Kelp DAO $292M Exploit Triggers DeFi Bank Run
The $292M exploit of Kelp DAO's rsETH token due to a cross-chain verification flaw sparked panic across DeFi, with Aave's TVL plunging $6.4B and AAVE token falling 18% as depositors rushed to withdraw, highlighting systemic contagion risks.
Quick Take
Attacker tricked cross-chain bridge into minting 116,500 rsETH worth $292M
Single signature verification point enabled the exploit, not a LayerZero bug
Panic withdrawals hit Aave, Morpho, Sky, jupLend; Aave TVL dropped 23%
Calls for stronger security floors in modular DeFi design intensify
Market Impact Analysis
BearishA major exploit triggering a full-on bank run erodes confidence in DeFi, likely causing sell-offs, further withdrawals, and potential regulatory scrutiny.
Speculation Analysis
Key Takeaways
- Attacker forged a cross-chain message to mint 116,500 rsETH worth $292M.
- Single verification point in Kelp DAO’s bridge allowed the exploit, not a LayerZero bug.
- Panic withdrawals hit Aave, Morpho, Sky, and jupLend; Aave TVL sank 23%.
- Calls intensify for mandatory security floors in modular DeFi design.
What Happened
Kelp DAO, a liquid restaking protocol, was exploited for $292 million when an attacker manipulated its cross-chain messaging. The breach triggered panic across DeFi lending markets. Depositors rushed to exit positions on Aave, Morpho, Sky, and jupLend, fearing contagion. Aave alone saw $6.4 billion in outflows, a 23% TVL drop, while its token plunged 18%. The exploit did not compromise Aave’s contracts, but the fear-driven bank run underscored systemic vulnerability.
The Numbers
The attacker minted 116,500 rsETH tokens—roughly 18% of the supply—by forging a single cross-chain message. Aave’s TVL cratered from $26.4 billion to around $20 billion within hours. The AAVE token fell more than 18% during the weekend panic. Other protocols like Morpho and Sky also recorded significant outflows, though exact figures remain fluid.
Why It Happened
A critical configuration flaw enabled the exploit. Kelp DAO’s cross-chain bridge relied on a single verification point, allowing the attacker to forge a valid message without breaking smart contracts. The verification layer accepted one signature to release funds, a design choice that lacked a security floor. Developers argue that modular DeFi systems often allow projects to set dangerously low security parameters, akin to letting amusement parks decide their own safety standards.
Broader Impact
The incident exposes a structural weakness in cross-chain messaging. If protocols can configure minimal verification layers, entire lending ecosystems become vulnerable to single-point failures. This may accelerate calls for mandated security standards in modular DeFi frameworks. Regulators could also scrutinize similar designs, while insurers and risk managers reassess coverage for liquid restaking tokens.
What to Watch Next
- Aave deposit flows: Monitor whether TVL stabilizes or further withdrawals signal prolonged stress.
- Protocol responses: Watch for Kelp DAO’s recovery plan and any compensation proposals.
- Security standard debates: Track developer discussions on mandatory DVN configurations and security floors.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
