Alert: KelpDAO’s $300 Million Exploit Concentrated on Layer 2 Routes, Core Ethereum L1 Unaffected
A major security breach has struck the DeFi sector, with KelpDAO suffering a near-$300 million exploit concentrated on its Layer 2 bridge infrastructure. Anonymous sources with direct knowledge confirm the attack vector is isolated to L2 routes, stating with confidence that 'Core L1 ETH is not impacted.' The incident began when a wallet funded via Tornado Cash triggered a malicious transaction through LayerZero, releasing approximately 116,500 rsETH—worth roughly $292 million and representing 18% of the token's circulating supply—to an attacker. Two subsequent attempts to drain another $100 million were blocked after KelpDAO's emergency multisig executed a critical 'pauseAll' function.
If both extra attempts had worked, the total loss would have reached about $391 million, according to the sources.
Attackers dump rsETH into Aave and rattle ZRO
The stolen rsETH was deposited into Aave V3 as collateral, then used to borrow large amounts of ETH and WETH, with funds routed back through Tornado Cash. That raised the risk of bad debt at Aave, with estimates putting the exposure at up to $177 million.
Aave then froze all rsETH markets on both V3 and V4 and said the flaw was in rsETH, not in its own contracts. SparkLend shut its rsETH market. Fluid froze activity. Upshift paused both High Growth ETH and Kelp Gain vaults. Exposure also ran through products tied to Pendle, Compound, Euler, Beefy, and Yearn.
The private briefings reviewed by Cryptopolitan point in a narrower direction than the market panic first suggested.
Our sources said L1 rsETH remains fully backed and that the relevant Aave market is “completely solvent.” One message said weETH is not affected, liquid vault management is operating as normal, and LiquidETH and LiquidUSD users will not face drawdowns because excess borrow costs from the Aave spike will be covered.
“Out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped. WETH reserves also remain frozen across affected markets including Ethereum, Arbitrum, Base, Mantle, and Linea. Aave is actively validating information and assessing potential resolutions.”
– Aave
Early investigations said the problem was enabled by a 1-of-1 DVN setup on the Kelp rsETH Unichain to Ethereum route, which allowed unbacked tokens to be released on Ethereum without a legitimate source-side burn.
Another source told us that another platform’s own LayerZero OFT bridges use a minimum 2/2 DVN setup, scale to 3 on busier routes, and include inbound and outbound rate limits. That platform still paused all LZ OFT bridges as a precaution, but also froze its Teller contract, the module handling deposits, withdrawals, and share minting.
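A simplified model of the two controls described above, verifier quorum and inbound rate limits, added here as an illustration; it is not code from Kelp, LayerZero, or the platform quoted. The route names, DVN labels, and the 10,000-token window limit are constructed, and the 116,500 amount is the figure reported in this article.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    name: str
    required_dvns: frozenset          # every listed verifier must attest (N-of-N)
    inbound_limit: Optional[float]    # max tokens releasable per window; None = unlimited
    released: float = 0.0             # amount already released in this window

def audit(route, min_dvns=2):
    """Return configuration findings for one route."""
    findings = []
    if len(route.required_dvns) < min_dvns:
        findings.append("single-verifier quorum")
    if route.inbound_limit is None:
        findings.append("no inbound rate limit")
    return findings

def try_release(route, amount, attestations):
    """Release on the destination only if all required DVNs attested
    and the inbound limit for the window is not exceeded."""
    if not route.required_dvns <= set(attestations):
        return "rejected: quorum not met"
    if route.inbound_limit is not None and route.released + amount > route.inbound_limit:
        return "rejected: inbound rate limit"
    route.released += amount
    return "released"

def demo():
    # Constructed configs: one like the 1-of-1 route, one like the 2/2 + limits setup.
    weak = Route("1-of-1, no limit", frozenset({"dvn-a"}), None)
    hard = Route("2-of-2, limited", frozenset({"dvn-a", "dvn-b"}), 10_000)
    results = {}
    for r in (weak, hard):
        results[r.name] = {
            "audit": audit(r),
            # Message with no matching source-side burn, attested by dvn-a alone.
            "unbacked": try_release(r, 116_500, {"dvn-a"}),
            # Fully attested message that still exceeds the window limit.
            "oversized": try_release(r, 116_500, {"dvn-a", "dvn-b"}),
            # Ordinary, fully attested transfer.
            "normal": try_release(r, 5_000, {"dvn-a", "dvn-b"}),
        }
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In this model the single-verifier route releases the unbacked amount on one attestation, while the two-verifier route rejects it, and the rate limit caps what a fully attested message can release in one window.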
Protocols halt withdrawals and wait for liquidity
According to the sources, “borrow rates on Aave have spiked and Ethereum exit queue has filled which makes delevering harder/more expensive.” Another said Kelp had not yet decided how losses would be covered or socialized and that the best case would be for losses to land only on the L2s where the exploit happened.
Deposits were frozen because delayed oracle reports could create unfair share minting. Withdrawals were described as “technically not paused,” but they could not be processed without more clarity from Kelp and Aave.
Mellow is now looking for windows to exit, but has not been able to do so because premiums to swap from stETH to ETH were too high and the Ethereum exit queue was clogged. Teams held back oracle updates because they did not know how to price rsETH after the losses.
One source said, “We just don’t know how to price rsETH.” Another said, “0 news so far,” when asked about progress from Kelp or Aave. In one worst case, losses were estimated at around 9,000 ETH.
Another estimate put a possible 6.2% hit on top-level depositors if losses reached L1 and broader backstops were not used. Separate messages said incoming protocol liquidity may arrive by Tuesday or Wednesday to help process larger withdrawals.
EtherFi has told its users on X that:
“EtherFi Liquid vaults are unaffected by the recent Kelp rsETH incident. Liquid vault users will not experience any drawdowns.”
Meanwhile, as all this is happening, we also learned that Vercel has been breached and that the attacker has listed its customers’ data, source code, databases, and keys for sale.
Vercel has already announced publicly on Telegram that they “identified a security incident involving unauthorized access to their internal systems.”