A major security incident has rocked the DeFi sector, with losses now estimated at approximately $293 million. The exploit originated from a vulnerability in the rsETH bridge operated by liquid staking protocol KelpDAO. On-chain data reveals that a single user had over $280 million in assets stolen from various DeFi protocols operating on the Ethereum and Arbitrum networks.
The attacker's addresses were funded through the privacy tool Tornado Cash, a common method for obfuscating the source of funds in such exploits. In response to the escalating crisis, leading lending protocol Aave took swift emergency action. Its multisig guardian mechanism was activated to freeze all rsETH holdings within its lending markets on both Aave V3 and the newer Aave V4.
"This step was taken following an attack on the KelpDAO’s rsETH bridge," Aave stated officially. The protocol clarified that its own smart contracts were not directly compromised, placing the source of the vulnerability squarely on the rsETH side. The freeze temporarily suspends all new deposit and borrowing transactions using rsETH as collateral.
The primary motive for Aave's intervention is to contain the fallout and assess potential "bad debt"—uncollectible debt that may have been created on its platform following the exploit. The Aave team is conducting a thorough review of all rsETH borrowing activity that occurred post-attack and has pledged to share its findings publicly. The protocol also indicated it is evaluating various options to cover any resulting bad debt should it materialize.
