range ($124M–$230M) and the reported TVL outflows (around $6B) signal near-term liquidity stress and can pressure sentiment toward DeFi lending exposures. Even if contracts worked as designed, the market will reprice bridge/message-layer contagion risk, which is typically negative for Aave token demand and related DeFi collateral liquidity in the short term.