If losses are spread across KelpDAO users, that’s an 18.5% haircut, leaving a $76M gap that Aave can cover by selling assets or taking debt.
The $293 million KelpDAO hack on April 18 has left Aave, rsETH holders, and the wider DeFi ecosystem staring at a hole nobody quite knows how to fill.
But on Sunday, DeFiLlama co-founder 0xngmi laid out three realistic options on the table and ran the numbers on each.
Three Scenarios, None of Them Clean
0xngmi’s first option is to spread the pain. According to them, if KelpDAO socializes losses across all users, it would work out to an 18.5% haircut. There are some 666,000 rsETH sitting across Aave deployments, and most mainnet positions are looped close to the maximum loan-to-value ratio (LTV), so 0xngmi’s model assumes they are essentially at liquidation.
Wiping out all equity in those positions leaves roughly $216 million in bad debt, and Aave’s Umbrella ETH coverage would absorb $55 million of that, while the protocol’s treasury could cover another $85 million, which would leave a gap of about $76 million. To close it, 0xngmi suggested that Aave could either take out a loan or liquidate its AAVE treasury tokens. That stash is currently worth around $51 million.
Option two is much uglier, as it would mean “rugging” rsETH holders on layer 2 chains. This would leave Aave with $359 million of rsETH supply, and assuming it was all looped at maximum LTV, it would create $341 million of bad debt across lending markets. But since Umbrella covers none of it, 0xngmi said Aave would have to pick which markets to salvage and which to abandon, with Arbitrum, Mantle, and Base most likely to suffer the biggest losses.
The third option, while most technically appealing, could be the hardest to pull off. It involves going back to a pre-hack snapshot and trying to make only the direct victims whole. This would mean paying back the $124 million the hacker is said to have taken from Aave and another $18 million from Arbitrum. But the problem is that, since the hack, the money has moved around a lot across pooled protocols, making it difficult to cleanly separate one depositor’s funds from another.
OneKey founder Yishi also pushed for a fourth path that sits outside 0xngmi’s framework: negotiate with the hacker first, offering them a 10% to 15% bounty, and try to get most of the money back before any of the harder decisions need to be made. If that fails, Yishi argued that LayerZero’s ecosystem fund should carry most of the bill, given its resources and long-term interest in preserving the OFT ecosystem.
You may also like:
-
DeFi TVL Plummets Across Top Chains After KelpDAO Hack
-
The Biggest Hack of 2026: What We Know About the $294M KelpDAO Exploit
-
Circle CEO Blames ‘Moral Quandary’ for Not Acting on $280M Drift Exploit
How $293M Left in Two Transactions
Cyvers founder Meir Dolev reconstructed the on-chain timeline for the KelpDAO attack, and it moves fast. The attacker’s wallet was funded through Tornado Cash about 10 hours before anything happened. Then, at 17:35 UTC on April 18, two transactions occurred: commitVerification on LayerZero’s ReceiveUIn302, followed 24 seconds later by IzReceive on EndpointV2. That second transaction drained 116,500 rsETH, valued at about $293.5 million, in one shot.
KelpDAO’s multisig responded at 18:23 UTC by blacklisting the attacker’s recipient address on rsETH, and it worked. A second attempt, 3 minutes later, which would have taken another 40,000 rsETH worth around $100 million, hit the blacklist and reverted.
According to Dolev, the root cause was quite simple: KelpDAO’s Unichain-to-Ethereum bridge required only one DVN attestation to release funds. Forging that one verification allowed the hacker to move $293 million.
LayerZero also published its own statement attributing the attack to Lazarus Group’s TraderTraitor unit. The company said the protocol worked as designed and also pointed directly at KelpDAO’s 1-of-1 DVN configuration as the cause, noting it had previously recommended multi-DVN setups to all integration partners.
Security researcher Andy was blunter, calling KelpDAO’s decision to run a single DVN while holding $1.5 billion in user funds “extremely irresponsible” and warning that dozens of other protocols are running the exact same setup right now.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
