Executive Summary
Within the past 48 hours, a coordinated exploit of the KelpDAO rsETH bridge erased roughly $13 billion of total value locked across DeFi protocols. The attacker leveraged a 1‑of‑1 bridge configuration that relied exclusively on LayerZero Labs as the verifier, siphoning 116,500 rsETH from the Ethereum mainnet escrow. The stolen assets were immediately collateralised on Aave, Compound and Euler, generating an estimated $236 million in borrowed WETH and wstETH. In response, the community‑run emergency desk DeFi United raised more than 69,550 ETH from 222 wallets to fund a recapitalisation plan that now covers over 92 % of the remaining shortfall.
What Happened
The rsETH bridge, a core component of the KelpDAO ecosystem, was designed to move synthetic staked ETH (rsETH) between LayerZero‑anchored L2s and the Ethereum mainnet. By design, the bridge trusted a single validator network operated by LayerZero Labs. Hackers discovered an RPC‑poisoning flaw in this infrastructure and used it to forge verification messages, allowing them to withdraw 116,500 rsETH from the mainnet escrow without triggering any on‑chain alarms.
Immediately after the theft, the stolen rsETH was deposited as collateral on three major lending platforms—Aave, Compound and Euler. Leveraging the high collateral value, the attacker borrowed roughly $236 million in wrapped ETH (WETH) and wrapped staked ETH (wstETH). The sudden surge in borrowing drove WETH utilisation to 100 % and pushed USDT/USDC liquidity pools to full capacity as users scrambled to exit positions.
The ripple effect was stark: DeFi’s total value locked dropped by about $13 billion, and Aave alone saw its TVL shrink by $8.45 billion. The incident highlighted the fragility of single‑point‑of‑trust bridge designs and sparked an urgent call for coordinated remediation.
Background / Context
rsETH is a synthetic representation of staked ETH that enables users to earn staking rewards while retaining liquidity on other chains. KelpDAO’s bridge was among the first to rely on LayerZero’s decentralized validator network for cross‑chain message verification. While LayerZero promotes a trust‑minimized model, the bridge’s configuration left no fallback verifier, creating a single‑point‑of‑trust vulnerability.
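The effect of a missing fallback verifier can be shown with a small model. The following is an added example, not code from KelpDAO, LayerZero or the original article: it checks k-of-n attestations on a release message and audits a configuration for the single-verifier condition. The verifier names, HMAC keys (a stand-in for real verifier signatures) and the message fields are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgeConfig:
    verifiers: dict   # name -> HMAC key (constructed stand-in for a signing key)
    threshold: int    # distinct valid attestations needed to release escrow

def digest(message: dict) -> bytes:
    # Canonical encoding so every verifier attests to the same bytes.
    canon = "|".join(f"{k}={message[k]}" for k in sorted(message))
    return hashlib.sha256(canon.encode()).digest()

def attest(key: bytes, message: dict) -> bytes:
    return hmac.new(key, digest(message), hashlib.sha256).digest()

def valid_attesters(cfg, message, attestations) -> set:
    # Count only configured verifiers whose tag matches this exact message.
    ok = set()
    for name, tag in attestations.items():
        key = cfg.verifiers.get(name)
        if key is not None and hmac.compare_digest(tag, attest(key, message)):
            ok.add(name)
    return ok

def accept(cfg, message, attestations) -> bool:
    return len(valid_attesters(cfg, message, attestations)) >= cfg.threshold

def audit(cfg) -> list:
    findings = []
    n = len(cfg.verifiers)
    if not 1 <= cfg.threshold <= n:
        findings.append("threshold outside 1..n")
    if cfg.threshold <= 1:
        findings.append("one verifier can approve a release alone")
    return findings

def forged_release_accepted(cfg, misled: set) -> bool:
    # Constructed forged message: only verifiers fed a false chain view attest.
    forged = {"nonce": 7, "to": "0xPLACEHOLDER", "amount_rseth": 116500}
    tags = {v: attest(cfg.verifiers[v], forged) for v in misled}
    return accept(cfg, forged, tags)

ONE_OF_ONE = BridgeConfig({"verifier-a": b"key-a"}, 1)
TWO_OF_THREE = BridgeConfig({"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}, 2)

if __name__ == "__main__":
    for cfg in (ONE_OF_ONE, TWO_OF_THREE):
        print(audit(cfg), forged_release_accepted(cfg, {"verifier-a"}))
```

Under the 1-of-1 configuration a single misled verifier is enough to release funds; under 2-of-3 the same attestation is rejected unless a second independent verifier is misled as well.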
LayerZero described the breach as an RPC‑poisoning attack on the infrastructure supporting its validator network, stopping short of labeling it a protocol‑level flaw. The incident therefore raises broader questions about how much risk can be placed on a single verification layer in a highly composable DeFi ecosystem.
DeFi United, the emergency recapitalisation desk that sprang up after the hack, operates without any regulatory or statutory mandate. Its purpose is to marshal community resources quickly to plug funding gaps that threaten the stability of multiple protocols.
Reactions
Across the ecosystem, the response was swift and coordinated. DeFi United launched a fundraising drive that attracted 222 distinct wallets, resulting in 1,623 transfers and a total of 69,550 ETH pledged. The Arbitrum Security Council froze 30,766 ETH, while KelpDAO itself locked up an additional 43,168 ETH. Aave’s governance submitted a proposal that quantified the original rsETH shortfall at roughly 163,183 ETH.
Several major participants announced pending contributions. Mantle pledged 30,000 ETH, Aave DAO 25,000 ETH, and Stani Kulechov, founder of Aave, signaled a 5,000 ETH commitment. EtherFi, Lido, Golem Foundation, Emilio Frangella, and BGD Labs + Ernesto also listed sizable pledges, bringing the total pending vote contributions to 14,570 ETH.
Material participants such as LayerZero, Ethena, Ink Foundation and Frax Finance confirmed they would contribute, though exact amounts remain undisclosed. The collective effort has already frozen or recovered more than 86 % of the targeted 116,500 ETH, according to a broader tracker snapshot.
What It Means
The hack underscores the systemic risk inherent in bridge designs that rely on a single verification source. While the immediate financial damage was absorbed through a massive community‑driven recapitalisation, the episode may accelerate a shift toward multi‑verifier or proof‑of‑stake models for cross‑chain messaging.
For lenders, the incident demonstrates how quickly collateral can be liquidated across protocols, amplifying contagion risk. Aave’s near‑total utilisation of WETH and the full utilisation of stablecoin pools illustrate the speed at which capital can evaporate when confidence erodes.
The successful mobilisation of over 69,000 ETH by DeFi United also highlights the growing capacity of decentralized governance structures to act as rapid response units. However, the fact that an estimated 5,632 ETH remains uncovered points to the limits of ad‑hoc funding and may prompt discussions on formal insurance mechanisms or dedicated safety funds.
What Happens Next
Protocol governance bodies are now reviewing the bridge’s architecture. Aave’s proposal to formally recognise the shortfall and allocate treasury assets is pending a vote. LayerZero has pledged to audit its validator network and explore redundancy solutions to prevent future RPC‑poisoning attacks.
DeFi United’s contribution covers roughly 92.5 % of the residual funding gap, leaving a small uncovered portion that may be addressed through additional community pledges or by reallocating frozen assets. The Arbitrum Security Council’s freeze of 30,766 ETH is expected to be reviewed in the coming weeks, potentially unlocking more capital for restitution.
Finally, the broader DeFi community is expected to engage in a series of round‑tables and working groups aimed at redefining bridge security standards. The outcome of these discussions could shape the next generation of cross‑chain infrastructure, balancing composability with resilience.
