A critical vulnerability in the KelpDAO bridge built on LayerZero, exploited over the weekend, exposed the decentralized finance platform Aave to major financial risk. Aave's potential loss from the flaw in the cross-chain transfer mechanism was stated to be as high as $230 million.
How was the bridge vulnerability exploited?
According to the detailed report published by Aave Labs and LlamaRisk on the Aave governance forum, the incident revolves around the liquid restaking token rsETH. This token, issued by KelpDAO, circulates on several blockchains by way of a bridge system. The system works by locking the token on one chain and issuing its equivalent on the other.
In this process, however, the attacker managed to forge a message requesting a transfer. Although no tokens had actually left the sending chain, the message made it appear that they had, so new rsETH could be produced. In this way, 116,500 rsETH that was supposed to remain locked in the bridge was released on Ethereum.
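The lock-and-release accounting described above can be checked independently of the bridge's own message verification. The following is an added example, not code from KelpDAO, LayerZero or Aave: it reconciles releases on the escrow chain against sends recorded on the source chain, assuming Ethereum holds the escrow and every remote send reduces remote supply. The record fields, function name and all sample values except the 116,500 figure are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgeMsg:
    guid: str    # message identifier (hypothetical field name)
    amount: int  # rsETH amount, whole tokens for simplicity

def reconcile(sent, released, escrow_start, remote_supply_start):
    """Check releases on the escrow chain against sends seen on the source chain.

    Returns (alerts, shortfall). shortfall is how far remote supply exceeds the
    tokens still locked in escrow; it is 0 while the bridge is fully backed.
    """
    sent_by_id = {m.guid: m for m in sent}
    delivered, alerts = set(), []
    for r in released:
        s = sent_by_id.get(r.guid)
        if s is None:
            alerts.append((r.guid, "release with no send on source chain"))
        elif r.guid in delivered:
            alerts.append((r.guid, "message delivered more than once"))
        elif r.amount != s.amount:
            alerts.append((r.guid, "release amount differs from send"))
        delivered.add(r.guid)
    # Assumption: sends burn or lock tokens remotely; releases drain the escrow.
    remote_supply = remote_supply_start - sum(m.amount for m in sent)
    escrow = escrow_start - sum(r.amount for r in released)
    return alerts, remote_supply - escrow

# Constructed sample data; only the 116,500 figure comes from the article.
SENT = [BridgeMsg("0xa1", 1_000), BridgeMsg("0xa2", 250)]
RELEASED = SENT + [BridgeMsg("0xff", 116_500)]  # last entry has no source send

if __name__ == "__main__":
    alerts, shortfall = reconcile(SENT, RELEASED, 500_000, 500_000)
    for guid, reason in alerts:
        print(f"ALERT {guid}: {reason}")
    print(f"unbacked rsETH on remote chains: {shortfall}")
```

A nonzero shortfall is the same quantity a lending market would care about: collateral in circulation that the escrow no longer backs.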
Attacker deposited rsETH into Aave and withdrew large amounts
It was emphasized that, instead of selling the resulting rsETH, the attacker posted 89,567 of the tokens as collateral on the Aave platform. A total of $190 million worth of ETH and other assets was then withdrawn as debt on the Ethereum and Arbitrum networks. This left Aave holding a stock of collateral whose real value is questionable.
“Within hours of the attack, we froze rsETH markets, halted lending, and reduced collateral rates on this asset to zero.”
Shortly after the incident was detected, Aave Labs announced that it had completely suspended rsETH transactions as a precaution. In addition, new borrowing was blocked as a rapid risk-management measure.
What will determine the size of the loss?
The most significant uncertainty is how KelpDAO will cover the shortfall. If the loss is distributed equally across all rsETH holders, the token's value is predicted to deviate by approximately 15%, with $124 million of bad debt on Aave. If the losses are instead attributed only to Layer 2 solutions, around $230 million of bad debt will arise on networks such as Arbitrum and Mantle.
Experts stated that the incident was caused by a vulnerability in how transfer messages sent by KelpDAO over the LayerZero protocol were verified. Insufficient security controls in inter-layer messaging made it possible for the attacker to introduce unbacked funds into the system by creating fictitious backing. Although the LayerZero infrastructure was not directly targeted, the assumptions made at this message layer were shown to be incorrect.
Immediately after the incident, Aave users began withdrawing significant amounts of assets. The total value of assets locked on the platform fell by approximately $6 billion. This rapid exit reflected a loss of confidence and heightened risk concerns in the market.
The report stated that the Aave DAO treasury holds assets worth $181 million and that discussions are ongoing within the ecosystem on how to compensate for the losses. KelpDAO has not yet announced a definitive plan for how the damage will be shared among users.
The latest development shows how large DeFi platforms such as Aave can be indirectly affected by vulnerabilities in external exchange and bridge infrastructures. It is emphasized that, as cross-chain integration increases, similar risks require close monitoring.


