Decentralized finance (DeFi) lending platform Aave published two scenarios under which a security exploit in a DeFi system could occur. Risk analysts are discussing two possible outcomes based on how the losses are allocated: Kelp DAO reimburses or resolves the issue in Scenario A, or Aave absorbs the loss in Scenario B.
How did they exploit the bridge?
The issue arose on Saturday, when hackers looted 116,500 Kelp DAO restaked ETH (rsETH) tokens worth $293 million. The theft happened through a bridge operated by LayerZero.
Hackers stole a large amount of tokenized Ethereum and used it as fake “security” to take out real crypto loans on Aave V3 built on Ethereum. Instead of cashing out, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed roughly $190 million in ETH and other assets across Ethereum and Arbitrum, according to reports.
Now, the big uncertainty is whether that debt gets repaid or becomes a loss for the wider Aave ecosystem, highlighting how tightly connected and fragile DeFi systems can be when something breaks.
Kelp DAO has since paused relevant contracts across Ethereum and its layer 2 networks and blacklisted wallets tied to the attacker to stop any additional attempted movement of roughly 40,000 rsETH.
The project said it is still assessing the full financial impact and working with Aave, LayerZero, and other stakeholders to determine how to move ahead.
Two scenarios for loss allocation and systemic impact
LlamaRisk has modeled two potential outcomes for how the resulting bad debt could be handled within Aave’s ecosystem.
In the first scenario, losses would be distributed across all rsETH holders on the Ethereum mainnet and layer 2 networks. In simple terms, to distribute the loss of $120 million,
Under this approach, Aave would face an estimated $123.7 million in bad debt, while rsETH could see a potential 15% depeg relative to ETH.
According to LlamaRisk, this approach would spread losses more thinly across chains, while wrapped Ethereum (wETH) would absorb the majority of exposure, “absorbing the bulk in absolute terms but barely noticing it relative to its reserve depth”, thanks to its deep liquidity pool.
Aave could also potentially use its umbrella security model to absorb part of the wETH losses. Around 18,922 Aave Wrapped ETH (aWETH), worth approximately $43.7 million, is currently in the ‘unstake cooldown phase’ as per reports.
The second scenario places the full burden of the shortfall on Ethereum layer 2 networks such as Arbitrum and Mantle. This could take Aave’s bad debt to $230.1 million. However, Aave reportedly holds around $181 million in treasury reserves that could be deployed to help offset some of this loss.
Users await decision
Kelp DAO has not yet confirmed how losses will ultimately be allocated as it continues to evaluate options to safely unpause the protocol. The decision is expected to play an important role in determining whether the impact remains isolated or spreads more broadly across DeFi lending markets.
“We will share further updates as we have them,” Aave wrote in a post on X.
The incident adds to growing concerns over bridge security in decentralized finance, where a single exploit can affect many users through lending protocols, liquidity markets, and collateral systems. Some users took sides by comparing which scenario seemed more oblivious.
Aave later posted an update stating that it had partially unfrozen wETH on the Ethereum Core V3 market, the largest version on Ethereum. This means users can supply wETH to Core V3 again.
However, the team is still working on cleaning up the mess from the hack. The case is another key example of how a bridge hack can impact the entire DeFi ecosystem. The Hyperbridge incident, reported earlier this month, is another clear example of a bridge compromise, very similar to the LayerZero exploit in the Kelp rsETH case.