Kelp DAO refutes LayerZero criticism; Aave bad debt reaches up to $230 million

Kelp DAO released a statement on April 21, rebutting LayerZero’s criticism of its 1/1 DVN configuration, and pointing to LayerZero infrastructure as the root cause of the $292 million vulnerability. Aave released an event impact assessment report: under a loss evenly distributed scenario, the loss is about $124 million; under a scenario where losses are concentrated on L2, it is as high as $230 million.

Kelp DAO’s Rebuttal: DVN Default Settings and the Attack Target Are LayerZero Infrastructure

LayerZero previously criticized Kelp DAO for adopting a 1/1 DVN configuration that creates a single point of failure in its event report, and said it had already provided best-practice recommendations to Kelp DAO regarding distributed verification. Kelp DAO responded directly: “The 1/1 DVN configuration is the default configuration recorded in LayerZero documentation and applies to all new OFT deployments. Since January 2024, Kelp has been running on LayerZero infrastructure, and this configuration has been explicitly confirmed as appropriate during the L2 expansion period.”

Kelp DAO also noted that its mitigation measures effectively prevented further losses—pausing all relevant contracts, adding the attacker-associated wallets to a blacklist, and contacting SEAL-911. These measures successfully prevented the attacker from attempting to steal an additional 40,000 rsETH (about $95 million) by forging data packets.

Aave Bad Debt Analysis: Two Scenarios, Up to $230 Million

（Source: Aave）

The attacker provided 89,567 rsETH (about $221 million) as collateral for Aave V3, borrowing 82,650 WETH and 821 wstETH, resulting in extremely low health factors for the related positions. Aave evaluated two hypothetical scenarios:

Scenario One (Even Distribution): About 112,204 rsETH losses are evenly distributed across all chains; rsETH de-pegs by 15.12%; Aave’s total bad debt is about $123.7 million. The Ethereum core market has the largest absolute loss ($91.8 million), but WETH reserves are sufficient, leaving a gap of only 1.54%; the Mantle market has the highest gap ratio, at 9.54%.

Scenario Two (Loss Concentration on L2): Losses are concentrated in L2 rsETH; the L2 collateral is reduced by 73.54%; bad debt in the L2 markets (Mantle, Arbitrum, Base) reaches $230.1 million, while Ethereum mainnet rsETH is fully supported.

Aave stated: “Which case occurs depends on Kelp’s accounting treatment of rsETH and how the LRTOracle exchange rate is updated—these are decisions Aave cannot control.”

Aave’s Capital Buffer and Next Steps

In scenario one, the $54 million WETH Umbrella fund held by Aave can serve as initial collateral; in scenario two, the fund would not be triggered. Aave DAO currently holds $181 million in assets and has already received multiple commitments from ecosystem participants to provide support in the event of bad debt. Kelp DAO said it is working with Aave, LayerZero, and all major stakeholders to jointly assess the next steps for restoring operations of the protocol and potential mitigation solutions.

Frequently Asked Questions

What is at the core of the responsibility dispute between Kelp DAO and LayerZero?

The dispute centers on the 1/1 DVN configuration. LayerZero believes that Kelp DAO’s adoption of a configuration with only one DVN creates a single point of failure, and that security recommendations were provided earlier. Kelp DAO rebuts that 1/1 DVN is the default set by LayerZero for all new deployments and has been confirmed by LayerZero as appropriate during the L2 expansion period; the real security vulnerability lies in LayerZero’s own RPC nodes being compromised.

How are Aave’s two bad debt scenarios calculated?

Scenario one assumes losses of about 112,204 rsETH are evenly allocated to all chains; rsETH de-pegs by 15.12%, corresponding to Aave bad debt of about $123.7 million. Scenario two assumes losses are concentrated on L2; the L2 rsETH collateral is reduced by 73.54%, and bad debt in the L2 markets reaches $230.1 million. The key difference between the two scenarios is how Kelp ultimately allocates responsibility for the losses.

What capital resources does Aave have to address potential bad debt?

Aave has a $54 million WETH Umbrella fund (available in scenario one), $181 million in Aave DAO assets, and multiple support commitments from ecosystem participants. If the bad debt exceeds the above buffer, according to Aave’s security module design, stkAAVE holders’ staked tokens may provide protection for the remaining gap through a Slashing mechanism.