Hello darkness my old friend…
Once again this will be a bit of a different Yields of the Week writeup.
I’ll talk about:
What Happened
The Official Responses
Possible Resolutions
Some Thoughts On DeFi And Where DeFi Dad and Myself Store Our Crypto Onchain
How Much Have We Lost To Hacks?
What Needs To Happen Going Forward?
At this point, we’re not even getting the lifespan of a well-fed Thanksgiving turkey. Maybe the Turkeys don’t have it so bad after all.
So far, neither myself nor DeFi Dad have been directly affected by this latest exploit. But events like this ripple across all of DeFi, given the size and players involved.
If you read on, we break down where we keep our onchain funds and how we’re thinking about it right now.
Chances are many of you reading this have been impacted. If you have, I know how awful and helpless it can feel. I’ve been caught up in similar situations before, and it’s not easy to move past.
I’m always aware of the risks and take ownership of the fact that we’re operating on the frontier of finance. But lately, it does feel like things have accelerated.
I still believe DeFi will come out stronger from this, or at least I hope it will.
If you’re already following this closely, much of this will be familiar. But if not, let’s walk through what happened.
What Happened?
On Saturday around 17:35 UTC, an attacker exploited a weakness in KelpDAO’s cross-chain bridge, which runs on LayerZero.
With a single crafted message, they convinced the bridge to release roughly 116,500 rsETH, about $290M, to their wallet. The key detail is that nothing was deposited on the other side. The system treated the message as valid and effectively minted the rsETH out of thin air.
The attacker then moved that rsETH to Aave, where it had been approved as collateral. From there, they borrowed real WETH against it and exited.
Aave itself wasn’t exploited. Its contracts worked exactly as designed. The issue was the assumption that rsETH behaved like ETH collateral. In this case, that assumption broke.
Now Aave is left holding roughly $190M+ in bad debt tied to collateral that was never actually backed.
The fallout was immediate. Aave’s TVL dropped sharply, falling from around $26B to closer to $20B within a day. The AAVE token sold off hard, down roughly 30%, and broader DeFi saw billions in TVL pulled as users rushed to de-risk.
What’s most concerning is that this kind of scenario wasn’t entirely unexpected:
What’s remarkable, is that traders on Trueo had already priced the odds of another $100M exploit in 2026 at 70% before the KelpDAO incident.
Forecasters believed there was a significant chance that crypto would see another major exploit.
The Official Responses
It felt like an eternity waiting for official comms from the three main parties involved: LayerZero, KelpDAO, and Aave.
Some of the initial responses were pretty underwhelming, clearly shaped by legal teams. I get why, but there are real user funds frozen and potentially lost here.
As of writing this, we’ve seen official statements from LayerZero and KelpDAO, but nothing final from Aave yet (more on that below). The most thorough update so far has come from Llamarisk, Aave’s primary risk curator, and it was actually very well done.
Aave seems to be in a bit of a holding pattern until KelpDAO decides how they’re going to handle things.
Here’s what’s been said so far:
LayerZero:
Honestly, this TLDR is fairly accurate after reading this report from LayerZero:
What Kelp Said:
What Aave/Llamarisk has said:
The Llamarisk report was strong, and it lays out two possible paths from here:
Essentially socialization of losses
Let the L2s take the hit
Since I started writing this, the Aave team has unfrozen WETH on the Ethereum Core V3 market:
However, the damage has already been done. Roughly ~$11B has exited DeFi’s largest blue chip protocol, with Aave’s TVL dropping from ~$26B to ~$15B in just three days:
On Arbitrum, they took matters into their own hands and enacted a never before used L2 policy, bringing in the security council to claw back funds.
They were able to recover roughly $71M from the attacker (likely DPRK/Lazarus).
The method itself is fascinating, and this wasn’t a decision taken lightly. But it will inevitably spark debate and raise a bigger question: under what conditions would something like this happen again?
At least a meaningful portion of the funds has been recovered, but now it’s up to Arbitrum governance to decide what happens next.
Technically, governance could vote to return the funds to the attacker (😂), but that feels extremely unlikely.
As mentioned, much of this situation still hinges on what Kelp decides to do, but I’m not sure Aave can afford to wait. I have a few ideas on how they might respond.
| NEWSLETTER CONTINUES BELOW |
Thanks to our sponsors for making it possible to share this content for FREE!
Possible Resolutions
I think it’s very possible we see an outcome here similar to what happened with Drift.
As a reminder, Tether stepped in and effectively provided a bailout to stabilize things, with some built-in incentives on their side:
There are also clear incentives for other major players to step in. For example, Kraken’s “DeFi Earn” product is powered by Aave, and both Mantle and Base still have exposure through bad debt:
And literally as I’m writing this, Mantle has signaled they’re stepping up as well:
And let’s not forget, Mantle is structurally aligned with Bybit, which handled a major hack scenario well back in early 2025.
On top of that, Aave has its own treasury, and some of it could be used to help absorb the damage, especially the ~$33.7M in stablecoins.
Another path is a large VC, or a group of them, stepping in with a capital injection on favorable terms to help repair the damage.
We’ve seen this playbook before. With the Resolv exploit, Fluid moved quickly to make users whole, even though the Resolv side still hasn’t reached a resolution. That’s worth noting, because Kelp could take time as well. Aave is in a similar position here, just at a much larger scale.
It’s also possible we see a combination of approaches. Some external capital steps in, Aave taps its treasury, and key ecosystem players help stabilize things.
And with tokens there’s also the option for some out of the box thinking like this:
There are a lot of possible paths forward.
The challenge is timing. If Aave acts before Kelp makes a decision, it risks losing leverage. Right now, there’s still meaningful social pressure on Kelp to respond.
But there’s a trade-off. If confidence in Aave erodes too far, waiting may not be an option. At that point, there’s less left to protect.
Some Thoughts On DeFi And Where DeFi Dad And Myself Store Our Crypto Onchain
Here’s a few words from DeFi Dad:
Being an investor who’s doing interviews and due diligence out in public like we do on The Edge Podcast, there’s unsaid pressure to rush to conclusions, give hot takes, provide value through your own analysis of complex events in motion like the Resolv hack and this L0-rsETH attack. Although, L0 is the source of all this pain (despite it being an attack by bad actors) and second to that, is Kelp’s incredibly poor decision to use this 1/1 DVN setup, Aave has the most to lose—the largest amount of capital and users at risk. They clearly understand they have a duty to handle this situation carefully and take action to minimize any further damage.
For years, I’ve personally considered Aave the benchmark for near risk-free yield. Look at your favorite DeFi protocols and all the new up-and-coming projects. Many auto-allocate idle deposits to Aave V3, whether it was stablecoins or ETH waiting to be deployed into a strategy. To be absolutely clear, I have never believed Aave would experience such a turn of events. I knew it was possible. I considered it. I have been at times in disagreement with a number of collaterals listed, but I have had immense trust in their expertise to evaluate collateral before listing.
Right now, I consider myself lucky. I migrated an ETH-backed Aave V3 debt position into Fluid about 6-12 months ago. Fluid is newer code so I never assumed it was relatively safer than Aave V3 but I was drawn to a number of new features—more capital efficient liqudiations, higher LTVs, and a few safety measures similar to circuit breakers if ever there was ever massive withdrawals from Fluid.
When the Resolv minting exploit happened, the Fluid protocol was affected due to USR exposure but team rapidly responded, posting every few hours from the Fluid X handle, Samyak’s account, and their COO DMH. They worked to plug a $20M hole with the help of short-term loans from investors, Fluid treasury funds, and Resolv Labs. It was a very scary moment for all of us, but we were well informed and to their credit, they acted quickly but this $20M hole represented about 2% of TVL, similar to the percentage, if not greater than the bad debt in Aave vs its monster TVL. The decisive strategic actions, coupled with clear communicated information, saved Fluid from further damage. I am forever grateful for how they handled it.
Back to Aave, lending ETH on Aave V3 on Ethereum Mainnet has been a gold standard for earning yield in DeFi. The fact these lenders on Mainnet and L2s have been caught in a situation where they have had to consider the worst possible outcome is terrible. Aave rightfully had to freeze contracts to assess this situation but it doesn’t change the trust and confidence in Aave that’s shaken. Aave will recover from this but the best track record is still a perfect one. Damage is done and Aave will take years to earn back the same level of confidence. The shared pool design always carried this tail risk and now we as users fully undersand it.
So although it’s been dark last week, and DeFi investor confidence is broken, I do still believe that what doesn’t kill us, makes us stronger. DeFi will be better off and stronger in years to come.
And I sincerely hope and wish for the best outcome for Aave and Aave users.
As for L0, they can go fuck themselves. And as for Kelp, they’re going away for good too. Good riddance, this isn’t their first misstep.
I echo a lot of what DeFi Dad said above. Like him, I keep most of my collateral on Fluid, with some on Felix to borrow against my HYPE position. Also, shoutout to the Fluid gigabrains for creating an ecosystem tool to allow locked WETH in Aave to exit if they needed to.
More recently, I’ve also started running my business on EtherFi rails, which I wrote about here:
In that piece, I outlined 11 different risk vectors I’m thinking about with EtherFi, and one of them was “Key Management / OpSec”:
The more concerning detail is that EtherFi was using LayerZero with a 2/2 DVN setup (Kelp was effectively 1/1). Even though I touched on this risk broadly, I wasn’t aware of this exact dependency.
Since the exploit, EtherFi has moved to a 4/4 DVN setup. That’s an improvement, but I’m not sure it fully removes the concern.
How Much Have We Lost To Hacks?
This post from Haseeb caught my attention. It compares losses from hacks between the start of 2025 and 2026:
DefiLlama also shared the 10-year hack total below for crypto (including pre-DeFi) 🤮
$17B in 10 years…
What Needs To Happen Going Forward?
I don’t have all the answers, and I’m not going to pretend I do.
But I’ve been thinking through a few ideas, even if they’re far from exhaustive.
One of the more interesting ones?
Funding an L2Beat for DeFi:
If you know L2Beat, you know how ruthless they were in the early days of the L2 expansion. Many teams didn’t love them at the time, because they were constantly pointing out flaws and shortcuts, and they were beholden to no one. Truly neutral.
But they raised the bar for the entire space. Today, most L2 teams respect them, and so does the broader community. It was some of the most thankless work in crypto, and they came out of it with real credibility.
I think this is a model worth replicating in DeFi.
Sunlight is the best disinfectant. Having a technically strong, neutral team systematically surface risks and shortcuts across DeFi would be a powerful self-correcting force. It would highlight where social pressure is needed and help users make more informed decisions with their capital.
A few other ideas I like:
Timelocks - slow things down a bit, give teams time to act
Rate limits - Ethena has $10M limits and time durations built in
OpSec Audits/Certifications - Treat OpSec like we treat smart contract audits
Insurance - I want risk to be priced so people starting seeing why certain arrangements are cheaper to insure than others. For example: “why is xyz vault insurance so much less than abc vault?” “oh its because they have timelocks, rate limits, OpSec certifications, Hypernative monitoring and L2beat constant monitoring” (this is just an example)
As I was finishing this report I came across this piece by Odysseus that really sums things up incredibly well and I think its worth a read:
There’s a lot more that could be done here. This isn’t meant to be exhaustive, but it does feel like there’s still a lot left on the table.
And despite all this, DeFi will win.
DISCLAIMER: Nothing written in The Edge Newsletter or said on The Edge Podcast is a recommendation to buy or sell tokens or securities. This content is for educational and entertainment purposes only. Nothing shared here is financial advice. Any views expressed in our content are solely the opinion of that writer, host, or guest. Always do your own research. DeFi Dad, Nomatic, and guests may have positions in the assets or other matters discussed in this content.
