#What were the results of the recent rsETH exploit linked to Kelp DAO
The recent exploitation of rsETH, an asset associated with Kelp DAO, has raised significant concerns within the DeFi community. Aave, a decentralized finance protocol, has reported that the potential fallout from this incident could result in bad debt ranging between approximately $123.7 million and $230.1 million, contingent on how losses are ultimately addressed.
Importantly, Aave clarified that the exploit was not due to any flaws in its own smart contracts. Instead, vulnerabilities in the underlying rsETH asset were exploited. On April 18, the attacker manipulated Kelp’s LayerZero V2 Unichain to Ethereum route. They managed to release 116,500 rsETH from Kelp’s Ethereum side adapter without corresponding burns occurring on the source chain.
Following the discovery of unusual cross-chain activity, Kelp paused the rsETH contracts on the mainnet and several Layer 2 networks to conduct an investigation. This exploit is noted to be one of the largest attacks in the DeFi sector for this year, with the misappropriated rsETH being utilized as collateral on various lending platforms, including Aave.
Aave indicated that 89,567 rsETH from the attacker was later deposited in its protocol. This represented collateral backing approximately 82,650 WETH and 821 wstETH across Ethereum Core and Arbitrum. Notably, the addresses associated with the attacker exhibited health factors between 1.01 and 1.03, indicating minimal buffer if the rsETH collateral were to lose value.
In response to the incident, Aave took action on April 18 by freezing all rsETH and wrapped rsETH (wrsETH) reserves within its V3 deployments, setting the loan-to-value ratio to zero. The following days saw further adjustments to WETH interest rate models across multiple chains, and Aave froze WETH on various platforms including Core, Prime, Arbitrum, Base, Mantle, and Linea to prevent new loans and limit potential impacts on other reserves.
The governance team at Aave communicated that all pools continued to operate normally and reassured participants that the exploit was confined to rsETH rather than reflecting instability within the protocol itself.
#How would Aave manage the bad debt
Aave has outlined two possible strategies going forward to handle the resulting bad debt. In the first scenario, should the losses be shared across all rsETH holders, they predict a bad debt of around $123.7 million, with Ethereum Core absorbing the largest portion of about $91.8 million.
Alternatively, if losses are limited to Layer 2 rsETH, the estimated bad debt could escalate to $230.1 million. In this scenario, Mantle could face a 71.45% shortfall in WETH, while Arbitrum would encounter a 26.67% deficit if Ethereum Core remains unaffected.
The decisions made by Kelp DAO regarding the remaining backing will be pivotal in determining the forthcoming steps. Aave's report indicates that the only confirmed backing remaining for remote chain rsETH is 40,373 rsETH against a total of 152,577 rsETH claimed from remote chains.
Aave has recommended an immediate cessation of the WETH Umbrella module as a precaution if losses affect Ethereum Core. However, they noted that such intervention would be unnecessary if losses are contained within Layer 2 markets.
#What liquidity risks are associated with this incident
Aave’s report also pointed to liquidity challenges, revealing that WETH reserves across Ethereum, Arbitrum, Base, Linea, and Mantle were fully utilized at the report's date. This situation suggests that liquidators may need to accept aWETH, which could complicate liquidations and make the overall cleanup process more delicate if collateral values decline further.