how it happened and what it means for DeFi

A roughly $292 million exploit over the weekend has rocked the crypto industry, exposing vulnerabilities in decentralized finance (DeFi) infrastructure and raising concerns about knock-on effects on lending protocols.

While investigations are still ongoing, early analysis suggests the attack focused on Kelp’s rsETH token, a yield-generating version of ether (ETH), and the mechanism used to move assets between blockchains.

The attacker appears to have manipulated that system to create large amounts of tokens without proper backing, and then quickly used them as collateral to borrow and drain real assets from the credit markets, primarily from Aave, the largest decentralized cryptocurrency lender.

The incident is the latest blow to DeFi, coming just a couple of weeks after the $285 million exploit of the Solana-based Drift protocol, further denting investor confidence in the nearly $90 billion crypto sector.

How the attack worked

At a high level, the exploit targeted a LayerZero bridging component, a piece of infrastructure that allows assets to move across different blockchains, Charles Guillemet, CTO at hardware wallet maker Ledger, told CoinDesk in a note.

Bridges typically work by locking assets on one chain and minting equivalent tokens on another. That process relies on a trusted entity, often called an oracle or validator, to confirm deposits.

In this case, Kelp effectively acted as that verifier. According to Guillemet, the system was based on a single signatory setup, meaning that a single entity could approve any transaction.

“It appears that the attacker was able to sign a message… which allowed him to mint a large amount of rsETH,” he said. He added that it is still unclear how that access was obtained.

Michael Egorov, founder of Curve Finance, pointed out the same weakness in the system setup.

“Things can happen when you trust only one party, whoever it is.”

That setup allowed the attacker to effectively create unbacked tokens, even though there were no corresponding assets locked on the source chain.
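The difference between a single-signer verifier and a multi-verifier quorum can be shown in a toy lock-and-mint model. This is an added example, not code from Kelp, LayerZero or the original article; the verifier names, keys, message format and the use of HMAC-SHA256 in place of on-chain signatures are all assumptions.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC-SHA256 stands in for the real signature scheme.
KEYS = {"v1": b"constructed-key-1", "v2": b"constructed-key-2", "v3": b"constructed-key-3"}

def attest(verifier, message):
    """One verifier's attestation over a bridge message."""
    return hmac.new(KEYS[verifier], message, hashlib.sha256).digest()

def quorum_met(message, attestations, threshold):
    """True if at least `threshold` distinct known verifiers attested to `message`."""
    valid = {
        v for v, tag in attestations.items()
        if v in KEYS and hmac.compare_digest(attest(v, message), tag)
    }
    return len(valid) >= threshold

class Bridge:
    """Toy lock-and-mint bridge: `locked` is the source chain, `minted` the destination."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.locked = 0
        self.minted = 0

    def lock(self, amount):
        self.locked += amount

    def mint(self, amount, nonce, attestations):
        message = f"mint|{amount}|{nonce}".encode()
        if not quorum_met(message, attestations, self.threshold):
            return False
        self.minted += amount
        return True

    def unbacked(self):
        """Supply reconciliation: minted tokens with no locked asset behind them."""
        return max(0, self.minted - self.locked)

def run_scenario(threshold):
    """Honest deposit of 10, then a mint of 1000 attested only by v1 (key assumed compromised)."""
    bridge = Bridge(threshold)
    bridge.lock(10)
    bridge.mint(10, 1, {v: attest(v, b"mint|10|1") for v in KEYS})
    forged = b"mint|1000|2"  # constructed message with no matching deposit
    accepted = bridge.mint(1000, 2, {"v1": attest("v1", forged)})
    return accepted, bridge.unbacked()
```

With a threshold of 1 the forged mint is accepted and `unbacked()` reports the gap; with a threshold of 2 the same single attestation is rejected and supply stays fully backed.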

Once minted, the tokens were quickly deployed. The attacker “immediately deposited them into lending protocols, primarily Aave, to borrow real ETH,” Guillemet explained.

That move transformed the problem from a single exploit to a broader market issue. DeFi lending platforms are now left with collateral that may be difficult to unload, while valuable and liquid assets are already depleted.

“Aave was left with rsETH which cannot really be sold or borrowed to the maximum [sic] ETH, so no one can withdraw ETH,” said Curve’s Egorov.

As a result, Aave and other lending protocols may have hundreds of millions of dollars in questionable collateral and bad debt, he warned, raising concerns about a potential “bank run” dynamic as users rush to withdraw funds.

Aave saw a drop of around $6 billion in assets on the protocol as users withdrew their assets after the incident. The token associated with the protocol is down approximately 15% in the last 24 hours.

What we still don’t know

Key questions remain about how the validator was compromised. The system depended on the official LayerZero node, leading to uncertainty about whether it was hacked, misconfigured, or tricked.

“Was he hacked? Was he tricked? We don’t know,” Egorov said.

The identity of the attacker is also unknown, although Guillemet said the scale of the attack suggests it was a sophisticated actor.

“They’re clearly not some kids from the script,” he said.

Big blow to confidence in DeFi

Beyond the immediate losses, the exploit serves as another reminder that as DeFi becomes more interconnected, failures in one layer can quickly impact the entire system.

Egorov argued that non-isolated lending models, in which assets share risk across groups, amplify the impact of such events.

He also pointed to shortcomings in the way new assets are onboarded to lending platforms, saying configurations like Kelp’s 1-of-1 verifier setup should have been flagged sooner.

However, Egorov said there is a silver lining. “Cryptocurrency is a hostile environment that no bank would have survived; however, we are working on it,” he said. “I believe DeFi will learn from this incident and become stronger than before.”

Still, even when incidents like this lead to protocol upgrades and redesigns, they also erode investor confidence in the DeFi sector as a whole.

“In general, trust in DeFi protocols is eroded by these types of events,” Guillemet said.

“And 2026 will probably again be the worst year in terms of hacks,” he added.
