Executive Summary
KelpDAO’s Layerzero V2 bridge suffered a Saturday exploit that allowed an attacker to extract 116,500 rsETH from the Ethereum OFT adapter. The breach spanned both Ethereum and Arbitrum networks, left no rsETH burned on the source chain, and raised immediate concerns for Aave V3 markets that could now face bad‑debt exposure.
What Happened
On a Saturday, an unknown actor targeted the rsETH route built on KelpDAO’s Layerzero V2 bridge. By manipulating the bridge’s cross‑chain logic, the attacker diverted 116,500 rsETH from the Ethereum OFT adapter into an address they controlled.
The exploit operated across two major ecosystems: Ethereum’s mainnet and Arbitrum’s layer‑2. Despite moving a large volume of rsETH, the transaction left the source chain untouched—no rsETH tokens were burned, meaning the total supply on Ethereum remained unchanged.
The incident was documented in an incident report posted by Llamarisk on the Aave forum. The report outlines the technical steps used to breach the bridge and notes that the attack vector leveraged the Layerzero V2 messaging layer.
Background / Context
KelpDAO provides liquidity and staking services for rsETH, a tokenized representation of staked Ether. The platform relies on Layerzero V2 to enable seamless cross‑chain transfers, routing assets between Ethereum and layer‑2 solutions like Arbitrum via an OFT (Omnichain Fungible Token) adapter.
Layerzero’s architecture uses a messaging protocol to synchronize token balances across chains. In this case, the rsETH route is a critical conduit for users moving staked Ether assets between the two networks, making it a high‑value target for malicious actors.
Aave V3, one of the leading decentralized lending protocols, supports rsETH as collateral. The bridge exploit opened a potential pathway for bad‑debt accumulation, as the sudden outflow of rsETH could affect the collateralization ratios of loans backed by the token.
Reactions
The community learned of the breach through the incident report authored by Llamarisk on the Aave forum. The report provides a technical walkthrough and calls for a thorough security review of the bridge components.
KelpDAO has not released an official statement at the time of writing, and no spokesperson from Aave V3 has commented publicly on the exposure. Observers on social platforms flagged the incident as a reminder of the risks inherent in cross‑chain bridges.
What It Means
The extraction of 116,500 rsETH without burning tokens on the source chain indicates a flaw in the bridge’s state‑validation logic. For Aave V3, the incident translates into a latent risk: borrowers who used rsETH as collateral may now face under‑collateralized positions if the missing tokens cannot be recovered.
DeFi protocols that integrate rsETH or rely on Layerzero V2 messaging will likely reassess their security postures. The incident underscores the importance of rigorous audit trails for cross‑chain adapters, especially when they serve as gateways to lending platforms.
Developers and auditors are expected to scrutinize the Layerzero V2 implementation, identify the exact failure point, and deploy patches to prevent recurrence. Until remediation measures are confirmed, users may exercise caution when moving rsETH across chains.