CertiK Says Kelp DAO Exploit Shows Cross-Chain Hacks Are Spilling Into Aave Bad Debt

CertiK Says Kelp DAO Exploit Shows Cross-Chain Hacks Are Spilling Into Aave Bad Debt

N
News Editor 01
2026-07-08 15:08:16
CertiK analyst Wenzhao Dong says the Kelp DAO exploit reveals a more dangerous DeFi pattern: bridge failures can now migrate into lending markets as bad debt. While 30,766 ETH was frozen on Arbitrum, roughly $220 million in missing assets remains unresolved.
Kelp DAOAaveArbitrumDeFi SecurityCross-Chain Exploits

The Kelp DAO exploit is being framed as more than another bridge-related incident. According to CertiK analyst Wenzhao Dong, it highlights a more dangerous shift in DeFi cybercrime: vulnerabilities in cross-chain systems can now cascade into lending markets, leaving protocols such as Aave exposed to defaulted debt rather than just localized token damage.

Dong’s assessment focused on the attacker’s execution. Instead of dumping compromised assets into spot markets and triggering slippage, price collapse, and faster detection, the exploiter allegedly used falsely minted rsETH as collateral on Aave to borrow WETH. In that structure, the attacker effectively transformed a bridge exploit into a liability for a lending protocol, exporting the damage from one layer of DeFi to another.

Arbitrum’s emergency freeze recovered part of the funds

On April 18, the Arbitrum Security Council, working with SEAL 911, froze 30,766 ETH in an effort to contain the fallout from the Kelp DAO exploit. The article states that the frozen amount was worth about $71 million. Kelp DAO later thanked the council for what it described as decisive action, and credited SEAL 911’s coordination and information structuring as critical in enabling stakeholders to move before the attacker could transfer the remaining ETH out of the Arbitrum network.

The intervention, however, has revived one of the oldest fault lines in crypto governance: the balance between security and sovereignty. For some participants, the freeze is a practical and necessary emergency measure, especially when dealing with highly capable and allegedly state-backed actors such as the Lazarus Group. For others, the very fact that a council can freeze assets raises concerns about centralization, censorship risk, and whether such powers could eventually be used beyond clear criminal contexts.

The report notes that Arbitrum’s council acted on information from law enforcement regarding the identity of the exploiter. The council said it weighed its responsibility to protect the security and integrity of the Arbitrum community while aiming to avoid consequences for ordinary users or applications on the network.

A more sophisticated exit strategy than a simple token dump

Dong contrasted the Kelp DAO exploit with a recent Hyperbridge incident, where attackers minted 1 billion Polkadot but reportedly converted only around $240,000 before the token’s price collapsed. In that case, the market itself sharply limited the attacker’s ability to extract value. In Kelp DAO’s case, the strategy was different and, in Dong’s view, more effective.

Rather than selling into spot liquidity and absorbing market impact, the attackers allegedly used Aave as an intermediary. By borrowing WETH against fake rsETH collateral, they avoided the immediate visibility and execution costs that would normally accompany a large-scale liquidation on the open market. That choice suggests a deeper understanding of DeFi market structure, including where liquidity is resilient and where protocol design can be exploited to shift losses elsewhere.

In Dong’s words, a bridge vulnerability no longer remains isolated; it becomes a lending market problem. That distinction matters because it changes how losses are distributed. Instead of being fully reflected in the price of a compromised asset, part of the damage can sit as defaulted debt inside a money market, potentially affecting lenders, collateral assumptions, and broader protocol solvency expectations.

Why the incident matters for DeFi risk management

The broader implication of the CertiK analysis is that DeFi security is deeply interconnected. A protocol may believe its own contracts are sound, yet still inherit risk through dependencies, collateral listings, or cross-chain integrations. In composable finance, one weak link can create stress across multiple systems even if those downstream systems were not directly hacked.

Dong argued that protocols cannot focus only on their own codebases. They also need to evaluate the risks introduced by every dependency in their stack and implement defensive measures accordingly. For lending markets, that may mean reevaluating collateral assumptions tied to bridged assets or derivative tokens. For bridge-adjacent protocols, it underscores how minting integrity, redemption mechanisms, and emergency governance can all become critical under attack conditions.

The incident therefore feeds into a larger discussion that has been building across DeFi for years: composability increases capital efficiency, but it also creates new channels for contagion. In the Kelp DAO case, the exploit did not stop at the point of unauthorized minting. It appears to have traveled through collateral frameworks, borrowing markets, and eventually into cross-network fund routing.

Community debate: emergency powers versus decentralization

The freeze of 30,766 ETH may have been operationally effective, but it also sharpened the governance debate around intervention powers. Critics of such actions argue that if a security council can freeze a hacker’s assets today, it could one day face pressure to freeze a dissident, a controversial business, or another lawful user. From that perspective, “human-in-the-loop” governance introduces a structural weakness into systems that were designed to be trust-minimized.

Supporters counter that absolute decentralization is a long-term aspiration rather than a requirement that every protocol must fully satisfy from day one. They view emergency controls as circuit breakers that help the ecosystem survive catastrophic events and protect users from actors with significant technical and operational sophistication. In this framing, bodies like the Arbitrum Security Council function as a kind of digital fire brigade for DeFi, stepping in only under exceptional conditions.

The Kelp DAO exploit sits directly at the center of that debate because both arguments are strengthened by the same facts: the intervention appears to have helped preserve funds, but it also demonstrates that administrative power exists and can materially alter outcomes onchain.

Roughly $220 million is still missing

Despite the partial recovery, the situation remains unresolved. Kelp DAO said that approximately $220 million in digital assets is still missing. The organization stated that its immediate focus is working with Aave and other partners to address the bad debt created by the exploit, support rsETH holders, and restore the asset’s peg.

The report also references separate fund movements by the exploiter, including the transfer of 75,701 ETH to Ethereum mainnet, valued at roughly $175 million, with stolen funds then being routed toward bitcoin through various mixers. That detail reinforces the scale and complexity of the post-exploit laundering phase, and suggests that the event is not just a protocol-specific incident but part of a broader cross-chain criminal workflow.

For the DeFi industry, the lesson is clear: the next generation of attacks may be less about draining one protocol in isolation and more about using composability to move losses through the system. Kelp DAO, as interpreted by CertiK, is a case study in how bridge exploits can become balance-sheet problems for money markets, governance problems for layer-2 ecosystems, and credibility problems for the wider DeFi stack at the same time.

If that pattern continues, risk management in crypto will need to evolve from contract-level auditing to ecosystem-level defense. The question is no longer only whether one protocol is secure, but whether its neighbors, collateral sources, and governance backstops can withstand coordinated failures across an interconnected financial network.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
400

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.