# DeFi Shaken by rsETH Attack

*Author: Jack Inabinet*

*Published: Apr 20, 2026*

*Source: https://www.bankless.com/de/trapped-liquidity-7b-bank-run-freezes-cryptos-leadin-lenders-locked-in*

---

As crypto continues to grapple with the latest DeFi exploit, the space is reckoning with an existential question: ***Is any DeFi application truly safe?***

Over the weekend, crypto’s premier lending marketplaces were hit by this year’s largest DeFi exploit, involving a sophisticated attacker who compromised Kelp DAO’s LayerZero-powered bridge to illicitly mint 116.5k rsETH.

The newly minted (and unbacked) tokens worth approximately $290M were then deposited into Aave and other leading lending protocols, where they were used as collateral to borrow *hundreds of millions of dollars in ETH*, producing bad debt and triggering an industry-wide liquidity crisis.

## What Went Wrong?

The attack unfolded rapidly in two phases, successfully exploiting weaknesses in Kelp DAO’s LayerZero-powered bridge before draining hundreds of millions of dollars from Aave via unbacked rsETH loans.

### Phase 1: LayerZero Breach

Kelp DAO’s rsETH cross-chain bridge relied on LayerZero’s messaging infrastructure. Critically, Kelp DAO configured its integration with the weakest possible security model, a 1-of-1 Decentralized Verifier Network (DVN) setup. This granted a single validator node, operated by LayerZero Labs, full authority to approve cross-chain messages.

While LayerZero’s incident [post-mortem](https://x.com/LayerZero_Core/status/2046081551574983137?s=20) claims it cautioned against minimal security setups and recommended multi-verifier configurations for high-value bridges, its protocol still permits 1-of-1 deployments. Further, an [estimated](https://x.com/Dune/status/2046257791321670098?s=20) 47% of protocols on LayerZero use the same configuration.
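
To make the 1-of-1 risk concrete, the following added example (not code from the article, Kelp DAO or LayerZero) audits verifier configurations for how many independent operators would have to be compromised before a message is approved. The required/optional-threshold model, the field names, and the verifier and operator names are assumptions of this sketch.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class VerifierConfig:
    """Simplified verifier-set model; field names are this example's own."""
    required: frozenset                 # every required verifier must attest
    optional: frozenset = frozenset()   # pool of additional verifiers
    optional_threshold: int = 0         # how many of the optional pool must attest

    def accepts(self, attesters):
        """True if this set of attesting verifiers is enough to approve a message."""
        attesters = frozenset(attesters)
        return (self.required <= attesters
                and len(self.optional & attesters) >= self.optional_threshold)

def min_operators_to_forge(cfg, operator_of):
    """Fewest distinct operators whose compromise alone gets a message approved."""
    verifiers = cfg.required | cfg.optional
    operators = sorted({operator_of[v] for v in verifiers})
    for k in range(len(operators) + 1):
        for group in combinations(operators, k):
            controlled = {v for v in verifiers if operator_of[v] in group}
            if cfg.accepts(controlled):
                return k
    return None  # unsatisfiable config (threshold larger than the optional pool)

def audit(name, cfg, operator_of, minimum=2):
    """Return a finding when fewer than `minimum` operators must be compromised."""
    k = min_operators_to_forge(cfg, operator_of)
    if k is None:
        return f"{name}: config can never be satisfied"
    if k < minimum:
        return f"{name}: {k} operator(s) can approve any message (single point of failure)"
    return None

# Constructed sample data: verifier and operator names are placeholders.
OPERATORS = {"dvn-a": "op-1", "dvn-b": "op-1", "dvn-c": "op-2",
             "dvn-d": "op-3", "dvn-e": "op-4", "dvn-f": "op-5"}
CONFIGS = {
    "one_of_one": VerifierConfig(required=frozenset({"dvn-a"})),
    "two_dvns_same_operator": VerifierConfig(required=frozenset({"dvn-a", "dvn-b"})),
    "two_required_plus_2_of_3": VerifierConfig(
        required=frozenset({"dvn-a", "dvn-c"}),
        optional=frozenset({"dvn-d", "dvn-e", "dvn-f"}), optional_threshold=2),
}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(audit(name, cfg, OPERATORS) or f"{name}: ok")
```

Counting operators rather than verifiers matters: two verifiers run by the same operator are still a single point of failure.
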

> remaining layerzero 1 of 1 bridges
>
> theoriq (base), orderly network (arbitrum, base, bsc, orderly, solana), zentry (bsc), swell network (swell, zircuit), almanak (base, bsc), anyone protocol (base, peaq), lightlink (lightlink), over the reality (peaq), river (base, bob, bsc,…
>
> — banteg (@banteg) [April 19, 2026](https://twitter.com/banteg/status/2045804597407617079?ref_src=twsrc%5Etfw)

The attacker exploited this single point of failure, spoofing a valid cross-chain message to [trick](https://www.coindesk.com/business/2026/04/19/the-usd292-million-kelp-exploit-how-it-happened-and-what-it-means-for-defi) the LayerZero-operated bridge into minting 116.5k unbacked rsETH directly to attacker-controlled addresses.

While Kelp DAO’s multisig froze core contracts shortly afterward, it was already too late to reverse the damage that would follow…

> Lazarus Group behind $290M KelpDAO exploit!
>
> TraderTraitor poisoned the RPC infrastructure (I tend to think that it’s their internal rpc, otherwise it would be named in bold text) used by LayerZero's DVN a- DDoSing legitimate nodes to force failover onto compromised ones, then… [https://t.co/0fm8dpKYS7](https://t.co/0fm8dpKYS7) [pic.twitter.com/pDfqB7xiBp](https://t.co/pDfqB7xiBp)
>
> — Vladimir S. | Officer's Notes (@officer_secret) [April 20, 2026](https://twitter.com/officer_secret/status/2046294895313252611?ref_src=twsrc%5Etfw)

### Phase 2: Aave Drain

Armed with their misappropriated tokens, the attacker then immediately deposited their rsETH to Aave V3 (and to a lesser extent, other platforms like SparkLend and Fluid).

This fictitious collateral position then allowed the exploiter to borrow large amounts of WETH against their unbacked tokens, producing an [estimated](https://x.com/0xWismerhill/status/2045799453588586614?s=20) $262M+ of bad debt for Aave lenders in the transactions' wake.

Instead of waiting for this bad debt to accrue against their positions, savvy DeFi lenders made a fear-motivated [rush](https://x.com/Marczeller/status/2045583631184282047?s=20) for the exits over the weekend, [draining](https://x.com/0xngmi/status/2045830559683768711?s=20) over $7B in assets from leading protocols in the exploit’s aftermath, including $6.2B from Aave, or roughly 23% of the lending market's total value locked.

The panic has been so severe that utilization rates across many Aave V3 ETH, USDC, and USDT markets have spiked to 100%, effectively locking in liquidity and preventing users from making further withdrawals.

> The rsETH hack is leading to withdrawals across all lending protocols, even on solana and unaffected protocols:
>
> - Aave: -6,200m (-23%) net inflows
> - Morpho: -716m (-9%)
> - Sky: -272m (-4%)
> - JupLend: -76m (-8%)
>
> — 0xngmi (@0xngmi) [April 19, 2026](https://twitter.com/0xngmi/status/2045830559683768711?ref_src=twsrc%5Etfw)

## **Current State of Affairs**

With billions in assets now effectively trapped across crypto lending markets, risk is compounding. Depositors are unable to actively manage positions because their collateral is already on loan; meanwhile, utilization-determined interest rates are spiking, placing additional pressure on borrower positions.

As liquidity evaporates and panic spreads, fears are mounting around further bad debt accumulation and broader DeFi contagion.

In an effort to contain the damage, Aave governance has [disabled](https://governance.aave.com/t/rseth-incident-2026-04-18/24481) rsETH markets across V3 and V4 deployments. Still, the move comes after the fact, and the protocol must contend with its hundreds of millions in outstanding bad debt before it can leave this ugly exploit saga behind.
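
The withdrawal lock and rate spike described above follow directly from pooled-lending arithmetic. This added example (not from the article or from Aave's code) models a pool with a kinked, utilization-based borrow rate; all balances and rate parameters are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Toy lending pool; rate parameters are constructed, not any protocol's real values."""
    deposits: float          # total supplied by lenders
    borrows: float           # total currently lent out
    optimal: float = 0.90    # kink: target utilization
    slope1: float = 0.04     # rate added between 0% utilization and the kink
    slope2: float = 0.60     # extra rate added between the kink and 100%

    @property
    def available(self):
        return self.deposits - self.borrows

    @property
    def utilization(self):
        return self.borrows / self.deposits if self.deposits else 0.0

    @property
    def borrow_rate(self):
        u = self.utilization
        if u <= self.optimal:
            return self.slope1 * u / self.optimal
        return self.slope1 + self.slope2 * (u - self.optimal) / (1 - self.optimal)

    def borrow(self, amount):
        if amount > self.available:
            raise ValueError("not enough liquidity to borrow")
        self.borrows += amount

    def withdraw(self, amount):
        """Pay out at most the idle liquidity; return what was actually paid."""
        paid = min(amount, self.available)
        self.deposits -= paid
        return paid

def run_queue(pool, requests):
    """Process withdrawals in order; record payout, utilization and rate after each."""
    return [(req, pool.withdraw(req), round(pool.utilization, 4), round(pool.borrow_rate, 4))
            for req in requests]

def scenario():
    pool = Pool(deposits=1000, borrows=700)   # constructed numbers: 70% utilized
    pool.borrow(150)                          # loan against collateral that proves worthless
    return pool, run_queue(pool, [100, 100, 100])

if __name__ == "__main__":
    for row in scenario()[1]:
        print("requested=%s paid=%s utilization=%s borrow_rate=%s" % row)
```

In the constructed scenario the second lender in the queue is only partly paid and the third receives nothing, because every remaining deposit is already lent out.
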

> 🚨 I don't think people realize how bad things are at [@aave](https://twitter.com/aave?ref_src=twsrc%5Etfw) right now.
>
> All core markets are at 100% utilization, that includes $3 bil in USDT and $2 bil in USDC stuck!
>
> That means you CAN'T WITHDRAW your money! A long post on why and how we ended up here.
>
> When the rsETH… [pic.twitter.com/9V4Yzu2wou](https://t.co/9V4Yzu2wou)
>
> — Duo Nine ⚡ YCC (@duonine) [April 19, 2026](https://twitter.com/duonine/status/2045903869688135815?ref_src=twsrc%5Etfw)

## **Where to Next?**

Aave’s V3 [staking module](https://app.aave.com/staking/?marketName=proto_mainnet_v3) holds $201M in stablecoins and $56M in WETH, capital that could be slashed to help absorb the rsETH-driven deficit. Beyond that, the protocol’s legacy [safety module](https://app.aave.com/safety-module/) contains an additional $266M in AAVE tokens, which could be sold to cover any remaining shortfalls.

While the size of these backstops suggests Aave will be able to absorb this specific loss without going insolvent, the rsETH exploit episode raises deeper concerns about the resilience of decentralized lending markets.

A shock of this magnitude could deter users from lending capital – and even more so from backstopping risk via staking/safety modules – potentially undermining confidence in the unified liquidity strategy that underlies Aave V3.

Crypto economic systems were always intended to be built on resilient, trust-minimized foundations. Unfortunately, in the race toward a smoother UX or flashier feature set, some teams have taken shortcuts, introducing fragile points of failure as clearly evidenced by the breakdown of Kelp DAO’s 1-of-1 LayerZero bridge verifier.

Episodes like this underscore the risks of poorly designed, quasi-centralized systems and demonstrate the immense consequences of shortcut-driven design.

If crypto is to fulfill its promise, builders must abandon fragile architectures and return to security-first principles rather than relying on brittle multisigs or single-signer architectures.

> Bridges have been the single biggest category of DeFi losses cumulatively.
>
> $2-3 billion in hacks since 2021.
>
> Unfortunately, much of the story of how we scaled DeFi over the past several years was through bridges.
>
> I'd estimate 35% of DeFi TVL today has some third-party… [pic.twitter.com/x4jwkuIgeJ](https://t.co/x4jwkuIgeJ)
>
> — RYAN SΞAN ADAMS - rsa.eth 🦄 (@RyanSAdams) [April 20, 2026](https://twitter.com/RyanSAdams/status/2046306759631950214?ref_src=twsrc%5Etfw)