KelpDAO’s $300 million exploit appears to be concentrated on Layer 2 routes

KelpDAO’s $300 million exploit now looks more like a Layer 2 failure than a direct break on the Ethereum mainnet, as fears of DeFi contagion from interactions across chains rise in the community.

Sources who have been granted anonymity reached out to Cryptopolitan and said they had “confidence that Core L1 ETH is not impacted” and that the issue “sits on L2s.”

The attack began after a wallet funded through Tornado Cash’s 1 ETH pool waited about ten hours, then called lzReceive on LayerZero’s EndpointV2 contract. That triggered KelpDAO’s bridge logic and released 116,500 rsETH to an attacker’s wallet.

The tokens were worth about $292 million and made up roughly 18% of rsETH’s circulating supply of around 630,000. Two more packets then targeted 40,000 rsETH each, or roughly another $100 million combined, but both reverted after KelpDAO’s emergency multisig executed pauseAll.

If both extra attempts had worked, the total loss would have reached about $391 million, according to the sources.

Attackers dump rsETH into Aave and rattle ZRO

The stolen rsETH was deposited into Aave V3 as collateral, then used to borrow large amounts of ETH and WETH, with funds routed back through Tornado Cash. That raised the risk of bad debt at Aave, with estimates putting the exposure at up to $177 million.

Aave then froze all rsETH markets on both V3 and V4 and said the flaw was in rsETH, not in its own contracts. SparkLend shut its rsETH market. Fluid froze activity. Upshift paused both High Growth ETH and Kelp Gain vaults. Exposure also ran through products tied to Pendle, Compound, Euler, Beefy, and Yearn.

The private briefings reviewed by Cryptopolitan point in a narrower direction than the market panic first suggested.

Our sources said L1 rsETH remains fully backed and that the relevant Aave market is “completely solvent.” One message said weETH is not affected, liquid vault management is operating as normal, and LiquidETH and LiquidUSD users will not face drawdowns because excess borrow costs from the Aave spike will be covered.

“Out of an abundance of caution, rsETH remains frozen across Aave V3 and V4 and exposure to the incident is capped. WETH reserves also remain frozen across affected markets including Ethereum, Arbitrum, Base, Mantle, and Linea. Aave is actively validating information and assessing potential resolutions.”

– Aave

Early investigations said the problem was enabled by a 1-of-1 DVN setup on the Kelp rsETH Unichain to Ethereum route, which allowed unbacked tokens to be released on Ethereum without a legitimate source-side burn.

Another source told us that another platform’s own LayerZero OFT bridges use a minimum 2/2 DVN setup, scale to 3 on busier routes, and include inbound and outbound rate limits. That platform still paused all LZ OFT bridges as a precaution, but also froze its Teller contract, the module handling deposits, withdrawals, and share minting.

Protocols halt withdrawals and wait for liquidity

According to the sources, “borrow rates on Aave have spiked and Ethereum exit queue has filled which makes delevering harder/more expensive.” Another said Kelp had not yet decided how losses would be covered or socialized and that the best case would be for losses to land only on the L2s where the exploit happened.

Deposits were frozen because delayed oracle reports could create unfair share minting. Withdrawals were described as “technically not paused,” but they could not be processed without more clarity from Kelp and Aave.

Mellow is now looking for windows to exit, but has not been able to do so because premiums to swap from stETH to ETH were too high and the Ethereum exit queue was clogged. Teams held back oracle updates because they did not know how to price rsETH after the losses.

One source said, “We just don’t know how to price rsETH.” Another said, “0 news so far,” when asked about progress from Kelp or Aave. In one worst case, losses were estimated at around 9,000 ETH. 

Another estimate put a possible 6.2% hit on top-level depositors if losses reached L1 and broader backstops were not used. Separate messages said incoming protocol liquidity may arrive by Tuesday or Wednesday to help process larger withdrawals.

EtherFi has told its users on X that:

“EtherFi Liquid vaults are unaffected by the recent Kelp rsETH incident. Liquid vault users will not experience any drawdowns.”

Meanwhile, as all this is happening, we also received knowledge that Vercel has been breached and that the attacker has listed their customers’ data, source code, databases, and keys up for sale.

Vercel has already announced publicly on Telegram that they “identified a security incident involving unauthorized access to their internal systems.”

If you want a calmer entry point into DeFi crypto without the usual hype, start with this free video.