how it happened and what it means for DeFi

A roughly $292 million exploit over the weekend shook the crypto industry, exposing vulnerabilities in decentralized finance (DeFi) infrastructure and raising concerns about ripple effects on lending protocols.

Although investigations are still ongoing, initial analysis suggests the attack was centered on Kelp’s rsETH token – a yield-bearing version of ether (ETH) – and the mechanism used to move assets between blockchains.

The attacker appears to have manipulated this system to create large quantities of tokens without proper backing, then quickly used them as collateral to borrow and drain real assets from lending markets, primarily from Aave, the largest decentralized crypto lender.

The incident is the latest blow to DeFi, coming just weeks after Solana-based Drift Protocol’s $285 million mining operation, further shaking investor confidence in the nearly $90 billion crypto industry.

How the attack worked

At a high level, the exploit targeted a LayerZero bridge component – a piece of infrastructure that allows assets to move between different blockchains, Charles Guillemet, CTO of hardware wallet maker Ledger, told CoinDesk in a note.

Bridges typically work by locking assets on one chain and minting equivalent tokens on another. This process depends on a trusted entity – often called an oracle or validator – to confirm deposits.

In this case, Kelp effectively acted as auditor. According to Guillemet, the system relied on a single-signer setup, meaning only one entity could approve any transaction.

“It appears the attacker was able to sign a message… allowing them to mint a large amount of rsETH,” he said. He added that it remains unclear how this access was obtained.

Michael Egorov, founder of Curve Finance, pointed out the same weakness in the system setup.

“Things can happen when you trust only one party, no matter what it is.”

This setup allowed the attacker to effectively create unbacked tokens, even though no corresponding assets were locked on the source chain.
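
The single-signer weakness described above, as an added example that is not part of the original article and is not Kelp's or LayerZero's code: a minimal quorum check in Python. HMAC stands in for real verifier signatures, and the keys, verifier names and message format are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo keys; HMAC stands in for the verifiers' real signatures.
VERIFIER_KEYS = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}


def attest(verifier_id, key, message):
    """Produce one verifier's attestation over a mint message."""
    return verifier_id, hmac.new(key, message, hashlib.sha256).hexdigest()


def valid_signers(message, attestations, verifier_keys):
    """Return the distinct known verifiers whose attestation checks out."""
    signers = set()
    for verifier_id, tag in attestations:
        key = verifier_keys.get(verifier_id)
        if key is None:
            continue  # unknown verifier: ignored
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            signers.add(verifier_id)  # a set, so a repeated signer counts once
    return signers


def authorize_mint(message, attestations, verifier_keys, threshold):
    """Approve a mint only if `threshold` distinct verifiers attested to it."""
    if not 1 <= threshold <= len(verifier_keys):
        raise ValueError("threshold must be between 1 and the verifier count")
    return len(valid_signers(message, attestations, verifier_keys)) >= threshold


def flag_single_signer(verifier_keys, threshold):
    """Onboarding check: True when one key alone can approve a mint."""
    return threshold <= 1 or len(verifier_keys) <= 1


# Constructed mint message with no matching deposit on the source chain.
MINT = b"mint|token=rsETH|amount=1000|src_deposit=none"
ONE_KEY = [attest("v1", VERIFIER_KEYS["v1"], MINT)]  # a single key's attestation

if __name__ == "__main__":
    single = {"v1": VERIFIER_KEYS["v1"]}
    print("1-of-1 approves:", authorize_mint(MINT, ONE_KEY, single, 1))
    print("2-of-3 approves:", authorize_mint(MINT, ONE_KEY * 2, VERIFIER_KEYS, 2))
    print("1-of-1 flagged: ", flag_single_signer(single, 1))
```

With one verifier, one attestation is enough to approve the unbacked mint; with a 2-of-3 quorum the same attestation, even submitted twice, is rejected.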

Once issued, the tokens were quickly deployed. The attacker “immediately deposited them into lending protocols, primarily Aave, to borrow real ETH,” Guillemet explained.

This maneuver moved the problem from a single exploit to a broader market problem. DeFi lending platforms now hold collateral that can be difficult to unwind, while valuable and liquid assets are already depleted.

“Aave ended up with rsETH that can’t really be sold or borrowed to the fullest [sic] ETH, so no one can withdraw ETH,” said Curve’s Egorov.

As a result, Aave and other lending protocols could be left holding hundreds of millions of dollars in questionable collateral and bad debt, he warned, raising concerns about a potential “bank run” dynamic as users rush to withdraw funds.

Aave saw a drop of around $6 billion in assets on the protocol as users withdrew their assets following the incident. The token associated with the protocol is down approximately 15% in the last 24 hours of trading.

What we still don’t know

Key questions remain about how the validator was compromised. The system relied on the official LayerZero node, raising uncertainty over whether it had been hacked, misconfigured, or misled.

“Was it hacked? Was it cheated? We don’t know,” Egorov said.

The identity of the attacker is also unknown, although Guillemet said the scale of the attack suggests a sophisticated actor.

“It’s clearly not screenwriters,” he said.

Hard blow to trust in DeFi

Beyond the immediate losses, the episode also serves as a reminder that as DeFi becomes increasingly interconnected, failures in one layer can quickly ripple throughout the entire system.

Egorov argued that non-isolated lending models, in which assets share risks across pools, amplify the impact of such events.

He also highlighted gaps in how new assets are integrated into lending platforms, saying configurations like Kelp’s 1-of-1 verifier setup should have been flagged earlier.

However, Egorov said there was a positive side. “Crypto is a challenging environment that no bank would have survived – and yet we are working with it,” he said. “I think DeFi will learn from this incident and become stronger than before.”

Yet even as incidents like this lead to protocol upgrades and overhauls, they also shake investor confidence in the broader DeFi sector.

“Overall, trust in DeFi protocols is eroded by this kind of event,” Guillemet said.

“And 2026 will most likely once again be the worst year in terms of piracy,” he added.
