KelpDAO Exploit Leaves Aave Exposed to rsETH Bad Debt

The KelpDAO exploit spilled into Aave after the attacker used rsETH as collateral to borrow ETH, turning a bridge incident into lending-market bad-debt exposure tied to collateral quality, liquidity depth, and governance-approved leverage paths rather than a direct exploit of Aave itself.

KelpDAO said on April 18, 2026 that it had identified suspicious cross-chain activity involving rsETH and paused rsETH contracts across Ethereum mainnet and several L2s while it investigated. Aave later said its own contracts were not exploited and that rsETH markets were frozen to stop new deposits and new borrowing against the asset.

How the KelpDAO Exploit Moved From Bridge Risk Into Aave

Etherscan transaction 0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222 shows the exploit-linked transfer moving from KernelDAO: Bridge through LayerZero EndpointV2 into an attacker-linked address, which is the on-chain handoff connecting the bridge incident to downstream lending activity.

The transaction record shows 116,500 rsETH leaving KernelDAO: Bridge for the attacker-linked wallet at 17:35:35 UTC on April 18, 2026. That transfer matters because it supplied the collateral base later used to pull ETH liquidity out of Aave.

The route into borrowed ETH was not accidental. Aave's November 2025 governance proposal explicitly enabled rsETH collateral to borrow WETH inside the rsETH LST E-Mode, with a 93% max LTV, a 95% liquidation threshold, and a 1.0% liquidation bonus.

Aave's March 2026 V4 activation proposal extended the same design into a dedicated Kelp Spoke, again pairing rsETH as collateral with wETH debt. In plain language, the exploit could be turned into ETH borrowing because Aave had already governance-approved that collateral path before the incident.

Why Borrowed ETH Can Turn Into Aave Bad Debt

In DeFi lending, bad debt appears when the borrowed asset cannot be fully recovered after collateral loses enough value or becomes too illiquid to sell. Aave's April 9, 2026 liquidity-at-risk post had already mapped that vulnerability for rsETH.

That Aave risk post showed $332M of collateral at risk against only $5M of DEX available liquidity under an LST depeg scenario, with a modeled $326M shortfall even after a 1% liquidation bonus. Those figures explain why borrowing ETH against rsETH was structurally dangerous once the collateral came under exploit pressure.

Aave's incident statement said rsETH markets on V3 and V4 were frozen and emphasized that Aave contracts were not exploited. That distinction matters for lenders because the threat is insolvency from impaired collateral recovery, not a bug that drained the lending pool directly.

The governance trail makes the spillover hard to dismiss as a black-swan edge case. The November 2025 E-Mode change, the March 2026 Kelp Spoke activation, and the April 9 risk warning all show that rsETH-to-wETH leverage was both intentional and previously flagged.

What DeFi Users Are Watching After the Freeze

For rsETH holders, KelpDAO's cross-chain pause puts bridge integrity, redemption assumptions, and secondary-market depth at the center of the story. For Aave users, the relevant question is how much borrowed ETH can ultimately be recovered once frozen markets reopen and liquidation paths are tested against real liquidity.

The same liquidity mismatch that Aave flagged, $332M of collateral at risk versus $5M of available DEX depth, is why this incident now reads as a protocol-design problem as much as a bridge exploit. That is also why DeFi readers following Coinbase Ventures Shifts Capital to Tokenization, DeFi, and AI are likely to treat collateral quality and governance settings as part of the same institutional-adoption conversation.

There is also a market-structure lesson for newer entrants coming from products like Charles Schwab's retail crypto spot trading rollout: spot access and DeFi lending are different risk surfaces. Here, the important evidence is that Aave's own freeze notice addressed collateral contagion, while Kelp's incident update addressed the origin of the bridge event.

Near term, users are watching three concrete checkpoints: Kelp's technical root-cause findings, Aave governance around the frozen rsETH markets, and whether spot liquidity improves enough to narrow the gap between $332M of at-risk collateral and $5M of DEX liquidity. Until those inputs change, the clearest takeaway from the available data is that cross-protocol leverage can turn a bridge exploit into lending-market bad debt even when the lending protocol itself was not hacked.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.