Two bad debt scenarios emerge for Aave following Kelp DAO security breach
A less expensive first option carries the potential for rsETH to lose 15% of its peg, whereas a more expensive alternative offers enhanced protection for Ethereum's base layer while pushing losses to layer 2 networks.
The risk management provider for decentralized lending protocol Aave has presented a pair of scenarios detailing how bad debt stemming from the weekend's Kelp DAO security breach might affect the broader ecosystem, with outcomes varying based on loss distribution methods.
The security breach unfolded on Saturday as malicious actors made off with 116,500 Kelp DAO Restaked ETH (rsETH) tokens valued at $293 million from Kelp DAO's bridge powered by LayerZero, subsequently deploying these tokens as collateral within Aave V3 to obtain loans in wrapped Ether (wETH).
LlamaRisk released two potential scenarios on Monday describing how this "bad debt" situation might manifest within Aave, emphasizing that Kelp DAO holds ultimate authority over the final resolution approach.
The security breach underscores the systemic contagion risk inherent in decentralized finance networks, demonstrating how a solitary bridge vulnerability can cascade into liquidity shortages and widespread withdrawal activity across interconnected platforms such as Aave, which has experienced outflows approaching $10 billion in total value since the Kelp DAO security incident occurred.
Two scenarios and potential paths forward
Under the first scenario, losses would be distributed among all rsETH token holders across both Ethereum mainnet and Ethereum layer 2 networks, creating approximately $123.7 million in bad debt on Aave while introducing the possibility of a 15% depeg for rsETH in relation to Ether (ETH).
According to LlamaRisk, this initial scenario would distribute losses more evenly across all blockchain networks, with the observation that wrapped Ether (wETH) would be "absorbing the bulk in absolute terms but barely noticing it relative to its reserve depth."
Under this first scenario, Aave would also have the option to deploy its Umbrella security model for covering wETH losses, with LlamaRisk highlighting that 18,922 Aave Wrapped ETH (aWETH) tokens valued at nearly $43.7 million have already entered the unstaking cooldown period.
Under the second scenario, the complete shortfall would be transferred to Ethereum layer 2 networks, including Arbitrum and Mantle. The bad debt figure, however, would rise considerably to $230.1 million.
LlamaRisk additionally pointed out that Aave maintains approximately $181 million in treasury reserves that could be deployed to address any potential bad debt deficit.
In a Monday statement, Kelp DAO indicated that the project continues to evaluate the financial ramifications of the security breach and determine the safest approach for resuming protocol operations, noting ongoing collaboration with Aave, LayerZero and additional stakeholders to chart a resolution strategy.
Kelp DAO sheds more light on the exploit
Kelp DAO provided additional technical details regarding the security incident, revealing that two nodes connected to the LayerZero bridge suffered compromise, while a third node became the target of a distributed denial-of-service attack.
The malicious actor fabricated what appeared to be a legitimate transfer message that received system approval, enabling the minting of 116,500 rsETH on one of LayerZero's bridge implementations.
According to Kelp, the team moved quickly to pause all associated contracts operating on Ethereum and Ethereum layer 2 networks and placed all wallets connected to the attacker on a blacklist immediately following discovery, successfully blocking their attempt to steal an additional 40,000 rsETH worth $95 million.