News
20 Apr 2026, 01:40
Critical Kelp DAO Hack: $292M rsETH Exploit Forces Three Painful Recovery Options

BitcoinWorld Critical Kelp DAO Hack: $292M rsETH Exploit Forces Three Painful Recovery Options The decentralized finance sector faces another severe test following a devastating $292 million exploit targeting Kelp DAO’s rsETH token. This critical security breach, confirmed over the weekend, has left the protocol with three difficult recovery paths, each carrying significant implications for users and the broader DeFi ecosystem, particularly the lending giant Aave. Kelp DAO’s $292 Million Security Crisis Kelp DAO, a prominent liquid staking protocol operating across multiple Ethereum Layer 2 networks, suffered a catastrophic security breach resulting in the loss of 116,500 rsETH tokens. The exploit, which represents one of the largest DeFi incidents of 2025, originated from a vulnerability in an external bridge connecting Kelp DAO’s infrastructure. Consequently, the protocol’s treasury and user funds faced immediate jeopardy, triggering emergency responses across connected platforms. DeFiLlama founder 0xngmi provided crucial early analysis on social media platform X, outlining the three potential recovery measures available to Kelp DAO’s governance community. Each option presents distinct trade-offs between user impact, technical feasibility, and systemic risk. Meanwhile, the incident has exposed significant interdependencies within the DeFi landscape, particularly affecting Aave’s lending markets where rsETH serves as collateral. Three Difficult Recovery Pathways The Kelp DAO community must now evaluate three primary recovery options, each with profound implications for stakeholders. First, the protocol could distribute losses proportionally across all users, resulting in an approximate 18.5% reduction in asset value for every participant. This approach maintains fairness but imposes universal pain. Second, Kelp DAO might concentrate losses exclusively on rsETH holders by reducing the token’s value on Layer 2 networks to zero. This targeted approach would protect other protocol participants but would completely wipe out rsETH investors. Third, the community could attempt a complex rollback using a previous blockchain snapshot, compensating only for stolen funds. However, this measure faces substantial implementation challenges due to subsequent asset movements and transactions. Technical and Governance Complexities Each recovery option involves significant technical and governance hurdles. The proportional loss distribution requires careful calculation and transparent communication to maintain user trust. The concentrated loss approach demands precise execution to isolate rsETH without affecting other protocol functions. The snapshot rollback, while theoretically cleanest, risks creating chain reorganizations and disrupting other DeFi applications. Governance processes will play a crucial role in determining the chosen path. Kelp DAO’s decentralized autonomous organization structure means token holders must vote on the recovery plan, potentially creating delays during a time-sensitive crisis. The decision will set important precedents for how DeFi protocols handle major security incidents in the future. Aave’s Contagion Risk Exposure The Kelp DAO exploit has created immediate risks for Aave, one of DeFi’s largest lending protocols. Aave has currently frozen rsETH across its V3 and V4 protocol versions and has also suspended its WETH reserves as a precautionary measure. These actions aim to prevent further market instability while the situation develops. Aave founder Stani Kulechov clarified that the incident constituted a hack of an external bridge rather than Aave’s core protocol. Nevertheless, the team continues working to minimize additional damage. All three recovery scenarios under consideration could force Aave to sell AAVE tokens from its treasury or potentially incur bad debt, depending on how rsETH’s value stabilizes. Systemic Implications for DeFi The Kelp DAO incident highlights persistent vulnerabilities in cross-chain bridge infrastructure, which has become a frequent target for sophisticated attackers. Bridge security remains one of DeFi’s most challenging technical problems, with billions of dollars regularly moving between networks. This exploit follows a pattern of similar incidents affecting other protocols throughout 2024 and early 2025. Furthermore, the situation demonstrates how interconnected DeFi protocols create contagion risks. A single point of failure can cascade through multiple platforms, affecting users far removed from the initial incident. This interdependence complicates risk management and emergency response planning across the ecosystem. Historical Context and Industry Response Bridge exploits have plagued the cryptocurrency industry for several years, with notable incidents including the 2022 Wormhole hack ($325 million), the 2022 Nomad bridge exploit ($190 million), and the 2023 Multichain incident ($130 million). Each event has prompted security improvements but has not eliminated the fundamental risks of moving assets between blockchain networks. The industry response typically involves immediate protocol freezes, forensic analysis, governance discussions, and eventual recovery planning. Insurance mechanisms and decentralized treasury funds sometimes provide partial compensation, though coverage rarely matches total losses. The Kelp DAO situation follows this established pattern while testing new recovery approaches. Regulatory and Compliance Considerations Major DeFi exploits increasingly attract regulatory attention, particularly as traditional financial institutions explore blockchain integration. The Kelp DAO incident may prompt renewed calls for security standards, insurance requirements, and disclosure protocols within decentralized finance. However, the global nature of DeFi complicates regulatory coordination across jurisdictions. Compliance teams at institutional cryptocurrency firms are likely reviewing their exposure to rsETH and similar bridge-dependent assets. This scrutiny could accelerate the development of more robust risk assessment frameworks for DeFi investments, potentially affecting capital flows into the sector. Conclusion The Kelp DAO rsETH hack represents a critical moment for decentralized finance, testing both technical resilience and governance maturity. The protocol’s three recovery options each carry significant consequences for users, connected platforms like Aave, and the broader DeFi ecosystem. This incident underscores persistent bridge security vulnerabilities while highlighting the complex interdependencies that characterize modern decentralized finance. The chosen recovery path will establish important precedents for how future exploits might be addressed, making this a watershed moment for protocol accountability and user protection in the cryptocurrency space. FAQs Q1: What exactly happened in the Kelp DAO hack? The exploit involved a security vulnerability in an external bridge connecting Kelp DAO’s infrastructure, resulting in the theft of 116,500 rsETH tokens worth approximately $292 million at the time of the incident. Q2: How does this affect Aave users? Aave has frozen rsETH across its protocols as a precaution. Depending on the recovery option chosen, Aave might need to sell treasury assets or potentially incur bad debt, which could affect protocol stability and token value. Q3: What are the three recovery options for Kelp DAO? The options include: distributing losses proportionally across all users (18.5% reduction), concentrating losses on rsETH holders (zeroing L2 value), or attempting a complex snapshot rollback to recover stolen funds. Q4: How long will recovery take? Recovery timelines depend on governance processes and technical implementation. Similar incidents have taken weeks to months for full resolution, though emergency measures typically happen within days. Q5: Are other DeFi protocols at risk from this exploit? While the direct vulnerability was specific to Kelp DAO’s bridge, the incident highlights systemic risks in cross-chain infrastructure that affect many protocols using similar technology stacks. This post Critical Kelp DAO Hack: $292M rsETH Exploit Forces Three Painful Recovery Options first appeared on BitcoinWorld .
20 Apr 2026, 00:55
Aave Exploit Fallout: Staggering $10.1B Withdrawal After rsETH Attack Rocks DeFi

BitcoinWorld Aave Exploit Fallout: Staggering $10.1B Withdrawal After rsETH Attack Rocks DeFi In a seismic event for decentralized finance, the Aave protocol witnessed a catastrophic $10.1 billion outflow of user assets this week, a direct consequence of a sophisticated exploit targeting the rsETH token over the preceding weekend. This massive withdrawal, first reported by blockchain analytics firm EmberCN, has precipitated a dramatic recalibration of the protocol’s economics, sending stablecoin yields soaring and slashing its total value locked (TVL) by over $10 billion. The incident, originating from a vulnerability in the cross-chain infrastructure of Ethereum restaking protocol Kelp DAO, underscores the persistent systemic risks within the interconnected DeFi ecosystem. Aave Exploit Triggers Unprecedented Capital Flight The scale of the capital flight from Aave is unprecedented for a major blue-chip DeFi protocol. Consequently, users rapidly moved to withdraw assets, seeking safety after the weekend’s security breach. The outflow comprised a significant $4.5 billion in various stablecoins, indicating a broad-based loss of confidence rather than a flight from a single asset class. This rapid movement of funds has had an immediate and profound impact on the protocol’s internal mechanics. Specifically, the annual percentage yield (APY) for stablecoin suppliers on Aave has surged to approximately 13.4%, a direct result of the sudden scarcity of lendable assets. Meanwhile, Aave’s total value locked has plummeted from a robust $45.8 billion to $35.7 billion, representing a decline of over 22% in a matter of days. The rsETH Attack: A Cross-Chain Vulnerability The catalyst for this crisis was an exploit targeting rsETH, a liquid restaking token issued by Kelp DAO. Kelp DAO announced it had proactively suspended all rsETH contracts on the Ethereum mainnet and several Layer 2 networks after detecting suspicious cross-chain activity. Preliminary investigations suggest the attacker exploited a flaw in the token’s cross-chain messaging system, potentially minting unauthorized rsETH on one chain and bridging it to another to use as collateral on Aave. Subsequently, the attacker borrowed other high-value assets against this fraudulent collateral before the exploit was discovered. Blockchain security firms estimate the total losses from this exploit exceed $292 million, making it one of the largest DeFi hacks of the year. DeFi Security and Systemic Risk Analysis This event highlights the critical and often underestimated risks associated with complex, cross-chain DeFi composability. While individual protocols like Aave undergo rigorous audits, their security becomes interdependent when they integrate tokens from other ecosystems, like rsETH. The incident serves as a stark reminder that the security of a DeFi protocol is only as strong as the weakest link in its integrated financial stack. Furthermore, the rapid contagion effect—where a problem in a restaking protocol triggered a bank run on a leading money market—demonstrates the high degree of correlation and fragility within the sector. The table below summarizes the immediate financial impact on the Aave protocol. Metric Pre-Exploit Post-Exploit Change Total Value Locked (TVL) $45.8 Billion $35.7 Billion -22.1% Stablecoin APY ~3-5% (Variable) ~13.4% +~268% Major Outflow N/A $10.1 Billion N/A Stablecoin Outflow N/A $4.5 Billion N/A Key risk factors exposed by this event include: Cross-chain Bridge Risk: The exploit likely originated in the token’s cross-chain messaging layer, a frequent target for attackers. Collateral Integrity: Protocols must constantly verify the legitimacy of collateral assets, especially newer, complex derivatives like liquid restaking tokens. Liquidity Fragility: Deep liquidity can evaporate quickly during a crisis, leading to volatile rate swings and potential insolvency risks. Market Impact and Broader DeFi Implications The repercussions of the Aave outflow and rsETH exploit extend far beyond the two protocols directly involved. The event has injected a renewed sense of caution across the entire DeFi landscape. Investors and analysts are now scrutinizing other protocols with significant exposure to restaking derivatives or complex cross-chain assets. This scrutiny could lead to: Increased risk premiums and borrowing costs across similar money markets. A potential slowdown in the integration of novel, high-yield but complex assets like LSTs and LRTs. Stronger calls for standardized security frameworks and real-time risk monitoring for cross-chain activities. Historically, major exploits have served as catalysts for industry-wide improvements in security practices and insurance mechanisms. However, they also test user confidence, potentially slowing adoption as retail participants reassess the trade-off between yield and risk. The speed of Aave’s recovery will be a critical indicator of DeFi’s overall resilience and maturity. The Road to Recovery for Aave and Kelp DAO For Aave, the immediate path involves stabilizing the protocol, ensuring all bad debt is accounted for, and reassuring its user base. The surge in APY may eventually attract fresh capital seeking high yields, but restoring trust is paramount. For Kelp DAO, the tasks are more technical and severe: conducting a full post-mortem, identifying the exact vulnerability, securing funds to cover user losses where possible, and devising a secure path to resume operations. Their response will be closely watched as a case study in crisis management for decentralized autonomous organizations (DAOs). Conclusion The Aave exploit fallout, triggered by the rsETH hack , represents a significant stress test for decentralized finance. The staggering $10.1 billion outflow underscores how quickly confidence can erode when security fails at a key intersection point in the DeFi stack. While the sector has weathered similar storms, this event powerfully reiterates that innovation must be matched by robust, holistic security measures, especially for cross-chain financial instruments. The coming weeks will reveal whether this incident leads to a short-term setback or a fundamental reevaluation of risk management practices across the industry. FAQs Q1: What exactly was exploited in the Aave/rsETH incident? The primary vulnerability was in the cross-chain communication system of the rsETH token, issued by Kelp DAO. An attacker likely minted fraudulent rsETH on one blockchain and bridged it to another to use as collateral on Aave, allowing them to borrow legitimate assets. Q2: Did the Aave protocol itself get hacked? Current evidence suggests Aave’s core smart contracts were not directly breached. The exploit entered the system through a compromised collateral asset (rsETH) that Aave accepted, highlighting a “collateral risk” rather than a direct protocol hack. Q3: Why did stablecoin APY on Aave spike so high after the outflow? APY is algorithmically determined by supply and demand. The massive withdrawal of stablecoins ($4.5B) drastically reduced the supply available for lending. With borrowing demand remaining, the protocol’s algorithms automatically increased the yield to incentivize new suppliers to deposit stablecoins. Q4: What is rsETH, and what is liquid restaking? rsETH is a liquid restaking token (LRT). Liquid restaking allows users to deposit ETH into a protocol like Kelp DAO, which then restakes it on networks like EigenLayer to earn additional rewards. In return, users receive a token (rsETH) representing their stake, which they can use elsewhere in DeFi for extra yield—this is where the risk emerged. Q5: Are user funds still at risk on Aave following the exploit? The immediate exploit has been contained, and Kelp DAO suspended rsETH contracts. However, the overall health of the protocol depends on managing any bad debt created. Users should monitor official communications from both Aave and Kelp DAO for updates on recovery plans and any potential impacts on other assets. This post Aave Exploit Fallout: Staggering $10.1B Withdrawal After rsETH Attack Rocks DeFi first appeared on BitcoinWorld .
19 Apr 2026, 23:12
DeFi rocked as $292 million Kelp hack hits Aave and ETH

🚨 A $292 million exploit in Kelp sent shockwaves through DeFi's top lending pools. Fraudulently minted tokens in $ETH systems drained real assets from Aave. Continue Reading: DeFi rocked as $292 million Kelp hack hits Aave and ETH The post DeFi rocked as $292 million Kelp hack hits Aave and ETH appeared first on COINTURK NEWS .
19 Apr 2026, 22:27
The $292 million Kelp exploit: how it happened, and what it means for DeFi

2026 is shaping up to be DeFi's "worst year in terms of hacks," Ledger's CTO said, as the Kelp exploit shows how a single point of failure can cascade across systems.
19 Apr 2026, 20:31
KelpDAO’s $300 million exploit appears to be concentrated on Layer 2 routes

KelpDAO’s $300 million exploit now looks more like a Layer 2 failure than a direct break on the Ethereum mainnet, as fears of DeFi contagion from interactions across chains rise in the community. Sources who have been granted anonymity reached out to Cryptopolitan and said they had “confidence that Core L1 ETH is not impacted” and that the issue “sits on L2s.” The attack began after a wallet funded through Tornado Cash’s 1 ETH pool waited about ten hours, then called lzReceive on LayerZero’s EndpointV2 contract. That triggered KelpDAO’s bridge logic and released 116,500 rsETH to an attacker’s wallet. The tokens were worth about $292 million and made up roughly 18% of rsETH’s circulating supply of around 630,000. Two more packets then targeted 40,000 rsETH each, or roughly another $100 million combined, but both reverted after KelpDAO’s emergency multisig executed pauseAll. Source: ZachXBT/X If both extra attempts had worked, the total loss would have reached about $391 million, according to the sources. Attackers dump rsETH into Aave and rattle ZRO The stolen rsETH was deposited into Aave V3 as collateral, then used to borrow large amounts of ETH and WETH, with funds routed back through Tornado Cash. That raised the risk of bad debt at Aave, with estimates putting the exposure at up to $177 million. Aave then froze all rsETH markets on both V3 and V4 and said the flaw was in rsETH, not in its own contracts. SparkLend shut its rsETH market. Fluid froze activity. Upshift paused both High Growth ETH and Kelp Gain vaults. Exposure also ran through products tied to Pendle, Compound, Euler, Beefy, and Yearn. The private briefings reviewed by Cryptopolitan point in a narrower direction than the market panic first suggested. Our sources said L1 rsETH remains fully backed and that the relevant Aave market is “completely solvent.” One message said weETH is not affected, liquid vault management is operating as normal, and LiquidETH and LiquidUSD users will not face drawdowns because excess borrow costs from the Aave spike will be covered. “Out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped. WETH reserves also remain frozen across affected markets including Ethereum, Arbitrum, Base, Mantle, and Linea. Aave is actively validating information and assessing potential resolutions.” – Aave Early investigations said the problem was enabled by a 1-of-1 DVN setup on the Kelp rsETH Unichain to Ethereum route, which allowed unbacked tokens to be released on Ethereum without a legitimate source-side burn. Another source told us that another platform’s own LayerZero OFT bridges use a minimum 2/2 DVN setup, scale to 3 on busier routes, and include inbound and outbound rate limits. That platform still paused all LZ OFT bridges as a precaution, but also froze its Teller contract, the module handling deposits, withdrawals, and share minting. Protocols halt withdrawals and wait for liquidity According to the sources, “borrow rates on Aave have spiked and Ethereum exit queue has filled which makes delevering harder/more expensive.” Another said Kelp had not yet decided how losses would be covered or socialized and that the best case would be for losses to land only on the L2s where the exploit happened. Deposits were frozen because delayed oracle reports could create unfair share minting. Withdrawals were described as “technically not paused,” but they could not be processed without more clarity from Kelp and Aave. Mellow is now looking for windows to exit, but has not been able to do so because premiums to swap from stETH to ETH were too high and the Ethereum exit queue was clogged. Teams held back oracle updates because they did not know how to price rsETH after the losses. One source said, “We just don’t know how to price rsETH.” Another said, “0 news so far,” when asked about progress from Kelp or Aave. In one worst case, losses were estimated at around 9,000 ETH. Another estimate put a possible 6.2% hit on top-level depositors if losses reached L1 and broader backstops were not used. Separate messages said incoming protocol liquidity may arrive by Tuesday or Wednesday to help process larger withdrawals. EtherFi has told its users on X that: “EtherFi Liquid vaults are unaffected by the recent Kelp rsETH incident. Liquid vault users will not experience any drawdowns.” Meanwhile, as all this is happening, we also received knowledge that Vercel has been breached and that the attacker has listed their customers’ data, source code, databases, and keys up for sale. Source: Vercel Vercel has already announced publicly on Telegram that they “identified a security incident involving unauthorized access to their internal systems.” If you want a calmer entry point into DeFi crypto without the usual hype, start with this free video.
19 Apr 2026, 20:20
How 2026 is the year of AI agent crisis?

Nearly every major company in America has rushed to put artificial intelligence agents to work over the past year, but the technology is delivering far less than promised while creating serious new problems inside organizations, according to new research and industry experts. Almost all business leaders, 97 percent, say their companies put AI agents into operation during the past 12 months, with 52 percent of employees already using them. But fewer than three in ten are seeing any real financial benefit from the expensive technology. The gap between what companies spent and what they got back has left 54 percent of top executives saying the whole effort is tearing their organizations apart. “The biggest problem that we’re working with in AI right now” comes from companies thinking every task needs to run through costly AI systems, said Kevin McGrath, who runs AI startup Meibel. He told a Silicon Valley conference this week that businesses “just give all of your tokens and all of your money to an AI Claw bot that will just waste millions and millions of tokens.” The warnings came during two separate technology gatherings in California this week, where engineers and company leaders laid out the real problems behind the AI agent hype. A survey of 1,200 top executives and 1,200 employees conducted by WRITER found that 79 percent of companies face challenges adopting AI, a double-digit jump from 2025. This is happening even though 59 percent spend more than one million dollars each year on AI technology. Two-Thirds of companies report security breaches The security picture looks alarming. Two-thirds of executives believe their companies have already experienced data leaks or security breaches because workers used unapproved AI tools. More than one-third, 36 percent, have no formal plan for watching over their AI agents. Another 35 percent admitted they could not immediately shut down an AI agent if it went rogue. Thirty-five percent of employees have entered company secrets into public AI tools. Deep Shah, a software engineer at Google, explained that “there are multiple challenges you will find when you try to deploy that system at scale.” He pointed to costs as the first major obstacle. Running AI agents requires constant spending, and poorly designed systems end up burning cash instead of saving it. The problem goes beyond technical issues. Three-quarters of executives confessed their company’s AI strategy exists “more for show” than as actual guidance for employees. Nearly half, 48 percent, called their AI adoption efforts a “massive disappointment.” Another 39 percent lack any formal plan to drive revenue from AI tools. The pressure has gotten so intense that 73 percent of chief executives report stress or anxiety about their company’s AI strategy, with 64 percent fearing they could lose their jobs if they fail to lead the transition. Only 29 percent see real returns despite heavy use Meanwhile, a separate analysis by Lyzr AI based on 200,000 user interactions, 3,000 demo requests, and 2,000 conversations with business and tech leaders found that 62 percent of companies exploring AI agents lack a clear starting point. Another 41 percent treat them as side projects. Thirty-two percent stall after pilot programs and never reach full operation. Chris Han, who helps run ThinkingAI in China, said popular tools like OpenClaw cannot meet corporate needs. Business users need to figure out memory management, agent teams, and communications, tasks that the current tools handle poorly. Only 29 percent of organizations report significant returns from generative AI, and just 23 percent from AI agents, even though 70 percent of employees and 94 percent of top leaders use AI tools for at least 30 minutes every day. Sixty-four percent of executives spend two hours or more with the technology daily. If you're reading this, you’re already ahead. Stay there with our newsletter .









































