Bullish XRP Wave Has Ended, Bitcoin's (BTC) Goodbye to $80,000, Shiba Inu (SHIB) Exchange Netflows Cross 10 Billion: Crypto Market Review
XRP's bullish wave has ended, struggling below key resistance levels.
U.Today1 min read
The $292 million Kelp exploit: how it happened, and what it means for DeFi
TL;DR
A $292 million exploit in the crypto industry has exposed vulnerabilities in DeFi infrastructure, particularly involving Kelp's rsETH token. The attacker manipulated the system to create unbacked tokens and drained assets from lending markets.
Key points
- A $292 million exploit rattled the crypto industry
- Vulnerabilities in DeFi infrastructure were exposed
- The exploit involved Kelp's rsETH token
- The attacker drained assets from Aave's lending markets
- Investor trust in DeFi is further dented
rsETH
A roughly $292 million exploit over the weekend has rattled the crypto industry, exposing vulnerabilities in decentralized finance (DeFi) infrastructure and raising concerns about knock-on effects across lending protocols.
While investigations are still ongoing, early analysis suggests the attack centered on Kelp’s rsETH token — a yield-bearing version of ether (ETH) — and the mechanism used to move assets between blockchains.
The attacker appears to have manipulated that system to create large amounts of tokens without proper backing, then quickly used them as collateral to borrow and drain real assets from lending markets, mostly from Aave AAVE$89.32, the largest decentralized crypto lender.
The incident is the latest blow to DeFi, happening only a couple weeks after the $285 million exploit of Solana-based protocol Drift, further denting investor trust in the nearly $90 billion crypto sector.
How the attack worked
At a high level, the exploit targeted a LayerZero bridge component — a piece of infrastructure that enables assets to move across different blockchains, Charles Guillemet, CTO of hardware wallet maker Ledger, told CoinDesk in a note.
Bridges typically work by locking assets on one chain and minting equivalent tokens on another. That process depends on a trusted entity — often called an oracle or validator — to confirm deposits.
In this case, Kelp effectively acted as that verifier. According to Guillemet, the system relied on a single-signer setup, meaning just one entity could approve any transactions.
"It seems the attacker was able to sign a message … allowing him to mint large amount of rsETH," he said. He added that it remains unclear how that access was obtained.
Michael Egorov, founder of Curve Finance, pointed to the same weakness in the system's configuration.
"Things can happen when you trust one single party — whoever that would be."
That setup allowed the attacker to effectively create unbacked tokens, even though no corresponding assets were locked on the source chain.
Once minted, the tokens were quickly deployed. The attacker "immediately deposited them in lending protocols mostly Aave to borrow real ETH against," Guillemet explained.
That maneuver shifted the problem from a single exploit into a broader market issue. DeFi lending platforms are now left holding collateral that may be difficult to unwind, while valuable and liquid assets are already drained.
Q&A
What happened during the $292 million Kelp exploit?
The Kelp exploit involved an attacker manipulating the rsETH token system to create unbacked tokens, which were then used to drain real assets from lending markets.
How did the Kelp exploit affect decentralized finance (DeFi)?
The exploit raised concerns about vulnerabilities in DeFi infrastructure and dented investor trust, following a similar exploit just weeks earlier.
What is the rsETH token and its role in the Kelp exploit?
The rsETH token is a yield-bearing version of ether (ETH) that was exploited by the attacker to create large amounts of tokens without proper backing.
Which lending market was primarily affected by the Kelp exploit?
The largest decentralized crypto lender, Aave, was primarily affected as the attacker drained real assets from its lending markets.
