KelpDAO Exploit Post-Mortem

Context

On April 18, 2026, KelpDAO’s rsETH bridge infrastructure was exploited through its LayerZero-based OFT setup, and about 116,500 rsETH was fraudulently released from the bridge. The attacker did not dump the tokens directly. Instead, they used the stolen rsETH as collateral on some DeFi lending protocols (most notably Aave) to borrow real ETH liquidity. By the end of the exploit, the attacker had walked away with about $292 million.

But you knew this already. What I’d like to unbox here is how protocols, funds and curators reacted in order to preserve their balance sheets.

Cascading effects

The first X post after the exploit came at 7:41 PM UTC.

Not long after, more news broke that Aave had been affected too. Aave’s shared pool architecture, which in times of ‘peace’ contributes to the protocol’s capital efficiency, became its biggest vulnerability. The protocol was left carrying potential bad debt exposure across its lending pools.

As the news spread, depositors moved quickly to withdraw WETH liquidity. 

The WETH market, amongst others, reached 100% utilization, leaving no remaining free liquidity for withdrawals and effectively trapping depositors who didn’t withdraw their WETH fast enough.  

How curators/protocols/asset managers responded

The exploit was an unfortunate opportunity for protocols, funds and curators to put their mitigation mechanisms to the test. 

Yuzu had zero direct rsETH exposure. But the secondary effects pushed several underlying strategies into negative carry. The final reconciled drawdown by April 24 came to $168,167.83 and that entire loss was allocated to the junior tranche, yzPP. Junior NAV moved from $1.1376 to $1.0902 per unit, a 4.17% haircut. Senior holders (yzUSD, syzUSD) were unaffected; their yield distributions during the affected week were funded entirely by the Reserve Fund. Redemptions resumed immediately after the slashing event. The architecture worked as advertised, including the junior tier taking on the risk it had been paid to provide all along.

Avant runs a senior/junior tranche structure (savAssets, avAssetX) on top of a per-asset Reserve Fund. The Reserve Fund is capitalized by protocol fees and secured in MPC wallets, sitting as the explicit first-loss layer for third-party platform exploits that ripple back through Avant's positions. The KelpDAO incident was exactly that scenario. Avant paused its LayerZero OFT bridges from Movement as a precaution while the team assessed exposure. Neither senior nor junior depositors were touched as the Reserve Fund absorbed the hit.

Lido's EarnETH vault took a similar approach with a smaller buffer. EarnETH had about 9% direct exposure to rsETH, around $21.6 million of vault TVL. The Lido DAO activated a $3M first-loss protection mechanism, structured to burn the DAO's own vault shares before any realized loss reached EarnETH depositors. 

EtherFi's Liquid vaults did the same kind of internalization at the protocol level, committing publicly that vault users would not see drawdowns, despite elevated borrow costs on Aave.

Ethena had zero rsETH exposure. The team released an updated proof of reserves earlier than scheduled, holding the line at 101.2% USDe overcollateralization. It then paused its LayerZero OFT bridges from Ethereum mainnet for some time to check for the root cause of the exploit, and allowed bridging to continue once the check was completed. Users could still mint, redeem, and stake USDe on mainnet.

Midas paused all mToken minting and redemptions on April 18 as a precaution, even though its smart contracts were unaffected and it carried no rsETH exposure. Services resumed gradually on April 19 once the root cause was clearer. RockawayX did the same for its RWA exposure, confirming zero rsETH exposure across its Kamino and Morpho vaults. 

Lastly, while Aave has always had a safety module for similar situations, this particular exploit involved a fake mint to mainnet, which created some confusion about whether the rsETH OFT losses would be covered under the reserve fund. In the end, the industry came together through DeFi United, and a voluntary pool of funds was raised to plug the gap, including an Aave DAO proposal that includes 25,000 ETH.

Takeaways

The exploit shocked the DeFi community, but also brought it together. It also proved that internal mitigation mechanisms actually work. Funds that came through this exploit clean had pre-funded loss-absorption built into their architecture before they needed it. These exist precisely because exploits and liquidity crises are not "if" events in DeFi; they're "when" events, which leads to the second point.

More importantly, swift communication and accounting transparency in times of crisis have been critical in maintaining investor confidence. Having a near-real-time, fully traceable Balance Sheet, P&L and NAV is becoming table stakes, which is exactly why we’re building PennyWorks.

Closing Thoughts

Crisis tends to separate the prepared from the improvising. Treasury mechanisms and reserve funds matter, but they only work if the books behind them do too. That's why it is essential that fund managers start to lean on a trusted third party to compute NAV in near real time, giving themselves and their LPs the inputs to make decisions without delay.
