Kelp DAO Bridge Exploit: Aave Outflows Post-Mortem

Frequently Asked Questions

01.What caused the nine-billion-dollar outflow from Aave in April 2026?

An attacker compromised a 1-of-1 LayerZero DVN verifier serving Kelp DAO's rsETH bridge on April 18 2026, minted 116,500 unbacked rsETH, deposited the stolen tokens on Aave V3 as collateral, and borrowed real WETH. Depositor panic then drained roughly eight-and-a-half billion dollars over 48 hours according to DeFiLlama.

02.How does isolated market design reduce bad debt cascade risk?

Isolated markets in Morpho Blue and Euler V2 Vault Kit pin each oracle, interest rate model, and liquidation threshold to a single collateral pairing, so a depeg in one asset cannot force losses onto suppliers of unrelated reserves. Morpho reported approximately one million dollars of exposure to the Kelp incident, compared with roughly one hundred and ninety-six million dollars of bad debt concentrated in Aave's rsETH and WETH pool.

03.Which EU regulations apply to a DeFi bridge exploit of this scale?

Article 68 of Regulation (EU) 2023/1114 (MiCA) requires crypto asset service providers to meet the ICT resilience standards of Regulation (EU) 2022/2554 (DORA). Under DORA Article 19 an authorised CASP in the European Union must report a major ICT-related incident to the competent authority without undue delay, and must inform clients when the incident affects their financial interests.