The Butterfly Effect Comes to DeFi

Greg Cipolaro

April 24, 2026

IN TODAY'S ISSUE:

  • North Korean hackers forged a transfer instruction to drain $292 million in tokens from Kelp DAO’s cross-chain bridge, deposited those tokens as collateral on Aave, and borrowed $190 million in WETH against them.
  • Many depositors cannot withdraw, and borrowers cannot be forced to repay. Aave has no loan recall mechanism, leaving lenders trapped while borrowers retain complete discretion over their positions.
  • Institutions borrowing USDC or USDT on Aave with no exposure to the hacked asset have seen their borrowing rates quadruple, because a crisis of confidence triggered a bank run that spread across the platform.
  • Aave’s dedicated bad debt reserve is insufficient to cover the estimated bad debt of $123 to $230 million; 80% of those funds are already trying to exit, and any additional coverage requires governance votes with no defined timeline and no precedent of success.
  • Investors are at the mercy of a governance system that is nominally decentralized but effectively controlled by a small number of token holders with no fiduciary obligation and misaligned, if not oppositional, incentives to depositors.
  • An industry-wide rescue effort called DeFi United has launched with pledges from Aave's founder, EtherFi, Lido, Mantle, and others, but confirmed hard commitments remain well short of the hole, and the outcome is unresolved.
  • DeFi’s advantages are real, but technical, economic, and governance risks that ripple across the ecosystem are difficult, if not impossible, to identify in advance. Every incremental layer in DeFi can add a failure surface.

Overview

On April 18, 2026, North Korean hackers exploited a security flaw in Kelp DAO, a liquid restaking protocol, draining $292 million in tokens from its LayerZero cross-chain bridge and using them as collateral to borrow approximately $190 million in WETH from Aave, the largest DeFi lending platform.

The stolen funds triggered a wave of withdrawals that froze lending pools across Aave. Borrowing rates on USDC and USDT spiked from roughly 3.5% to 14% within 48 hours and remain there. Depositors cannot withdraw. Borrowers are paying crisis-level rates on positions they opened in normal conditions.

An institution with a well-collateralized stablecoin position, borrowing against bitcoin or Ethereum with no exposure to the exploited asset, has seen its borrowing cost quadruple with no notice, no recourse, and no timeline for normalization. This happened because a crisis of confidence prompted depositors across Aave to exit regardless of their specific pool's exposure, driving utilization to 100% and spiking rates for every borrower still in those markets.

Beyond the immediate rate disruption, the governance structure has been upended at Aave. Three independent organizations responsible for risk management, technical oversight, and governance coordination all departed in the weeks before the exploit, the last of them just twelve days prior. Bad debt estimated between $123 million and $230 million exceeds what the protocol's insurance mechanisms can cover. Resolution requires governance votes among token holders with conflicting financial interests and has no defined timeline.

Five days after the exploit, Aave launched DeFi United, a coordinated industry rescue effort aimed at recapitalizing the 112,204 rsETH hole through voluntary contributions from ecosystem participants. As of April 24, confirmed hard commitments total roughly 44,000 ETH, with Mantle's proposed 30,000 ETH loan pending approval. The gap remains open.

DeFi's advantages, including efficiency, lower cost, and transparency, are real. However, every layer in a DeFi strategy adds a failure surface, and no participant in the stack, including Aave, had visibility into the risks embedded in the layers above or below them. This incident is the most concrete demonstration yet that those risks are not theoretical.

What Happened

Kelp DAO is a liquid restaking protocol. Users deposit liquid staking tokens such as stETH into Kelp, which routes them through EigenLayer and issues a receipt token called rsETH in return. That token can be used as collateral to borrow other assets on platforms like Aave.

Kelp moves rsETH between blockchains using bridge infrastructure provided by LayerZero. The attackers, attributed to North Korea’s Lazarus Group, identified a vulnerability in how Kelp’s bridge verified transfers. Kelp had configured its bridge with a single verifier as the sole checkpoint on cross-chain transfers. The attackers compromised that verifier’s data sources, fed it false information confirming a transfer that never occurred, and the bridge released 116,500 rsETH to attacker-controlled addresses. Of those, 89,567 rsETH were deposited on Aave (53,400 on Ethereum Core and 36,167 on Arbitrum) and used to borrow approximately 82,650 WETH ($190 million). The WETH left the protocol.

The attack required no flaw in Aave’s code, no flaw in LayerZero’s core protocol, and no flaw in Kelp’s smart contracts. It exploited a single configuration decision (Kelp’s choice to use one verifier instead of several) that Aave’s risk framework never assessed when it accepted rsETH as collateral, and that a state actor had the resources and patience to find and exploit.

Chronology of Events

  • April 18, 07:35 UTC: Attacker pre-funds six wallets via Tornado Cash, ten hours before the drain.
  • April 18, 17:35 UTC: Bridge releases 116,500 rsETH to attacker-controlled addresses. Bridge adapter balance drops from 116,723 to 223 rsETH.
  • April 18, 17:35–18:21 UTC: Attacker deposits 89,567 rsETH on Aave (Ethereum Core and Arbitrum), borrows approximately $190 million in WETH.
  • April 18, 18:21 UTC: Kelp emergency multisig pauses rsETH contracts.
  • April 18, 18:26 and 18:28 UTC: Attacker submits two follow-up forged packets. Both revert after Kelp freezes the recipient address.
  • April 18, post-18:21 UTC: Kelp executes FrozenFundsRecover, recovering 40,373 rsETH into a controlled address.
  • April 18, 18:52 UTC: Aave Guardian begins freezing rsETH across all V3 deployments.
  • April 20, ~02:00 UTC: Aave Guardian freezes WETH on Core, Prime, Arbitrum, Base, Mantle, and Linea.
  • April 21: Attacker moves 75,701 ETH (~$175M) to Ethereum mainnet; laundering via Thorchain, Umbra Cash, Chainflip toward bitcoin.
  • April 22: Arbitrum Security Council freezes 30,766 ETH (~$71M) held by the attacker on Arbitrum One.
  • April 23: Aave launches DeFi United, an industry-wide recovery initiative to recapitalize rsETH backing.

The Governance Amplifier

In January 2026, an Aave governance proposal activated e-mode for rsETH, adding WETH as a borrowable asset against rsETH collateral for the first time, at a 93% loan-to-value limit. The motivation was competitive: other liquid restaking tokens on Aave already had similar parameters, and the proposal explicitly targeted $1 billion in new rsETH inflows. No bridge risk assessment was conducted. When the attackers arrived with $292 million in stolen rsETH, that channel allowed them to borrow $93 in WETH for every $100 of stolen collateral. Some competing DeFi lending platforms have set LTVs for rsETH much lower: 72% and 75% for SparkLend and Fluid, respectively. The governance vote that created the conditions for maximum extraction passed three months before the exploit.

Kelp’s Shortfall and What It Means for Aave

Aave's loss is fixed: approximately $190 million in WETH was borrowed using stolen collateral and is gone. The question is how much can be recovered by liquidating the attacker's remaining rsETH collateral, and how much becomes unrecoverable bad debt.

The Shortfall Kelp Must Allocate

rsETH exists in two forms. Mainnet rsETH (629,689 tokens) is minted by Kelp when users deposit liquid staking tokens such as stETH, and is backed by those underlying staking deposits. It is unaffected by the exploit. Bridged rsETH consists of 152,577 IOUs outstanding on other blockchains, backed not by Kelp's staking deposits but by a reserve of mainnet rsETH locked in a bridge adapter on Ethereum.

The exploit drained that adapter from 116,723 rsETH to 223 rsETH. Kelp recovered 40,373 rsETH by freezing a second attack attempt. That is now the only backing for all 152,577 remote-chain claims, equal to roughly 26 cents per dollar of claims.

Two Scenarios, One Decision that Aave Does Not Control

Kelp faces a choice between two approaches, each producing a different outcome for Aave.

Scenario 1 — Uniform Loss Distribution

If Kelp spreads the loss across all rsETH holders on all chains, every token takes a roughly 15% haircut and retains approximately 85% of its value. Liquidators recover a meaningful portion of the missing WETH, leaving Aave with an estimated $123.7 million in unrecoverable bad debt spread across multiple chains.

Scenario 2 — Isolated Losses

If Kelp treats the loss as a problem only for remote-chain holders, mainnet rsETH retains full value. Remote-chain IOUs are worth roughly 26%, and collateral recovery is minimal. Aave faces an estimated $230.1 million in bad debt concentrated in its L2 deployments. Mantle bears the most severe impact, with 71% of its WETH lending pool becoming unrecoverable bad debt ($77.7 million), followed by Arbitrum at 27% ($88.4 million) and Base at 23% ($47.5 million). These percentages reflect how much of each chain’s WETH lending pool is wiped out relative to its size.

Kelp has not announced a formal loss allocation decision. The path to resolution has shifted: an industry-wide recovery effort called DeFi United launched on April 23 aims to recapitalize rsETH backing directly through third-party contributions. If successful, this could reduce the bad debt outcome below either scenario estimate. However, a gap remains as of this writing.

Market Impact

Ethereum fell roughly 3.7%, and the AAVE token fell 18% in the 24 hours following the exploit. Aave’s total value locked dropped over $10 billion, down 38% in ETH terms.

$10 Billion in Withdrawals in 48 Hours

Depositors pulled funds not because their own positions were exposed to the bad debt, but because the rational response to unquantified losses on a shared platform is to exit before losses are socialized. First movers got out whole. Those who moved later found their funds locked at 100% utilization. The rational behavior of each participant produced an outcome that harmed all remaining participants.

Architecture Determined the Damage

The contrast with Morpho is instructive. Morpho holds lending pools in isolated vaults rather than shared pools and had approximately $1 million in exposure to the identical asset from the identical incident. Aave had approximately $196 million. The disparity reflects a fundamental design choice.

Impact on Suppliers of Capital

Suppliers of capital to Aave face two categories of loss depending on their exposure.

WETH Depositors: Direct Losses

WETH depositors supply capital to Aave’s lending pool to earn yield, funded by the interest paid by borrowers. In normal conditions, this is a straightforward transaction: deposit WETH, earn a return, withdraw when needed. The exploit broke that arrangement. The attacker borrowed approximately 82,650 WETH from the pool using stolen rsETH as collateral. That WETH is gone. The rsETH collateral left behind is materially impaired. The positions should trigger liquidation, but cannot. At 100% pool utilization, liquidators receive locked pool receipts rather than actual WETH, eliminating the economic incentive to act. Every deposited WETH is now lent out. Depositors who cannot exit before the bad debt is formally allocated bear a proportional share of the loss. The yield they were earning was compensation for supplying liquidity to a pool that, unknown to them, was accepting collateral backed by a single-verifier bridge. They are now the unsecured creditors of loans that will not be fully repaid.

Stablecoin Depositors: Collateral Damage

Depositors in the stablecoin pools with no Ethereum exposure and no rsETH exposure face the most striking category of harm. Their situation is purely a function of the panic behavior of other depositors. As investors fled the platform, stablecoin withdrawal demand exceeded available pool liquidity, utilization hit 100%, and those depositors are now locked alongside everyone else. They made no bet on rsETH and held no exposure to it. A crisis of confidence in the platform was sufficient.

Impact on Borrowers of Capital

An institution that borrowed USDC or USDT against bitcoin or Ethereum collateral, with no rsETH anywhere in its position and no awareness of Kelp DAO, has nonetheless paid the cost of this exploit.

How a Hack in Another Protocol Quadrupled Your Borrowing Rate

As depositors withdrew and utilization rose toward 100%, Aave’s rate algorithm automatically pushed rates to their ceiling. There was no committee meeting, no decision, no call to make. The rate changes every twelve seconds.

Both pools moved from roughly 3.5% to 14% within 48 hours. The combined USDT and USDC supply fell from $7.65 billion to $3.96 billion in five days. As of writing, seven days after the exploit, both pools remain locked at approximately 14% and 100% utilization. A borrower who entered at 3.5% has been paying elevated rates for seven consecutive days with no contractual recourse and no defined resolution timeline.

Design Features That Made This Possible

No Loan Recall

Aave has no loan recall mechanism. In traditional lending, a lender can demand repayment (under certain terms), and the borrower must comply. In Aave, no participant can force another to repay. Borrowers retain complete discretion over their positions as long as their collateral maintains sufficient value. The 100% pool utilization trapping depositors could, in theory, be resolved by borrower repayments, but nothing compels repayment, and elevated rates do not create urgency for borrowers with functioning collateral positions.

Depositors Locked

Pool utilization at 100% locks supply, not demand. When utilization reaches 100%, depositors cannot withdraw because every deposited dollar is already lent out and none remains available for return. Repaying a loan remains possible because repayment adds liquidity to the pool rather than removing it. New deposits are always accepted. But existing depositors are locked until new capital enters or existing borrowers voluntarily repay. Neither is likely when the platform is perceived as carrying unresolved bad debt.

Programmatic Rate Changes

Rate changes are automatic. There is no grace period when rates change, no notification mechanism, and no protection for existing positions. An institution that modeled its borrowing cost at 3.5% and now faces 14% has no contractual recourse. The rate changed because an algorithm responded to market conditions, and that is the full extent of the explanation.

Shared Losses

When you deposit WETH into Aave, your capital joins a communal pool that funds loans to any borrower posting approved collateral, regardless of the collateral type. If any approved collateral fails, the bad debt falls on the pool, and every WETH depositor absorbs a proportional share, whether or not they had any view on that collateral. The e-mode pairing of rsETH with WETH at 93% LTV compounded this: it was a governance decision that allowed borrowers to extract $93 in WETH for every $100 of rsETH posted, concentrating the damage in the WETH pool. An institution that deposited WETH to earn yield made no decision about rsETH. A governance vote made that connection on their behalf and set the terms.
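The four design features above can be seen together in a small model of a shared, utilization-priced pool. This is an added illustration, not Aave’s code or material from this letter: the kinked rate curve (3.5% at an assumed 90% optimal utilization, 14% at 100%), the depositor balances and the sequence of events are constructed assumptions chosen to mirror the behaviour described, not the protocol’s real parameters.

```python
"""Stylized model of a shared, utilization-priced lending pool.

Added illustration, not Aave's code. The kinked rate curve, its parameters
and the depositor/borrower amounts are constructed assumptions chosen to
mirror the behaviour described in the text.
"""
from dataclasses import dataclass, field


@dataclass
class Pool:
    cash: float = 0.0          # liquidity sitting idle in the pool
    borrowed: float = 0.0      # principal currently lent out
    # Each depositor holds units of the pool; a unit's value is assets / units,
    # so any loss on the loan book is shared proportionally by all holders.
    units: dict = field(default_factory=dict)
    # Assumed kinked curve (not Aave's real parameters): 3.5% borrow rate at an
    # "optimal" 90% utilization, climbing steeply to a 14% ceiling at 100%.
    optimal_u: float = 0.90
    rate_at_optimal: float = 0.035
    rate_at_full: float = 0.14

    @property
    def assets(self) -> float:
        return self.cash + self.borrowed

    def unit_price(self) -> float:
        total_units = sum(self.units.values())
        return self.assets / total_units if total_units else 1.0

    def utilization(self) -> float:
        return self.borrowed / self.assets if self.assets else 0.0

    def borrow_rate(self) -> float:
        """Rate is a pure function of utilization; nobody decides it."""
        u = self.utilization()
        if u <= self.optimal_u:
            return self.rate_at_optimal * u / self.optimal_u
        excess = (u - self.optimal_u) / (1.0 - self.optimal_u)
        return self.rate_at_optimal + (self.rate_at_full - self.rate_at_optimal) * excess

    def claim(self, who: str) -> float:
        """What a depositor is owed today (not what they can actually take out)."""
        return self.units.get(who, 0.0) * self.unit_price()

    def deposit(self, who: str, amount: float) -> None:
        price = self.unit_price()          # price before the new cash arrives
        self.cash += amount
        self.units[who] = self.units.get(who, 0.0) + amount / price

    def withdraw(self, who: str, amount: float) -> bool:
        """Fails when the pool has no cash, however large the depositor's claim."""
        if amount > self.claim(who) + 1e-9 or amount > self.cash + 1e-9:
            return False
        self.units[who] -= amount / self.unit_price()
        self.cash -= amount
        return True

    def borrow(self, amount: float) -> bool:
        if amount > self.cash:
            return False
        self.cash -= amount
        self.borrowed += amount
        return True

    def repay(self, amount: float) -> None:
        """Repayment is the borrower's choice; there is deliberately no recall()."""
        self.cash += amount
        self.borrowed -= amount

    def write_off(self, amount: float) -> None:
        """Bad debt leaves the loan book; every unit holder absorbs a share."""
        self.borrowed -= amount


def run_scenario() -> dict:
    """Constructed sequence: calm pool, bank run, lock-up, voluntary repayment,
    then a bad-debt write-off socialized across the remaining depositors."""
    pool = Pool()
    for who in ("alice", "bob", "carol"):
        pool.deposit(who, 1000.0)
    pool.borrow(2700.0)                       # 90% utilization: the calm state
    calm_rate = pool.borrow_rate()            # 0.035
    pool.withdraw("alice", 300.0)             # first mover takes the last cash
    crisis_rate = pool.borrow_rate()          # 100% utilization: 0.14
    bob_locked = not pool.withdraw("bob", 100.0)   # nothing left to hand back
    pool.repay(100.0)                         # a borrower chooses to repay
    bob_freed = pool.withdraw("bob", 100.0)   # that cash is immediately claimable
    pool.write_off(500.0)                     # unrecoverable loans recognised
    return {
        "calm_rate": calm_rate,
        "crisis_rate": crisis_rate,
        "bob_locked_at_full_utilization": bob_locked,
        "bob_withdrew_after_repayment": bob_freed,
        "haircut": 1.0 - pool.unit_price(),   # 500 / 2600 of every remaining claim
        "alice_claim": pool.claim("alice"),   # 700 units; she exited 300 at par
        "carol_claim": pool.claim("carol"),   # 1000 units; she never moved
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Alice, who withdrew part of her position while cash remained, ends with a smaller loss than Carol, who did nothing wrong but moved last; that asymmetry is the bank-run incentive the text describes.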

Aave’s Backstops: What Exists and What It Covers

Aave maintains two loss-absorption mechanisms. Neither was designed for an event of this magnitude.

Umbrella Insurance System

In June 2025, Aave launched Umbrella, an insurance system in which depositors voluntarily stake their deposit receipts in asset-specific vaults for a yield premium. If the corresponding market incurs bad debt, the vault is automatically slashed (balances are reduced and used to repay the bad debt). No governance vote is required.

The system has four vaults totaling $258.9 million, but they are ring-fenced. The $75.3 million USDC vault or $110.5 million USDT vault cannot cover WETH losses. The only vault applicable to this incident is the $57.3 million WETH vault, and it covers the Ethereum mainnet only.

The WETH vault faces a further problem: 80% of staked WETH had entered the 20-day cooldown to exit. Effective coverage could be substantially below $57.3 million by the time any slashing decision is made. Freezing the vault to preserve coverage would then require a governance vote to deploy it, defeating the purpose of an automatic system.

DAO Treasury

The treasury holds approximately $181 million: $62 million in Ethereum-correlated assets, $54 million in AAVE tokens, and $52 million in stablecoins. Only the $52 million stablecoin tranche is deployable without market risk or self-defeating side effects. Selling AAVE tokens to cover bad debt further depresses the token price and undermines the buyback program. A governance proposal to deploy treasury funds was posted on April 21 and has not been voted on.

Legacy Safety Module

The legacy Safety Module holds approximately $259 million in staked AAVE and other tokens. The headline figure is misleading: slashing is disabled, only 20% of each position could be seized even if it were active, and slashing has never been executed in Aave’s history despite multiple prior bad debt events. The people who vote on whether to reactivate slashing are the same people who would be slashed.

The Coverage Gap

Against bad debt of $123 to $230 million, first-loss coverage is nominally $57.3 million and likely less given the exit race. Additional coverage requires governance votes with no timeline and no precedent. DeFi United has launched with confirmed contributions, but a gap still exists. Whatever is not covered falls on WETH depositors as a proportional haircut.

One additional problem: the bad debt is denominated in Ethereum, not dollars. The attacker borrowed approximately 82,650 WETH. That obligation is fixed in ETH terms. If Ethereum appreciates while governance deliberates, the dollar cost of covering the bad debt rises. Every week of delay during rising Ethereum prices makes the problem harder to solve.

Aave’s Governance: What Institutional Investors Need to Understand

Every parameter that governs your position, including the interest rate model, collateral requirements, and liquidation threshold, is set by governance vote. It can be changed at any time.

Who Actually Controls Aave

In practice, voting power is highly concentrated. Aave Labs, the founding entity, is believed to hold sufficient token concentration to influence governance outcomes. Three recent governance episodes illustrate the pattern: a December 2025 proposal defeated with 55% opposition after critics alleged Labs-aligned holdings tipped the vote; the ‘Aave Will Win’ framework that passed six days before the exploit with only 52% support under similar allegations; and three departing independent contributors who cited Aave Labs’ de facto control as a primary reason for leaving. The formal mechanism is one token, one vote. The effective reality is that a small number of actors set the parameters of your borrowing position.

An Accountability Layer Has Been Removed

Three independent organizations provided the institutional accountability layer within Aave governance. All three departed in the weeks before the exploit, the last of them just twelve days prior.

BGD Labs built and maintained Aave’s core technical infrastructure. Departed April 1, 2026, citing disagreement over the timeline for a major architectural upgrade.

Aave Chan Initiative (ACI) coordinated governance and stewarded Aave’s stablecoin from $35 million to $527 million in supply. Departed over concerns about Aave Labs’ control over governance token distribution.

Chaos Labs set every risk parameter on Aave since November 2022, across all markets and blockchains, with zero material bad debt during their tenure. Departed April 6, 2026, twelve days before the exploit, citing inadequate budget and misalignment over risk management priorities.

DeFi United: An Industry Bailout in Progress

On April 23, five days after the exploit, Aave launched DeFi United, a coordinated industry recovery initiative. Rather than relying solely on Aave’s own insurance mechanisms and governance votes, DeFi United aims to recapitalize rsETH backing directly through voluntary contributions from DeFi ecosystem participants. If the effort succeeds in closing the rsETH deficit, bad debt on Aave could be substantially reduced or eliminated.

The Hole and What Has Been Pledged

The total hole is 112,204 rsETH, representing the gap between the 152,577 rsETH in outstanding remote-chain claims and the 40,373 rsETH recovered in the bridge adapter. The table below shows the hole alongside every asset explicitly pledged or confirmed as of April 24. Contributors marked as undisclosed have confirmed their participation but have not publicly stated a figure. The Mantle loan is proposed but not yet approved.

What this Means for Bad Debt Scenarios

DeFi United focuses on restoring rsETH backing rather than directly covering Aave’s bad debt. If the initiative fully closes the 112,204 rsETH deficit, remote-chain rsETH would be fully redeemable at par, the attacker’s collateral would regain full value, and bad debt under both scenarios could be eliminated. Partial recapitalization would produce outcomes between the two scenario estimates. As of this writing, the initiative is in progress, Kelp has not announced a formal loss allocation decision, and the outcome remains uncertain.

Parting Thoughts

DeFi lending is genuinely compelling. Rates are algorithmically efficient, markets are transparent, and for institutions that have borrowed stablecoins against bitcoin or Ethereum, the savings relative to regulated lenders have been real and meaningful. The industry-wide response to this incident, with ecosystem participants voluntarily contributing funds to make users whole, is itself notable. It does not, however, change the structural analysis.

The Kelp DAO exploit illustrates what that rate differential is compensating for: technical risks from infrastructure layers outside the protocol’s control, economic risks from algorithmic rate systems that respond to crises without institutional flexibility, governance risks from token holders with no fiduciary accountability, and systemic risks from a composability model that transmits failures across protocols in ways no participant can fully map. The USDC and USDT borrowers who saw rates quadruple had exposure to none of these risks in any direct sense.

These risks are not priced into the rate. The rate model captures utilization dynamics; it has no mechanism to price bridge configuration decisions at upstream protocols, governance votes by anonymous token holders, or the bank-run behavior of other depositors in a crisis. The risks that materialized in April 2026 were largely invisible before they crystallized, not because they were hidden, but because DeFi’s composability means that risk layers accumulate across protocols, chains, and infrastructure in ways no participant can fully track or model.

DeFi is often decentralized in name only. Governance power concentrates among a small number of insiders who hold enough tokens to set the terms for everyone else. The industry would be more honest calling it OpenFi, one of its earliest descriptors. At least that drops the pretense of decentralization while keeping the part that is actually true.

The Kelp exploit is the most concrete demonstration yet of why DeFi lending platforms, whatever their efficiency advantages, are not suitable as primary borrowing infrastructure for institutional capital. The absence of a counterparty relationship is not a feature. It is the condition that makes every other risk in this report unmanageable when things go wrong. In regulated lending, an institution can call its lender. In DeFi, the protocol does not know who you are.

Start Reading
Start Reading

IN TODAY'S ISSUE:

  • North Korean hackers forged a transfer instruction to drain $292 million in tokens from Kelp DAO’s cross-chain bridge, deposited those tokens as collateral on Aave, and borrowed $190 million in WETH against them.
  • Many depositors cannot withdraw, and borrowers cannot be forced to repay. Aave has no loan recall mechanism, leaving lenders trapped while borrowers retain complete discretion over their positions.
  • Institutions borrowing USDC or USDT on Aave with no exposure to the hacked asset have seen their borrowing rates quadruple, because a crisis of confidence triggered a bank run that spread across the platform.
  • Aave’s dedicated bad debt reserve is insufficient to cover the estimated bad debt of $123 to $230 million, 80% of those funds are already trying to exit, and any additional coverage requires governance votes with no defined timeline and no precedent of success.
  • Investors are at the mercy of a governance system that is nominally decentralized but effectively controlled by a small number of token holders with no fiduciary obligation and misaligned, if not oppositional, incentives to depositors.
  • An industry-wide rescue effort called DeFi United has launched with pledges from Aave's founder, EtherFi, Lido, Mantle, and others, but confirmed hard commitments remain well short of the hole, and the outcome is unresolved.
  • DeFi’s advantages are real, but technical, economic, and governance risks that ripple across the ecosystem are difficult, if not impossible, to identify in advance. Every incremental layer in DeFi can add a failure surface.

Overview

On April 18, 2026, North Korean hackers exploited a security flaw in Kelp DAO, a liquid restaking protocol, draining $292 million in tokens from its LayerZero cross-chain bridge and using them as collateral to borrow approximately $190 million in WETH from Aave, the largest DeFi lending platform.

The stolen funds triggered a wave of withdrawals that froze lending pools across Aave. Borrowing rates on USDC and USDT spiked from roughly 3.5% to 14% within 48 hours and remain there. Depositors cannot withdraw. Borrowers are paying crisis-level rates on positions they opened in normal conditions.

An institution with a well-collateralized stablecoin position, borrowing against bitcoin or Ethereum with no exposure to the exploited asset, has seen its borrowing cost quadruple with no notice, no recourse, and no timeline for normalization. This happened because a crisis of confidence prompted depositors across Aave to exit regardless of their specific pool's exposure, driving utilization to 100% and spiking rates for every borrower still in those markets.

Beyond the immediate rate disruption, the governance structure has been upended at Aave. Three independent organizations responsible for risk management, technical oversight, and governance coordination all departed in the weeks before the exploit, the last of them just twelve days prior. Bad debt estimated between $123 million and $230 million exceeds what the protocol's insurance mechanisms can cover. Resolution requires governance votes among token holders with conflicting financial interests and has no defined timeline.

Five days after the exploit, Aave launched DeFi United, a coordinated industry rescue effort aimed at recapitalizing the 112,204 rsETH hole through voluntary contributions from ecosystem participants. As of April 24, confirmed hard commitments total roughly 44,000 ETH, with Mantle's proposed 30,000 ETH loan pending approval. The gap remains open.

DeFi's advantages, including efficiency, lower cost, and transparency, are real. However, every layer in a DeFi strategy adds a failure surface, and no participant in the stack, including Aave, had visibility into the risks embedded in the layers above or below them. This incident is the most concrete demonstration yet that those risks are not theoretical.

What Happened

Kelp DAO is a liquid restaking protocol. Users deposit liquid staking tokens such as stETH into Kelp, which routes them through EigenLayer and issues a receipt token called rsETH in return. That token can be used as collateral to borrow other assets on platforms like Aave.

Kelp moves rsETH between blockchains using bridge infrastructure provided by LayerZero. The attackers, attributed to North Korea’s Lazarus Group, identified a vulnerability in how Kelp’s bridge verified transfers. Kelp had configured its bridge with a single verifier as the sole checkpoint on cross-chain transfers. The attackers compromised that verifier’s data sources, fed it false information confirming a transfer that never occurred, and the bridge released 116,500 rsETH to attacker-controlled addresses. Of those, 89,567 rsETH were deposited on Aave, 53,400 on Ethereum Core, and 36,167 on Arbitrum, and used to borrow approximately 82,650 WETH ($190 million). The WETH left the protocol.

The attack required no flaw in Aave’s code, no flaw in LayerZero’s core protocol, and no flaw in Kelp’s smart contracts. It exploited a single configuration decision, Kelp’s choice to use one verifier instead of several, that Aave’s risk framework never assessed when it accepted rsETH as collateral, and that a state actor had the resources and patience to find and exploit.

Chronology of Events

  • April 18, 07:35 UTC: Attacker pre-funds six wallets via Tornado Cash, ten hours before the drain.
  • April 18, 17:35 UTC: Bridge releases 116,500 rsETH to attacker-controlled addresses. Bridge adapter balance drops from 116,723 to 223 rsETH.
  • April 18, 17:35–18:21 UTC: Attacker deposits 89,567 rsETH on Aave (Ethereum Core and Arbitrum), borrows approximately $190 million in WETH.
  • April 18, 18:21 UTC: Kelp emergency multisig pauses rsETH contracts.
  • April 18, 18:26 and 18:28 UTC: Attacker submits two follow-up forged packets. Both revert after Kelp freezes the recipient address.
  • April 18, post-18:21 UTC: Kelp executes FrozenFundsRecover, recovering 40,373 rsETH into a controlled address.
  • April 18, 18:52 UTC: Aave Guardian begins freezing rsETH across all V3 deployments.
  • April 20, ~02:00 UTC: Aave Guardian freezes WETH on Core, Prime, Arbitrum, Base, Mantle, and Linea.
  • April 21: Attacker moves 75,701 ETH (~$175M) to Ethereum mainnet; laundering via Thorchain, Umbra Cash, Chainflip toward bitcoin.
  • April 22: Arbitrum Security Council freezes 30,766 ETH (~$71M) held by the attacker on Arbitrum One.
  • April 23: Aave launches DeFi United, an industry-wide recovery initiative to recapitalize rsETH backing.

The Governance Amplifier

In January 2026, an Aave governance proposal activated e-mode for rsETH, adding WETH as a borrowable asset against rsETH collateral for the first time, at a 93% loan-to-value limit. The motivation was competitive: other liquid restaking tokens on Aave already had similar parameters, and the proposal explicitly targeted $1 billion in new rsETH inflows. No bridge risk assessment was conducted. When the attackers arrived with $292 million in stolen rsETH, that channel allowed them to borrow $93 in WETH for every $100 of stolen collateral. Some competing DeFi lending platforms have set LTVs for rsETH much lower, 72% and 75% for SparkLend and Fluid. The governance vote that created the conditions for maximum extraction passed three months before the exploit.

Kelp’s Shortfall and What It Means for Aave

Aave's loss is fixed: approximately $190 million in WETH was borrowed using stolen collateral and is gone. The question is how much can be recovered by liquidating the attacker's remaining rsETH collateral, and how much becomes unrecoverable bad debt.

The Shortfall Kelp Must Allocate

rsETH exists in two forms. Mainnet rsETH (629,689 tokens) is minted by Kelp when users deposit liquid staking tokens such as stETH, and is backed by those underlying staking deposits. It is unaffected by the exploit. Bridged rsETH consists of 152,577 IOUs outstanding on other blockchains, backed not by Kelp's staking deposits but by a reserve of mainnet rsETH locked in a bridge adapter on Ethereum.

The exploit drained that adapter from 116,723 rsETH to 223 rsETH. Kelp recovered 40,373 rsETH from the recipient address it froze when the follow-up attempts arrived. That is now the only backing for all 152,577 remote-chain claims, equal to roughly 26 cents per dollar of claims.

Two Scenarios, One Decision that Aave Does Not Control

Kelp faces a choice between two approaches, each producing a different outcome for Aave.

Scenario 1 — Uniform Loss Distribution

If Kelp spreads the loss across all rsETH holders on all chains, every token takes a roughly 15% haircut and retains approximately 85% of its value. Liquidators recover a meaningful portion of the missing WETH, leaving Aave with an estimated $123.7 million in unrecoverable bad debt spread across multiple chains.

Scenario 2 — Isolated Losses

If Kelp treats the loss as a problem only for remote-chain holders, mainnet rsETH retains full value. Remote-chain IOUs are worth roughly 26%, and collateral recovery is minimal. Aave faces an estimated $230.1 million in bad debt concentrated in its L2 deployments. Mantle bears the most severe impact, with 71% of its WETH lending pool becoming unrecoverable bad debt ($77.7 million), followed by Arbitrum at 27% ($88.4 million) and Base at 23% ($47.5 million). These percentages reflect how much of each chain’s WETH lending pool is wiped out relative to its size.
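The two scenarios above, and the LTV comparison in "The Governance Amplifier", can be worked from the figures the letter itself quotes. The following is an added example, not code from the letter, Kelp DAO or Aave. It computes the retained value of rsETH under uniform and isolated allocation from the mainnet, remote-claim and recovered balances, and then shows how much collateral haircut a position borrowed at each platform's maximum LTV (93%, 75%, 72%) can absorb before liquidation no longer covers the debt. The liquidation bonus of 5% is an assumed illustrative parameter, not Aave's rsETH setting, and the per-chain dollar bad-debt estimates in the text are not reproduced because they depend on position data the letter does not give.

```python
"""Added example; not code from the NYDIG letter, Kelp DAO or Aave.

Works the letter's two loss-allocation scenarios from its own supply figures
and shows how much collateral haircut a position borrowed at a given LTV can
absorb before liquidation stops covering the debt.  The liquidation bonus is
an assumed illustrative parameter, not Aave's setting for rsETH.
"""

# rsETH figures quoted in the letter.
MAINNET_RSETH = 629_689       # minted on Ethereum, backed by staking deposits
REMOTE_CLAIMS = 152_577       # bridged IOUs outstanding on other chains
ADAPTER_RECOVERED = 40_373    # mainnet rsETH left in the bridge adapter

# Loan-to-value limits quoted in the letter for rsETH collateral.
LTV_BY_PLATFORM = {"Aave e-mode": 0.93, "Fluid": 0.75, "SparkLend": 0.72}


def uniform_retained(mainnet=MAINNET_RSETH, remote=REMOTE_CLAIMS,
                     recovered=ADAPTER_RECOVERED) -> float:
    """Scenario 1: every rsETH on every chain shares the loss."""
    return (mainnet + recovered) / (mainnet + remote)


def isolated_retained(remote=REMOTE_CLAIMS, recovered=ADAPTER_RECOVERED) -> dict:
    """Scenario 2: mainnet stays at par; remote IOUs get only the adapter backing."""
    return {"mainnet": 1.0, "remote": recovered / remote}


def liquidation_outcome(debt: float, collateral_at_par: float,
                        retained: float, liq_bonus: float = 0.05) -> dict:
    """Debt left unpaid after liquidating impaired collateral.

    The liquidator repays debt and takes collateral worth (1 + liq_bonus)
    times what it repaid, so impaired collateral of value V can retire at most
    V / (1 + liq_bonus) of debt.  Whatever remains is bad debt for the pool.
    """
    value = collateral_at_par * retained
    recovered = min(debt, value / (1.0 + liq_bonus))
    return {"recovered": recovered, "bad_debt": debt - recovered}


def max_haircut_before_loss(ltv: float, liq_bonus: float = 0.05) -> float:
    """Largest haircut a max-LTV position can take with liquidation still
    covering the debt plus bonus: solve (1 - h) / (1 + b) = ltv for h."""
    return 1.0 - ltv * (1.0 + liq_bonus)


def scenario_table(liq_bonus: float = 0.05) -> dict:
    """Bad debt per 100 units of collateral posted at each platform's max LTV,
    under both allocation scenarios (remote-chain collateral for scenario 2)."""
    scenarios = {
        "uniform": uniform_retained(),
        "isolated_remote": isolated_retained()["remote"],
    }
    table = {}
    for name, ltv in LTV_BY_PLATFORM.items():
        row = {"max_haircut": max_haircut_before_loss(ltv, liq_bonus)}
        for scen, retained in scenarios.items():
            outcome = liquidation_outcome(100.0 * ltv, 100.0, retained, liq_bonus)
            row[scen] = outcome["bad_debt"]
        table[name] = row
    return table


if __name__ == "__main__":
    print(f"uniform haircut:   {1 - uniform_retained():.1%}")
    print(f"remote-only value: {isolated_retained()['remote']:.1%}")
    for platform, row in scenario_table().items():
        print(platform, {k: round(v, 2) for k, v in row.items()})
```

With these inputs the uniform scenario leaves every rsETH at about 85.7% of par and the isolated scenario leaves remote-chain rsETH at about 26.5%. At a 93% LTV a position can absorb a haircut of only about 2% before liquidation stops covering the debt, so even the milder scenario produces bad debt; at 72% or 75% the uniform haircut is fully absorbed and bad debt appears only in the isolated case.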

Kelp has not announced a formal loss allocation decision. The path to resolution has shifted: an industry-wide recovery effort called DeFi United launched on April 23 aims to recapitalize rsETH backing directly through third-party contributions. If successful, this could reduce the bad debt outcome below either scenario estimate. However, a gap remains as of this writing.

Market Impact

Ethereum fell roughly 3.7%, and the AAVE token fell 18% in the 24 hours following the exploit. Aave’s total value locked dropped over $10 billion, down 38% in ETH terms.

$10 Billion in Withdrawals in 48 Hours

Depositors pulled funds not because their own positions were exposed to the bad debt, but because the rational response to unquantified losses on a shared platform is to exit before losses are socialized. First movers got out whole. Those who moved later found their funds locked at 100% utilization. The rational behavior of each participant produced an outcome that harmed all remaining participants.

Architecture Determined the Damage

The contrast with Morpho is instructive. Morpho holds lending pools in isolated vaults rather than shared pools and had approximately $1 million in exposure to the identical asset from the identical incident. Aave had approximately $196 million. The disparity reflects a fundamental design choice.

Impact on Suppliers of Capital

Suppliers of capital to Aave face two categories of loss depending on their exposure.

WETH Depositors: Direct Losses

WETH depositors supply capital to Aave’s lending pool to earn yield, funded by the interest paid by borrowers. In normal conditions, this is a straightforward transaction: deposit WETH, earn a return, withdraw when needed. The exploit broke that arrangement. The attacker borrowed approximately 82,650 WETH from the pool using stolen rsETH as collateral. That WETH is gone, and the rsETH collateral left behind is materially impaired. The positions should trigger liquidation, but cannot: at 100% pool utilization, every deposited WETH is already lent out, so liquidators receive locked pool receipts rather than actual WETH, eliminating the economic incentive to act. Depositors who cannot exit before the bad debt is formally allocated bear a proportional share of the loss. The yield they were earning was compensation for supplying liquidity to a pool that, unknown to them, was accepting collateral backed by a single-verifier bridge. They are now the unsecured creditors of loans that will not be fully repaid.

Stablecoin Depositors: Collateral Damage

Depositors in the stablecoin pools with no Ethereum exposure and no rsETH exposure face the most striking category of harm. Their situation is purely a function of the panic behavior of other depositors. As investors fled the platform, stablecoin withdrawal demand exceeded available pool liquidity, utilization hit 100%, and those depositors are now locked alongside everyone else. They made no bet on rsETH and held no exposure to it. A crisis of confidence in the platform was sufficient.

Impact on Borrowers of Capital

An institution that borrowed USDC or USDT against bitcoin or Ethereum collateral, with no rsETH anywhere in its position and no awareness of Kelp DAO, has nonetheless paid the cost of this exploit.

How a Hack in Another Protocol Quadrupled Your Borrowing Rate

As depositors withdrew and utilization rose toward 100%, Aave’s rate algorithm automatically pushed rates to their ceiling. There was no committee meeting, no decision, no call to make. The rate can change with every Ethereum block, roughly every twelve seconds.

Both pools moved from roughly 3.5% to 14% within 48 hours. The combined USDT and USDC supply fell from $7.65 billion to $3.96 billion in five days. As of writing, seven days after the exploit, both pools remain locked at approximately 14% and 100% utilization. A borrower who entered at 3.5% has been paying elevated rates for seven consecutive days with no contractual recourse and no defined resolution timeline.

Design Features That Made This Possible

No Loan Recall

Aave has no loan recall mechanism. In traditional lending, a lender can demand repayment (under certain terms), and the borrower must comply. In Aave, no participant can force another to repay. Borrowers retain complete discretion over their positions as long as their collateral maintains sufficient value. The 100% pool utilization trapping depositors could, in theory, be resolved by borrower repayments, but nothing compels repayment, and elevated rates do not create urgency for borrowers with functioning collateral positions.

Depositors Locked

Pool utilization at 100% locks suppliers, not borrowers. When utilization reaches 100%, depositors cannot withdraw because every deposited dollar is already lent out and none remains available for return. Repaying a loan remains possible because repayment adds liquidity to the pool rather than removing it. New deposits are always accepted. But existing depositors are locked until new capital enters or existing borrowers voluntarily repay. Neither is likely when the platform is perceived as carrying unresolved bad debt.

Programmatic Rate Changes

Rate changes are automatic. There is no grace period when rates change, no notification mechanism, and no protection for existing positions. An institution that modeled its borrowing cost at 3.5% and now faces 14% has no contractual recourse. The rate changed because an algorithm responded to market conditions, and that is the full extent of the explanation.
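The three design features above (no loan recall, depositors locked at 100% utilization, programmatic rate changes) and the rate quadrupling described under "How a Hack in Another Protocol Quadrupled Your Borrowing Rate" are all consequences of one pool structure, which is small enough to model. The following is an added example, not Aave's code. It implements a single-asset shared pool with a two-slope ("kinked") borrow-rate curve of the kind Aave uses, then runs a bank run: ten suppliers, one borrower, and a rush for the exit. The curve parameters (4% at the 90% kink, 14% at full utilization) are assumed values chosen so the run moves from roughly 3.5% to 14%, as the letter reports; they are not Aave's actual parameters. The model deliberately has no recall operation, because the pool offers none.

```python
"""Added example; not code from the NYDIG letter or from Aave.

A minimal shared-pool lending model with a two-slope ("kinked") borrow-rate
curve.  It shows three things the letter describes: withdrawals alone can
drive utilization to 100% and the rate to its ceiling; at 100% utilization
withdrawals fail while repayments and new deposits still go through; and
nothing in the pool can force a borrower to repay.  Curve parameters are
assumed illustrative values, not Aave's.
"""
from dataclasses import dataclass


class PoolLocked(Exception):
    """Raised when a withdrawal or borrow exceeds the liquidity left in the pool."""


@dataclass
class RateModel:
    base: float = 0.00
    slope1: float = 0.04     # rate added as utilization rises from 0 to the kink
    slope2: float = 0.10     # rate added as utilization rises from the kink to 100%
    optimal_u: float = 0.90  # the kink

    def borrow_rate(self, utilization: float) -> float:
        u = min(max(utilization, 0.0), 1.0)
        if u <= self.optimal_u:
            return self.base + self.slope1 * u / self.optimal_u
        excess = (u - self.optimal_u) / (1.0 - self.optimal_u)
        return self.base + self.slope1 + self.slope2 * excess


class Pool:
    """One pot of deposits funds every loan.  There is deliberately no recall
    method: no participant can force another to repay."""

    def __init__(self, model: RateModel):
        self.model = model
        self.balances: dict[str, float] = {}  # supplier -> principal supplied
        self.debts: dict[str, float] = {}     # borrower -> outstanding debt

    @property
    def supplied(self) -> float:
        return sum(self.balances.values())

    @property
    def borrowed(self) -> float:
        return sum(self.debts.values())

    @property
    def liquidity(self) -> float:
        return self.supplied - self.borrowed

    @property
    def utilization(self) -> float:
        return 0.0 if self.supplied == 0 else self.borrowed / self.supplied

    @property
    def borrow_rate(self) -> float:
        return self.model.borrow_rate(self.utilization)

    def deposit(self, who: str, amount: float) -> None:
        # Always accepted: new supply adds liquidity.
        self.balances[who] = self.balances.get(who, 0.0) + amount

    def withdraw(self, who: str, amount: float) -> None:
        if amount > self.balances.get(who, 0.0):
            raise ValueError("insufficient balance")
        if amount > self.liquidity + 1e-12:
            raise PoolLocked(f"only {self.liquidity:.2f} available")
        self.balances[who] -= amount

    def borrow(self, who: str, amount: float) -> None:
        if amount > self.liquidity:
            raise PoolLocked("not enough liquidity to borrow")
        self.debts[who] = self.debts.get(who, 0.0) + amount

    def repay(self, who: str, amount: float) -> None:
        # Repayment removes nothing from the pool; it restores liquidity.
        self.debts[who] = max(0.0, self.debts.get(who, 0.0) - amount)


def simulate_bank_run() -> dict:
    """Ten suppliers of 100 each, one borrower, then a rush for the exit."""
    pool = Pool(RateModel())
    for i in range(10):
        pool.deposit(f"lp{i}", 100.0)
    pool.borrow("borrower", 787.5)          # utilization 78.75%
    rate_before = pool.borrow_rate

    exited_whole = partial = locked = 0
    for i in range(10):
        want = pool.balances[f"lp{i}"]
        got = min(want, pool.liquidity)     # take whatever is still there
        if got <= 0:
            locked += 1                     # nothing left: locked in
            continue
        pool.withdraw(f"lp{i}", got)
        if got == want:
            exited_whole += 1
        else:
            partial += 1
    rate_at_cap = pool.borrow_rate          # utilization is now 100%

    try:
        pool.withdraw("lp9", 1.0)
        withdraw_fails = False
    except PoolLocked:
        withdraw_fails = True

    pool.repay("borrower", 50.0)            # voluntary; nothing compels it
    return {
        "rate_before": rate_before,
        "rate_at_cap": rate_at_cap,
        "exited_whole": exited_whole,
        "partial_exit": partial,
        "locked": locked,
        "withdraw_at_cap_fails": withdraw_fails,
        "liquidity_after_repay": pool.liquidity,
        "rate_after_repay": pool.borrow_rate,
    }


if __name__ == "__main__":
    for key, value in simulate_bank_run().items():
        print(f"{key:>22}: {value}")
```

Two suppliers exit whole, a third takes what is left, and the remaining seven are locked with the borrower's rate at the 14% ceiling, even though the borrower did nothing. The only operation that frees liquidity afterward is the borrower's voluntary repay; no function in the pool lets a supplier demand it.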

Shared Losses

When you deposit WETH into Aave, your capital joins a communal pool that funds loans to any borrower posting approved collateral, regardless of the collateral type. If any approved collateral fails, the bad debt falls on the pool, and every WETH depositor absorbs a proportional share, whether or not they had any view on that collateral. The e-mode pairing of rsETH with WETH at 93% LTV compounded this: it was a governance decision that allowed borrowers to extract $93 in WETH for every $100 of rsETH posted, concentrating the damage in the WETH pool. An institution that deposited WETH to earn yield made no decision about rsETH. A governance vote made that connection on their behalf and set the terms.

Aave’s Backstops: What Exists and What It Covers

Aave maintains two loss-absorption mechanisms. Neither was designed for an event of this magnitude.

Umbrella Insurance System

In June 2025, Aave launched Umbrella, an insurance system in which depositors voluntarily stake their deposit receipts in asset-specific vaults for a yield premium. If the corresponding market incurs bad debt, the vault is automatically slashed (balances are reduced and used to repay the bad debt). No governance vote is required.

The system has four vaults totaling $258.9 million, but they are ring-fenced. The $75.3 million USDC vault or $110.5 million USDT vault cannot cover WETH losses. The only vault applicable to this incident is the $57.3 million WETH vault, and it covers the Ethereum mainnet only.

The WETH vault faces a further problem: 80% of staked WETH had entered the 20-day cooldown to exit. Effective coverage could be substantially below $57.3 million by the time any slashing decision is made. Freezing the vault to preserve coverage means a governance vote is then needed to deploy it, which defeats the purpose of an automatic system.

DAO Treasury

The treasury holds approximately $181 million: $62 million in Ethereum-correlated assets, $54 million in AAVE tokens, and $52 million in stablecoins. Only the $52 million stablecoin tranche is deployable without market risk or self-defeating side effects. Selling AAVE tokens to cover bad debt further depresses the token price and undermines the buyback program. A governance proposal to deploy treasury funds was posted on April 21 and has not been voted on.

Legacy Safety Module

The legacy Safety Module holds approximately $259 million in staked AAVE and other tokens. The headline is misleading: slashing is disabled, only 20% of each position could be seized even if it were active, and slashing has never been executed in Aave’s history despite multiple prior bad debt events. The people who vote on whether to reactivate slashing are the same people who would be slashed.

The Coverage Gap

Against bad debt of $123 to $230 million: first-loss coverage is nominally $57.3 million, likely less given the exit race. Additional coverage requires governance votes with no timeline and no precedent. DeFi United has launched with confirmed contributions, but a gap still exists. Whatever is not covered falls on WETH depositors as a proportional haircut.

One additional problem: the bad debt is denominated in Ethereum, not dollars. The attacker borrowed approximately 82,650 WETH. That obligation is fixed in ETH terms. If Ethereum appreciates while governance deliberates, the dollar cost of covering the bad debt rises. Every week of delay during rising Ethereum prices makes the problem harder to solve.

Aave’s Governance: What Institutional Investors Need to Understand

Every parameter that governs your position, including the interest rate model, collateral requirements, and liquidation threshold, is set by governance vote. It can be changed at any time.

Who Actually Controls Aave

In practice, voting power is highly concentrated. Aave Labs, the founding entity, is believed to hold sufficient token concentration to influence governance outcomes. Three recent governance episodes illustrate the pattern: a December 2025 proposal defeated with 55% opposition after critics alleged Labs-aligned holdings tipped the vote; the ‘Aave Will Win’ framework that passed six days before the exploit with only 52% support under similar allegations; and three departing independent contributors who cited Aave Labs’ de facto control as a primary reason for leaving. The formal mechanism is one token, one vote. The effective reality is that a small number of actors set the parameters of your borrowing position.

An Accountability Layer Has Been Removed

Three independent organizations provided the institutional accountability layer within Aave governance. All three departed in the weeks before the exploit, the last of them just twelve days prior.

BGD Labs built and maintained Aave’s core technical infrastructure. Departed April 1, 2026, citing disagreement over the timeline for a major architectural upgrade.

Aave Chan Initiative (ACI) coordinated governance and stewarded Aave’s stablecoin from $35 million to $527 million in supply. Departed over concerns about Aave Labs’ control over governance token distribution.

Chaos Labs set every risk parameter on Aave since November 2022, across all markets and blockchains, with zero material bad debt during their tenure. Departed April 6, 2026, twelve days before the exploit, citing inadequate budget and misalignment over risk management priorities.

DeFi United: An Industry Bailout in Progress

On April 23, five days after the exploit, Aave launched DeFi United, a coordinated industry recovery initiative. Rather than relying solely on Aave’s own insurance mechanisms and governance votes, DeFi United aims to recapitalize rsETH backing directly through voluntary contributions from DeFi ecosystem participants. If the effort succeeds in closing the rsETH deficit, bad debt on Aave could be substantially reduced or eliminated.

The Hole and What Has Been Pledged

The total hole is 112,204 rsETH, the gap between the 152,577 rsETH in outstanding remote-chain claims and the 40,373 rsETH recovered in the bridge adapter. The table below shows the hole alongside every asset explicitly pledged or confirmed as of April 24. Contributors marked as undisclosed have confirmed participation but have not publicly stated a figure. The Mantle loan is proposed but not yet approved.

What this Means for Bad Debt Scenarios

DeFi United focuses on restoring rsETH backing rather than directly covering Aave’s bad debt. If the initiative fully closes the 112,204 rsETH deficit, remote-chain rsETH would be fully redeemable at par, the attacker’s collateral would regain full value, and bad debt under both scenarios could be eliminated. Partial recapitalization would produce outcomes between the two scenario estimates. As of this writing, the initiative is in progress, Kelp has not announced a formal loss allocation decision, and the outcome remains uncertain.

Parting Thoughts

DeFi lending is genuinely compelling. Rates are algorithmically efficient, markets are transparent, and for institutions that have borrowed stablecoins against bitcoin or Ethereum, the savings relative to regulated lenders have been real and meaningful. The industry-wide response to this incident, with ecosystem participants voluntarily contributing funds to make users whole, is itself notable. It does not, however, change the structural analysis.

The Kelp DAO exploit illustrates what that rate differential is compensating for: technical risks from infrastructure layers outside the protocol’s control, economic risks from algorithmic rate systems that respond to crises without institutional flexibility, governance risks from token holders with no fiduciary accountability, and systemic risks from a composability model that transmits failures across protocols in ways no participant can fully map. The USDC and USDT borrowers who saw rates quadruple had exposure to none of these risks in any direct sense.

These risks are not priced into the rate. The rate model captures utilization dynamics; it has no mechanism to price bridge configuration decisions at upstream protocols, governance votes by anonymous token holders, or the bank-run behavior of other depositors in a crisis. The risks that materialized in April 2026 were largely invisible before they crystallized, not because they were hidden, but because DeFi’s composability means that risk layers accumulate across protocols, chains, and infrastructure in ways no participant can fully track or model.

DeFi is often decentralized in name only. Governance power concentrates among a small number of insiders who hold enough tokens to set the terms for everyone else. The industry would be more honest calling it OpenFi, one of its earliest descriptors. At least that drops the pretense of decentralization while keeping the part that is actually true.

The Kelp exploit is the most concrete demonstration yet of why DeFi lending platforms, whatever their efficiency advantages, are not suitable as primary borrowing infrastructure for institutional capital. The absence of a counterparty relationship is not a feature. It is the condition that makes every other risk in this report unmanageable when things go wrong. In regulated lending, an institution can call its lender. In DeFi, the protocol does not know who you are.


This report has been prepared solely for informational purposes and does not represent investment advice or provide an opinion regarding the fairness of any transaction to any and all parties nor does it constitute an offer, solicitation or a recommendation to buy or sell any particular security or instrument or to adopt any investment strategy. Charts and graphs provided herein are for illustrative purposes only. This report does not represent valuation judgments with respect to any financial instrument, issuer, security or sector that may be described or referenced herein and does not represent a formal or official view of New York Digital Investment Group or its affiliates (collectively NYDIG). It should not be assumed that NYDIG will make investment recommendations in the future that are consistent with the views expressed herein, or use any or all of the techniques or methods of analysis described herein. NYDIG may have positions (long or short) or engage in securities transactions that are not consistent with the information and views expressed in this report. The information provided herein is valid only for the purpose stated herein and as of the date hereof (or such other date as may be indicated herein) and no undertaking has been made to update the information, which may be superseded by subsequent market events or for other reasons. The information in this report may contain forward-looking statements regarding future events, targets or expectations. NYDIG neither assumes any duty to nor undertakes to update any forward-looking statements. There is no assurance that any forward-looking events or targets will be achieved, and actual outcomes may be significantly different from those shown herein. The information in this report, including statements concerning financial market trends, is based on current market conditions, which will fluctuate and may be superseded by subsequent market events or for other reasons.
Information furnished by others, upon which all or portions of this report are based, are from sources believed to be reliable. However, NYDIG makes no representation as to the accuracy, adequacy or completeness of such information and has accepted the information without further verification. No warranty is given as to the accuracy, adequacy or completeness of such information. No responsibility is taken for changes in market conditions or laws or regulations and no obligation is assumed to revise this report to reflect changes, events or conditions that occur subsequent to the date hereof. Nothing contained herein constitutes investment, legal, tax or other advice nor is it to be relied on in making an investment or other decision. Legal advice can only be provided by legal counsel. NYDIG shall have no liability to any third party in respect of this report or any actions taken or decisions made as a consequence of the information set forth herein. By accessing this report, the recipient acknowledges its understanding and acceptance of the foregoing terms.
