rsETH incident — 2026-04-18

Why did Kelp (rsETH) get Frax-tier LTV parameters?

I am looking at the risk profile matrix for our listed assets, and I need someone from the risk service providers to explain the methodology behind the rsETH E-Mode listing.
We all know there is a massive architectural difference between a base Liquid Staking Token (LST) and a Liquid Restaking Token (LRT).
Take Frax (sfrxETH): It is a foundational LST. It has a battle-tested infrastructure, deep organic liquidity, and its only primary attack vector is standard smart contract risk. It makes sense that we offer highly capital-efficient parameters for assets in this tier.
Then we have Kelp DAO (rsETH): It is an LRT that inherently relies on layered risk. To hold rsETH, you are stacking:

  • EigenLayer AVS slashing risks.

  • Cross-chain bridge vulnerabilities (which we are currently paying the price for).

  • Underlying LST smart contract stacking (since Kelp wraps other LSTs).

Despite Kelp having a highly elevated risk profile, it was granted a 93% LTV in E-Mode, effectively treating it with the exact same security assumptions as our safest base-layer assets.
Why are we pricing layered, systemic restaking risk as if it is a foundational base asset? If our risk models do not apply heavy LTV penalties to assets that rely on complex, third-party infrastructure and bridges, then our risk models are fundamentally broken.
Risk providers need to clarify why this was allowed to pass, and we need an immediate parameter review of all LRTs currently sitting in high-efficiency modes. Capital efficiency cannot come at the cost of protocol insolvency.

3 Likes

Spot on. You absolutely nailed the core argument: a 2% yield premium does not mean we signed up to underwrite an upstream, 1-of-1 DVN LayerZero bridge exploit. That is infrastructure failure, not market risk.
However, based on the latest update from the Aave X (Twitter) account, the battlefield has fundamentally shifted in our favor, provided the DAO plays by its own rules.
Aave officially stated: “According to our analysis, rsETH on Ethereum mainnet is fully backed.”
This is the most critical piece of information for everyone in this thread. Here is the reality of the situation:

  1. The Bad Debt is on L2s: The bridge hack allowed the attacker to mint unbacked, fake rsETH on networks like Arbitrum and Optimism, which were then used to drain the WETH pools there.

  2. Umbrella is Mainnet Only: As we know, the Umbrella module has not yet been deployed to the L2s. It acts as the first-loss capital only for the Ethereum Mainnet V3/V4 instances.

  3. The Contractual Truth: If Mainnet rsETH is fully backed, there is zero mathematical bad debt on Mainnet. Therefore, the UmbrellaCore smart contracts have absolutely no legitimate trigger to execute a slash on our WETH.

Contract-wise, we are completely safe. The danger now is purely political.
Because Arbitrum doesn’t have an Umbrella module to act as a meat shield, the Aave DAO Treasury and $AAVE token holders are now entirely on the hook for that $196M L2 deficit. We need to be watching the governance proposals like hawks to ensure there are no shady backdoor deals to plunder our assets.
We must explicitly block any “Emergency Governance Override” that attempts to use Mainnet Umbrella funds to pay for an L2 crisis. We also need to pressure Kelp DAO not to “socialize” the peg drop globally, as that would artificially crash the Mainnet rsETH price and force legitimate Mainnet liquidations just to share the pain.
Code is law. Mainnet is backed. Our stakes shouldn’t be touched. Keep your guard up, because the whales looking at their L2 losses are going to get desperate.

2 Likes

So, in the end, the user lost all their money? AAVE has such a shady history?!

Ironically, the liquidity of the ARB market was not affected at all, but the mainnet was drained dry, which is incomprehensible.

1 Like

Yes, we lost all. AAVE on Harmony had maybe 20-30 million TVL, which is very little compared to the other chains, so no one cared in the end. The vote for the Harmony proposal, after like a year of fighting, got rejected and that was the end. Good luck.

1 Like

Who deleted my post on this?

Please name yourself or silence me again.

This E Mode is the direct cause of the situation right now.

7 Likes

What an absolute shitshow that your post got deleted. Shame what Stanicentric AAVE has become. Ggwp friends.

2 Likes

Nothing like that. The bad debt represents less than 4% of all ETH in Aave. So if this bad debt is socialised among ETH depositors on Aave, those depositors lose max 4%.

But even if this scenario is the way to solve the issue short term, I’m sure all ETH depositors will get a claim on the ETH that comes from Kelp to Aave from legal proceedings (which may take some time tho). Eventually, I’m pretty sure Kelp DAO will have to cover the losses.

1 Like

chill with the chatgpt stuff brother

2 Likes

Hello,

In order to keep it clean and readable for everyone in here, I'm deleting double posts like yours @Sanders. You already created the exact same comment on this post here. ETH price appreciation makes this bad debt crisis worse every hour, governance must move fast - #15 by Sanders

So either decide to delete the other one and move it here if you think it fits better, or we keep it like it is right now.

I get that this is a bad situation, I myself as a user am affected the same way as you are.

Thanks for understanding everyone

1 Like

I have eth on lending on mainnet and coins are frozen. I thought only rsETH was impacted.

What now? Any chance we get my eth back?

Zero compensation, zero willingness to help. Frozen and removed from the UI. That’s why I suggested to do the same, just move on to the new version and abandon the problem the same way Harmony One was forgotten.

Yes, because it seems nobody from Governance is coming with a clear and transparent plan or what exactly is the damage. All we know are speculations while they froze all the intact reserves. This is a shitshow. One tweet every 24 hours saying: It’s ok, but not it’s not ok. They freeze 335 million dollars for 18 million when they have 85 million in Treasury? Joke.

I get the frustration with the silence, but Aave actually knows exactly what they are doing. This freeze isn’t a joke; it’s a necessary quarantine to prevent a complete protocol death spiral.

They cannot just unfreeze the WETH market right now for two critical reasons:

  1. Preventing a Bank Run: With WETH at 100% utilization, unfreezing today would cause a massive stampede of withdrawals. Borrow rates would instantly shoot to infinity, forcing the liquidation of innocent users.

  2. Stopping an rsETH Liquidation Cascade: If Kelp socializes the loss and the rsETH oracle price drops, underwater borrowers (many at 93% LTV) will be slaughtered by bots. Because there is zero exit liquidity, this would create a cascading collapse.

Aave’s risk teams need this time to code and audit emergency measures—like temporarily capping borrow APYs or setting up rate-limited withdrawal queues—before they can safely open the doors. It is painful to wait, but rushing an un-audited fix would destroy the protocol.

5 Likes

New to the thread. We’ve been pulling Kelp’s OFT LayerZero configuration history directly from mainnet and want to share two findings that haven’t surfaced here yet, because they bear on the “what should our listing process have caught” question rather than the bad-debt socialization one.

1. Every configured Kelp source-chain route was 1-of-1 with the same DVN.

Calling ReceiveUln302.getAppUlnConfig(0x85d456…98Ef3, <eid>) on 0xc02Ab410…024C2 returns the effective ULN config for any source chain Kelp’s OFT adapter is peered with. We ran it for every configured eid — 18 source chains in total. Seventeen use requiredDVNCount = 1 with the exact same verifier 0x589dedbd617e0cbcb916a9223f4d1300c294236b — the one LayerZero’s April 20 statement identifies as compromised. The eighteenth uses a 2-of-2 configuration with that same DVN as one of the two required signers. None use the 2-of-3 redundancy LayerZero’s own integrator checklist recommends.

The Unichain route the attacker used (eid 30320) sat in the 1-of-1 bucket. The setConfig tx that installed it is 0x2d48d933…0592, from 2025-04-02 — 381 days before the drain. Any integrator reading the OFT’s ULN config at any point in that window would have seen the 1-of-1 threshold.

2. Kelp kept shipping new 1-of-1 routes after the initial listing review would have happened.

The 20 UlnConfigSet events on ULN302 against Kelp’s OFT adapter span 2024-05-16 through 2026-04-01. The most recent 1-of-1 config was installed 17 days before the hack, for a new source-chain peer. Even if a listing-time review had caught the state-as-of-onboarding, config drift continued after. A re-review trigger tied to new peer additions would have re-surfaced this.

Why this bears on the process debate

The current thread is rightly focused on where the bad debt lands. We’d add an orthogonal point: the question “was this reviewable at listing time?” has a clear answer — yes, via a public on-chain read that takes seconds. The data was visible for 381 days before it was weaponized. That makes this less “could we have known” and more “what process would have triggered us to look.”

A concrete suggestion that doesn’t depend on the socialization outcome: cross-chain collateral risk review should treat the issuing bridge’s DVN configuration as a first-class listing parameter alongside LTV, supply cap, and oracle source. A listing proposal for an OFT-minted asset that doesn’t document the current ULN config across all source routes should fail the gate. A parameter change for an already-listed OFT asset (LTV bump, supply cap raise) should trigger a re-read, since the bridge’s config may have changed since the last review. That’s a process gate, not a new risk model.

Full forensic writeup with all the contract addresses, tx hashes, and the exact reproduction path is here. Happy to walk through any of the on-chain methodology in-thread.

3 Likes

You can check who are the moderators of the forum and draw your conclusions…

Thank you so much for this incredibly detailed and eye-opening assessment!
The fact that a 1-of-1 DVN configuration was sitting in plain sight for 381 days proves this wasn’t an unpredictable black swan—it was a glaring failure in infrastructure monitoring by the risk providers.
Regarding your suggestion to make bridge configurations a first-class listing parameter and enforce continuous reviews: with an AI agent, those checks should be easy to implement. We could easily automate a monitor that queries the ReceiveUln302 contract and instantly flags the Risk Stewards the moment an issuer pushes a 1-of-1 route.

2 Likes
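Added example, not part of any post in this thread: a sketch of the listing gate and re-review trigger discussed in the two posts above, run over ULN config snapshots. It assumes the configs have already been read from chain into the `UlnConfig` records below; the DVN addresses, endpoint ids and the `MIN_SIGNERS` policy floor are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UlnConfig:
    # Subset of the ULN config fields; every value used below is constructed.
    required_dvns: tuple
    optional_dvns: tuple = ()
    optional_threshold: int = 0

    @property
    def min_signers(self):
        # All required DVNs must attest, plus `optional_threshold` optional ones.
        return len(set(self.required_dvns)) + self.optional_threshold

MIN_SIGNERS = 2  # hypothetical policy floor, not a figure from the thread

def review_routes(current, reviewed, min_signers=MIN_SIGNERS):
    """Check {eid: UlnConfig} snapshots; return (findings, drifted_eids)."""
    findings = []
    for eid in sorted(current):
        n = current[eid].min_signers
        if n < min_signers:
            findings.append((eid, "below-threshold", f"{n} signer(s) required"))
    if len(current) > 1:
        # A DVN required on every route is one shared point of failure.
        shared = set.intersection(*(set(c.required_dvns) for c in current.values()))
        findings += [("*", "shared-required-dvn", d) for d in sorted(shared)]
    # Any added, removed or changed route since the last review forces a re-read.
    drifted = sorted(e for e in current.keys() | reviewed.keys()
                     if current.get(e) != reviewed.get(e))
    return findings, drifted

# Constructed sample data: placeholder DVN addresses and endpoint ids.
DVN_A = "0x" + "a1" * 20
DVN_B = "0x" + "b2" * 20
REVIEWED = {90001: UlnConfig((DVN_A,)), 90002: UlnConfig((DVN_A, DVN_B))}
CURRENT = {**REVIEWED, 90003: UlnConfig((DVN_A,))}  # new peer added after review

if __name__ == "__main__":
    findings, drifted = review_routes(CURRENT, REVIEWED)
    for f in findings:
        print("FINDING", *f)
    print("re-review needed for eids:", drifted)
```

The shared-DVN finding covers the case the forensic post describes, where a route with two required signers still depends on the same verifier as every 1-of-1 route.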

If you're stuck holding aUSDC on ETH mainnet and are in search of an exit strategy…
(To be clear, I do believe Aave will pull through)

1 Like

We lost billions in TVL this weekend, and the vast majority of that capital fled directly from Ethereum Mainnet. Let that sink in. The Kelp DAO exploit was fundamentally an L2 bridge failure, yet the panic is draining our $13B+ core business because the DAO is failing to aggressively control the narrative.
Whales aren’t pulling nine-figure stablecoin and WETH positions because Mainnet is mathematically compromised. They are pulling their capital because of the ambiguity. They are terrified that Aave will quietly socialize the Arbitrum deficit onto Mainnet, or use the Mainnet Treasury and Umbrella module to bail out L2 risks.
To save Aave, leadership needs to step up and release a definitive, unambiguous statement right now: THERE IS NO PROBLEM ON MAINNET.
We need it repeated, and we need a hard, governance-backed guarantee.

  1. Mainnet is Ring-Fenced: It must be made explicitly clear that Mainnet rsETH markets and Mainnet Umbrella stakers are 100% isolated from the L2 contagion.

  2. No Backdoor Bailouts: A guarantee that Mainnet liquidity and insurance funds will not be plundered to cover the $196M L2 hole.

You protect the $13 billion fortress first. Arbitrum is a $600M market for us. If we let this silence persist while debating how to handle the L2 bad debt, the Mainnet bank run will simply continue until the protocol is a shell of itself.
The tweet saying Mainnet was “fully backed” was too weak and left too many doors open. Draw a hard line in the sand today: Mainnet is safe, Mainnet is guaranteed, and L2 risks stay on the L2s.

6 Likes

L2 ETH suppliers: you are not stuck. I just got out at near fair value.

Here is how it worked out for me

If you are a pure ETH supplier with no debt and want a chance to exit:

Step 1. Find your aWETH tokens in your wallet

When you supplied ETH to Aave you received aWETH receipt tokens in your wallet. They are still there and still tradeable on secondary markets even though the Aave pool is frozen.

Step 2. Go to app.cow.fi and place a limit order

Swap aWETH to WETH or USDC. Set your limit price at or close to current fair ETH market price. Set expiry to 6 days. CowSwap has automatic MEV protection built in, which will keep you safer; in a distressed market like this, sandwich attacks by bots are very likely on other DEXs. Do not use instant swaps! Slippage was between 50% and 100% all day yesterday and you are an easy target for bots when swapping a distressed asset.

Step 3. Wait

My order filled in roughly one hour. I received all the WETH supplied with less than 20 dollars slippage per ETH. The panic pricing of yesterday is fading as the situation clarifies. Buyers are returning. Patience beats panic selling at 60% loss.

I think this works best for smaller positions in the 1 to 10 ETH range where CowSwap solvers can find enough liquidity. Larger positions may see wider slippage. Good luck to everyone still waiting. Glad I’m out.