The rsETH/Kelp Incident (April 18, 2026)
What happened: The Kelp DAO rsETH LayerZero bridge was exploited for ~116,500 rsETH (~$292M). The attacker drained rsETH through a bridge vulnerability, creating a material backing shortfall — rsETH could no longer be redeemed 1:1 for its underlying ETH.
Contagion path through Aave:
- rsETH loses peg → positions collateralized by rsETH become undercollateralized
- Liquidators can’t profitably liquidate because rsETH’s market price diverges from oracle price
- Aave risk stewards freeze rsETH markets across all deployments within hours
- Borrowing rate spikes across ETH lending markets as leveraged positions attempt to unwind simultaneously
- Protocols with rsETH exposure through Aave (Lido EarnETH: $21.6M, 9% of vault TVL) absorb secondary losses
- Lido activates $3M first-loss buffer; proposes additional 2,500 stETH (~$5.8M) conditional contribution
Current recovery status:
- Arbitrum Security Council recovered ~$70M in ETH
- TokenLogic published [ARFC] rsETH Incident Funding Update proposing Aave DAO financial assistance
- Multiple parties coordinating: Kelp, LayerZero, Aave, Lido, Arbitrum Security Council
- rsETH markets remain frozen pending resolution
Bad debt exposure on Aave: TBD — depends on the final recovery amount, rsETH peg restoration, and whether the coordinated relief package (Aave DAO contribution + Lido stETH + Kelp/LayerZero recoveries) fully closes the deficit.
Prior Bad Debt Precedent #1: CRV/Eisenberg Incident (November 2022)
**What happened:** Avraham Eisenberg — who had previously exploited Mango Markets for $114M — attempted a CRV market manipulation attack using Aave V2. He accumulated a massive CRV borrowing position (~$47M) against USDC collateral on Aave V2 Ethereum, then attempted to short-squeeze CRV by creating artificial buying pressure.
How it generated bad debt:
- Eisenberg borrowed CRV against concentrated USDC positions
- CRV price moved against his position
- When liquidation triggered, the position was too large relative to available CRV liquidity
- Liquidators couldn’t profitably clear the position at market prices
- Aave V2 absorbed approximately **$1.6M in bad debt** from the residual shortfall
What changed because of it:
- Gauntlet and Chaos Labs recommended tighter supply caps across all markets
- LTV reductions for long-tail assets with thin liquidity
- Direct acceleration of V3’s isolated markets architecture and risk parameter framework
- Established the precedent that concentrated single-asset borrowing positions are the primary bad debt attack vector on lending protocols
- Aave eventually sued Eisenberg (who was later arrested and convicted for the Mango Markets exploit)
On-chain reference: The bad debt was recorded in Aave V2’s accounting on Ethereum mainnet. The Gauntlet post-mortem is available on this forum.
Prior Bad Debt Precedent #2: Multi-chain Bridge Collapse and Frozen Asset Bad Debts (2023)
What happened: When Multichain’s bridge infrastructure collapsed in July 2023, assets bridged through Multichain (including bridge-wrapped tokens on various L1s/L2s) became irredeemable. Several of these assets were listed as collateral or borrowable assets on Aave V2 deployments across chains.
How it generated bad debt:
- Bridge-wrapped tokens lost their backing when Multichain ceased operations
- Positions collateralized by affected tokens became permanently undercollateralized
- Since the tokens couldn’t be redeemed for their underlying assets, the positions couldn’t be unwound at par
- Combined with the Harmony bridge hack (June 2022) which affected bridged assets on Aave V3 Harmony, multiple pockets of stranded bad debt accumulated across non-Ethereum deployments
What changed because of it:
- Accelerated V3’s deployment of supply/borrow caps per asset
- Established bridge risk as a first-class consideration in asset listing decisions
- Led to the deprecation of Aave V2 markets on chains with compromised bridge infrastructure
- Risk stewards gained explicit freeze authority for third-party asset incidents
- The Asset Listing Committee now evaluates bridge dependency as a core risk factor
The Pattern Across All Three
Every bad debt event on Aave follows the same architecture:
External shock (market manipulation, bridge exploit, derivative depeg) → collateral impairment faster than liquidation can clear → residual bad debt absorbed by the protocol
The variable is scale and contagion speed:
| Incident |
Year |
Bad Debt |
Root Cause |
Contagion Path |
| CRV/Eisenberg |
2022 |
~$1.6M |
Market manipulation |
Single-asset, single-market |
| Multichain/Bridge |
2023 |
Scattered pockets |
Bridge collapse |
Cross-chain, multi-market |
| rsETH/Kelp |
2026 |
TBD |
Bridge exploit |
Cross-protocol, multi-market, derivative cascade |
The attack surface has expanded: from a single manipulated position (CRV) to a cross-chain bridge failure (Multichain) to a derivative cascade that propagated through four separate protocols in under 24 hours (Kelp → LayerZero → Aave → Lido). Each incident is more interconnected than the last.
What’s improved since 2022:
- V3 isolated markets, supply/borrow caps, E-mode — all direct CRV-incident responses
- Umbrella safety module with asset-specific slashing
- Real-time risk steward monitoring with freeze authority (Chaos Labs, LlamaRisk)
- rsETH freeze executed within hours, not days — significantly faster than CRV-era response
What hasn’t changed:
- Collateral derivative concentration remains the primary contagion channel
- A single derivative losing backing can propagate bad debt through every protocol that accepts it as collateral simultaneously
- The DAO still responds to bad debt events with ad hoc coordination rather than a pre-defined playbook
My recommendation:
Formalize the incident response framework. Aave has now handled three generations of bad debt events, each larger in contagion scope than the last. The risk stewards and community have demonstrated they can coordinate effectively under pressure — the rsETH response was fast and well-executed. But the response process shouldn’t require improvisation each time.
Document the decision tree: when to freeze, when to activate Umbrella, when to propose DAO funding, what thresholds trigger each action. The next incident will be faster and more interconnected than this one.
— Robby Greenfield | Author, TOKEDEX: The Tokenomic Bible