TechFlow News: On April 21, Aave’s risk service provider LlamaRisk released an incident report stating that on April 18, 2026, an attacker exploited a vulnerability in Kelp’s LayerZero V2 Unichain-to-Ethereum rsETH routing (a misconfiguration in the 1-of-1 DVN setup), forged inbound packets, and illicitly released 116,500 rsETH from the Ethereum-side adapter. Of this amount, 89,567 rsETH were deposited as collateral into multiple Aave V3 markets—including those on Ethereum Core and Arbitrum—enabling the borrowing of approximately 82,650 WETH (valued at roughly $191 million) and 821 wstETH.
Currently, only 40,373 rsETH remain in the adapter, while the total claimable rsETH on the remote chain stands at 152,577—creating a substantial shortfall. Depending on the loss allocation methodology adopted, Aave faces two potential bad-debt scenarios: Scenario One (global pro-rata allocation) projects ~$123.7 million in bad debt, with Ethereum Core bearing the greatest pressure; Scenario Two (loss confined to L2 chains) projects ~$230.1 million in bad debt, with Mantle facing a WETH reserve shortfall of up to 71.45% and Arbitrum facing a 26.67% shortfall.
Following the incident, Aave Protocol Guardians and Risk Administrators immediately froze rsETH/wrsETH reserves across all 11 affected markets and set their Loan-to-Value (LTV) ratios to zero. Additionally, they reduced multi-chain WETH interest rates and suspended WETH lending. Importantly, Aave’s smart contracts themselves were not compromised, and protocol logic continues operating normally. The Aave DAO Treasury currently holds approximately $181 million in assets, providing some capacity to absorb losses; relevant ecosystem participants have also extended preliminary support commitments. The final resolution plan will depend on Kelp’s official decision regarding loss allocation.
