Aave Navigates Bad Debt Risks Following $293 Million Kelp DAO Exploit

Aave is currently managing potential bad debt after hackers exploited a LayerZero-powered bridge to steal 116,500 Kelp DAO Restaked ETH (rsETH) tokens, valued at approximately $293 million. The attackers utilized these stolen assets as collateral on Aave V3 to borrow wrapped Ether (wETH), creating a significant liquidity risk for the lending platform. LlamaRisk has modeled two primary scenarios to address the resulting bad debt, with the final resolution depending on Kelp DAO's allocation of losses. The incident has already triggered broader DeFi instability, with nearly $10 billion in value exiting Aave protocols since the exploit occurred over the weekend. In the first model, losses would be distributed across all rsETH holders on both the Ethereum mainnet and Layer 2s. This approach would result in roughly $123.7 million of bad debt on Aave and could cause rsETH to depeg by an estimated 15% relative to ETH. Aave may utilize its Umbrella security model, which currently has $43.7 million in aWETH in the unstaking cooldown phase, to mitigate these losses. The second scenario concentrates the shortfall on Layer 2 networks, specifically Arbitrum and Mantle. While this protects the mainnet, it increases the bad debt on Aave to $230.1 million. To cover such a gap, Aave could tap into its treasury, which holds approximately $181 million. Kelp DAO reported that the breach occurred after two LayerZero bridge nodes were compromised and a third suffered a DDoS attack. This allowed the attacker to forge a valid transfer message and mint the rsETH. The protocol has since paused relevant contracts and blacklisted the exploiter's wallets, preventing the theft of an additional 40,000 rsETH.