Exploring the $292 Million Kelp Exploit: Implications for DeFi Security

A weekend exploit of approximately $292 million has shaken the cryptocurrency market, highlighting vulnerabilities within decentralized finance (DeFi) frameworks and sparking concerns about potential ripple effects on lending protocols. Ongoing investigations indicate that the attack focused on Kelp’s rsETH token, a yield-bearing variant of Ethereum, and its cross-chain asset transfer mechanism.

The perpetrator exploited this system to generate an excessive number of tokens without proper backing, subsequently using them as collateral to extract genuine assets from lending markets, primarily from Aave, the leading decentralized crypto lender.

This incident follows closely on the heels of a $285 million exploit targeting the Solana-based protocol Drift, further undermining investor confidence in the nearly $90 billion DeFi sector.

Charles Guillemet, CTO at Ledger, explained to CoinDesk that the attack targeted a LayerZero bridge component—a system that facilitates asset transfers across blockchains. These bridges typically operate by locking assets on one chain and issuing equivalent tokens on another, relying on an oracle or validator to verify deposits.

In this instance, Kelp acted as the verifier using a single-signer setup, allowing one entity to approve all transactions. According to Guillemet, the attacker exploited this mechanism to mint substantial amounts of rsETH, though how they obtained access remains unclear.

Michael Egorov, founder of Curve Finance, highlighted the risks associated with relying on a singular trusted party within such configurations. This setup enabled the attacker to generate unbacked tokens without corresponding assets locked in the source chain.
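The single-signer weakness described above, shown as an added example that is not code from the article, Kelp, LayerZero or Aave: a simplified lock-and-mint bridge model that compares a 1-of-1 verifier set with a 2-of-3 set and adds an independent backing check. The verifier names, keys, message format and the use of HMAC in place of real signatures are constructed assumptions.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC stands in for the real signature scheme.
VERIFIER_KEYS = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}

def attest(verifier_id, message, keys=VERIFIER_KEYS):
    """Produce one verifier's attestation over a cross-chain mint message."""
    return hmac.new(keys[verifier_id], message, hashlib.sha256).hexdigest()

def accepted(message, attestations, required, threshold, keys=VERIFIER_KEYS):
    """Destination-side check: `threshold` distinct configured verifiers signed."""
    valid = set()
    for verifier_id, tag in attestations.items():
        expected = attest(verifier_id, message, keys) if verifier_id in required else ""
        if expected and hmac.compare_digest(tag, expected):
            valid.add(verifier_id)
    return len(valid) >= threshold

class Bridge:
    """Tracks what is locked on the source chain and minted on the destination."""

    def __init__(self, required, threshold):
        self.required, self.threshold = set(required), threshold
        self.locked = self.minted = 0

    def lock(self, amount):
        self.locked += amount

    def mint(self, message, amount, attestations):
        if not accepted(message, attestations, self.required, self.threshold):
            return False
        self.minted += amount
        return True

    def fully_backed(self):
        # Independent invariant a monitor or lender can check before taking collateral.
        return self.minted <= self.locked

def run_scenario(required, threshold):
    """One honest 10-unit deposit, then a 1000-unit message signed only by v1."""
    bridge = Bridge(required, threshold)
    bridge.lock(10)
    honest = b"mint:10:nonce=1"
    bridge.mint(honest, 10, {v: attest(v, honest) for v in required})
    unbacked = b"mint:1000:nonce=2"  # no matching lock; how v1 came to sign is out of scope
    took = bridge.mint(unbacked, 1000, {"v1": attest("v1", unbacked)})
    return took, bridge.fully_backed()
```

`run_scenario(["v1"], 1)` accepts the unbacked mint and breaks the backing invariant, while `run_scenario(["v1", "v2", "v3"], 2)` rejects it because one signer alone cannot reach the threshold.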

Once created, these tokens were quickly used as collateral in lending protocols like Aave, converting the problem from an isolated exploit into a broader market concern. DeFi lending platforms are now burdened with difficult-to-unwind collateral and liquidated real assets.

“Aave ended up holding rsETH, which is nearly unsellable, and borrowed ETH to its limit,” Egorov noted, indicating that users were unable to withdraw their ETH.

As a consequence, Aave and similar platforms face potential exposure to hundreds of millions in questionable collateral and bad debt. This situation could trigger a ‘bank run’ as users rush to reclaim funds. Following the incident, Aave reported approximately $6 billion in asset withdrawals, with its associated token value declining by about 15% over the last trading day.

The exact method by which the validator was compromised remains uncertain, raising questions about whether it involved hacking, misconfiguration, or deception. The attacker’s identity is also unknown, though Guillemet suggested that the complexity of the attack points to a sophisticated actor.

Beyond immediate financial losses, this exploit underscores how interconnectivity within DeFi can cause failures in one area to cascade across the system. Egorov emphasized that non-isolated lending models, where assets share risk, exacerbate such impacts, and he highlighted issues with the onboarding processes for new assets, such as Kelp’s 1-of-1 verifier setup.

Despite these challenges, Egorov sees a positive aspect: “Crypto is an unforgiving environment that no traditional bank would survive—yet we are working within it. I believe DeFi will emerge stronger from this incident.” Nevertheless, such events erode trust in DeFi protocols and chip away at investor confidence.

“The trust in DeFi protocols diminishes with incidents like these,” Guillemet stated. “And 2026 may well be the worst year for hacks yet again.”
