A roughly $292 million exploit over the weekend has rattled the crypto industry, exposing vulnerabilities in decentralized finance (DeFi) infrastructure and raising concerns about spillover effects across lending protocols.
While investigations are still ongoing, early analysis suggests the attack centered on Kelp’s rsETH token — a dividend-bearing version of ether (ETH) — and the mechanism used to move assets between blockchains.
The attacker appears to have manipulated this system to create large amounts of tokens without proper backing, then quickly used them as collateral to borrow and drain real assets from the lending markets, mostly from Aave the largest decentralized crypto lender.
The incident is the latest blow to DeFi, coming just a few weeks after Solana-based protocol Drift’s $285 million acquisition, further denting investor confidence in the nearly $90 billion crypto sector.
How the attack worked
At a high level, the exploit targeted a LayerZero bridging component — a piece of infrastructure that allows assets to move across different blockchains, Charles Guillemet, CTO of hardware wallet maker Ledger, told CoinDesk in a note.
Bridges typically work by locking assets on one chain and minting corresponding tokens on another. This process depends on a trusted entity – often called an oracle or validator – to confirm deposits.
In this case, Kelp effectively served as this verifier. According to Guillemet, the system relied on a single-signer setup, meaning only one entity could approve any transaction.
“It appears that the attacker was able to sign a message … that allowed him to mint large amounts of rsETH,” he said. He added that it is still unclear how this access was gained.
Michael Egorov, founder of Curve Finance, pointed to the same weakness in the system’s configuration.
“Things can happen when you trust a single party – whoever that might be.”
This setup allowed the attacker to effectively create unbacked tokens even though no corresponding assets were locked on the source chain.
Once minted, the tokens were quickly inserted. The attacker “immediately deposited them into lending protocols, mostly Aave to borrow real ETH against,” Guillemet explained.
That maneuver moved the problem from a single exploit to a broader market problem. DeFi lending platforms are now left with collateral that may be difficult to liquidate, while valuable and liquid assets have already been drained.
“Aave was left with rsETH, which cannot really be sold and maxed out [sic] ETH so no one can withdraw ETH,” Curves Egorov said.
As a result, Aave and other lending protocols could be sitting on hundreds of millions of dollars in questionable collateral and bad debt, he warned, raising concerns about a potential “bank run” dynamic as users rush to withdraw money.
Aave saw a drop of around $6 billion in assets on the protocol as users moved their assets after the incident. The token associated with the protocol has fallen around 15% over the past 24 hours of trading.
What we still don’t know
Important questions remain about how the validator was compromised. The system relied on LayerZero’s official node, raising uncertainty about whether it was hacked, misconfigured, or misled.
“Was it hacked? Was it tricked? We don’t know,” Egorov said.
The attacker’s identity is also unknown, although Guillemet said the scale of the attack suggests a sophisticated actor.
“It’s clearly not some script kiddies,” he said.
Big blow to confidence in DeFi
Beyond the immediate losses, the episode serves as a reminder that as DeFi becomes more connected, failures in one layer can quickly ripple across the system.
Egorov argued that non-isolated lending models, where assets share risk across pools, amplify the impact of such events.
He also pointed to shortcomings in how new assets are built into lending platforms, saying configurations like Kelp’s 1-of-1 verifier setup should have been flagged earlier.
However, Egorov said there is a silver lining. “Crypto is a harsh environment that no bank would have survived – but we are working with it,” he said. “I think DeFi will learn from this incident and become stronger than before.”
Still, while incidents like this lead to protocol upgrades and redesigns, they also erode investor confidence in the broader DeFi sector.
“Overall, trust in DeFi protocols is eroded by this kind of event,” Guillemet said.
“And 2026 will most likely be the worst year in terms of hacks again,” he added.
Read more: ‘DeFi is dead’: Crypto community reeling after year’s biggest hack exposes contagion risk
