KelpDAO Exploit Converts Fake rsETH Into Aave Bad Debt

Kelp DAO’s bridge was exploited when attackers minted falsified rsETH and used it as collateral on the Aave lending protocol to borrow wrapped ETH (WETH). By converting counterfeit tokens into borrowings on Aave, the exploit created unsecured debt for the lending platform. On April 18 the Arbitrum Security Council, working with SEAL 911, froze 30,766 ETH on the Arbitrum network and prevented those funds from moving off-chain. That freeze allowed stakeholders to recover roughly $71 million; about $220 million in assets remain missing.

Security analysts traced the flow of funds and concluded the attackers avoided large spot-market sales to reduce slippage and early detection. Instead they routed the operation through Aave, where falsely issued rsETH served as accepted collateral for WETH loans. Wenzhao Dong, a Certik analyst, noted, “A bridge vulnerability doesn’t stay isolated; it turns into a problem for lending markets. By using falsely minted rsETH as collateral on Aave to borrow WETH, the attacker changed a bridge theft into Aave bad debt.” He said using a lending market as a conversion channel shifts liquidation and repayment risk onto the protocol that accepted the collateral.

Kelp DAO thanked the Arbitrum Security Council and credited SEAL 911 for coordination that enabled the freeze. The protocol stated its priority is restoring the rsETH peg and returning value to rsETH holders. Kelp DAO is working with Aave and other partners on technical and financial steps to address the bad debt and to locate the remaining missing assets.

The council acted after receiving information from law enforcement and other investigators about the exploiter’s identity. The freeze stopped an immediate cashout but has not recovered all funds. Forensic tracing across chains and ongoing investigations continue to follow the missing assets and the addresses involved.

The response has prompted debate about emergency governance powers. Some users warned that the ability to freeze assets could undermine decentralization. Others argued that rapid intervention can protect users from sophisticated attackers. The Arbitrum Security Council stated it weighed community security and aimed to limit effects on legitimate users and applications when authorizing the freeze.

Security specialists advised projects to expand risk models to include cross-protocol contagion from bridges, oracles and lending platforms. Dong added, “DeFi security is interconnected,” and urged protocols to assess how dependencies can spread risk. Aave and other lenders face pressure to review collateral checks and liquidity assumptions to reduce exposure to counterfeit or mispriced tokens.

Kelp DAO and cooperating partners continue forensic tracing and recovery work and will pursue legal and technical avenues to track and reclaim stolen funds. The protocol and its partners are also assessing compensation or stabilization options for affected users.