$290M Kelp DAO Hack Jolts Ethereum and Arbitrum, AAVE Slides 18%

A major exploit tied to Kelp DAO has rattled activity on Ethereum and Arbitrum, with more than $290 million drained and DeFi lenders moving quickly to limit contagion. The attack focused on the rsETH cross-chain bridge, a key piece of infrastructure used to move liquidity across networks and support collateralized lending. The breach amplified concerns about spillover risk across interconnected protocols that rely on shared assets. Market stress showed up immediately in prices. Aave's AAVE token fell nearly 18% during the turmoil as traders reduced exposure to assets linked to the incident. On-chain investigators said the weakness was not in LayerZero's infrastructure, despite early speculation due to its role in cross-chain messaging. Researchers instead pointed to a peer-trust flaw tied to compromised source-chain keys, which allowed unauthorized access. The attacker reportedly took control of a legitimate Kelp DAO peer contract, enabling direct interaction with bridge operations and moving funds without early detection. Blockchain records also indicate the initial transactions were funded via Tornado Cash. After obtaining the assets, the exploiter avoided immediate liquidation and used a leveraged play to maintain control. The attacker deposited rsETH into lending platforms, borrowed Wrapped Ethereum against it, and expanded exposure—pulling liquidity while leaving protocols managing collateral whose value and status were uncertain. Analysts estimate the attacker now controls more than 106,000 ETH, worth close to $250 million. PeckShieldAlert said the exploiter is the #8 largest variableDebtEthWETH holder on Aave (Ethereum) with 52,443.94 units ($123M) and the #4 largest variableDebtarbWETH holder on Arbitrum with 12,381.93 units ($22M), for total holdings of 106,466.7 ETH (~$250M). The positioning increased strain across multiple venues as borrowed funds spread exposure beyond a single protocol. Aave responded by freezing all rsETH markets across its V3 and V4 deployments, disabling borrowing to curb further damage and stabilize conditions. Aave founder Stani Kulechov said core smart contracts remained secure, while the incident underscored the risks of external integrations and cross-chain dependencies. The episode highlights how quickly vulnerabilities in shared DeFi infrastructure can propagate, even when containment actions are implemented rapidly.