Kelp’s $292M Exploit Hits rsETH Collateral in DeFi Lending

Kelp’s $292M exploit has reignited scrutiny of liquid restaking and DeFi lending collateral after the attacker allegedly used a LayerZero bridge to send a crafted message and mint unbacked rsETH. Reports say 116,500 rsETH (about 18% of circulating supply) were released to a pre-funded wallet, with no equivalent ETH movement on the other side. The attacker then deposited the unbacked rsETH on Aave as collateral to borrow real WETH and exit. While Aave wasn’t described as “hacked,” the protocol reportedly accumulated around $196M in bad debt due to rsETH being whitelisted as correlated ETH collateral. Market fallout followed quickly: Aave TVL fell ~25% in a day (to around ~$20B), broader DeFi TVL dropped about $13B, and AAVE reportedly fell ~30%. In the days after Kelp’s $292M exploit, multiple protocols moved to contain risk. Aave reportedly saw large withdrawals and froze rsETH markets for several hours. SparkLend and Fluid paused rsETH exposure, and Lido paused earnETH citing rsETH-related setup exposure. A later update emphasized how cascading exposure can be hard to trace. One account claimed over $6.2B exited Aave within 36 hours, arguing protocols struggle to map indirect “yield stacking” paths across bridges, restaking, and liquidation mechanics in real time. The same analysis also criticized the bridge design as relying on a 1-of-1 verifier, creating a potential single point of failure. For traders, the core takeaway from Kelp’s $292M exploit is that APY can hide cross-protocol, cross-bridge risk—raising the bar for collateral quality checks and liquidity/exit assumptions on LRT-linked positions.