20th April 2026: Another bad day for DeFi.
tl;dr
An exploit of the Kelp DAO threatens the reputation of Aave in particular, and of DeFi in general.
Market Wrap
Whisper it quietly, but on-chain indicators are all turning very positive, leading some to brazenly claim that the bear market is already over and the next explosive bull has already started.
Oh, let us hope they are right. 2026 might get exciting after all.
Curious Cryptos’ Commentary – Another day, another DeFi exploit
I exaggerate, but after the recent exploit of Hyperbridge (https://www.curiouscryptos.com/post/16th-april-2026-is-defi-fundamentally-broken) this new fraud, similar in many respects to that exploit, is most unwelcome.
First, let’s start with a gentle introduction to the world of staking and re-staking.
The PoS (proof-of-stake) consensus mechanism relies on holders staking their coins by committing those coins to one of many validators. For each block, a validator is chosen at random, in proportion to the number of coins staked with that validator, to create that block; in exchange it receives rewards, which are then shared with the stakers. Those rewards come from both the minting of new coins and the fees paid by those whose transactions were included in the block. As a guide, unless the network is very congested, roughly three-quarters of staking rewards currently come from new issuance of ETH, which is simply inflationary, and does not actually represent any real gain for those who stake. HMRC, however, will still tax you on the theoretical gain, as the taxman doesn’t understand the process, perhaps wilfully so.
There are two main methods of staking ETH. The first and traditional means is by pledging 32 ETH to a validator. This is simple but has the drawback that, if you wish to unstake, you will have to wait some time for your unstaking request to be processed. The minimum wait is around five days for ETH but was as long as forty-five days at one point in 2025.
The second method is to swap ETH for an LST (liquid staking token) created by a smart contract that represents ETH that has been staked. LSTs have the advantage that they can often be instantly converted back to ETH (at a discount) and can be used in DeFi, increasing the potential rewards compared to simple staking. The main drawback is that despite the name, some LSTs are distinctly not liquid, especially those issued in exchange for PoS coins with a market cap significantly lower than ETH.
It is from this concept – that LSTs can be used in DeFi – that re-staking arose. In effect, you take your stETH (staked ETH) and exchange it for re-stETH (re-staked ETH) for increased rewards. Note that your re-stETH can itself be used in DeFi, further increasing potential rewards, but you must be aware that each iteration of staking and re-staking increases risk. This is not a free lunch.
…
Kelp DAO (https://kerneldao.com/kelp/restake/) is a re-staking platform – you can deposit ETH, stETH, or ETHx to receive Kelp’s rsETH, a coin that represents staked ETH that has been re-staked. All issued rsETH is backed 100% by the deposited collateral.
Until now.
An attacker exploited Kelp DAO’s LayerZero bridge configuration and caused a forged message to be treated as valid, in exchange for which the DAO issued 116,500 rsETH to the feral scumbag scammers, worth nearly $300mm. Blockchain sleuths have suggested a possible link to North Korea–aligned hacking groups, though attribution is not yet conclusive.
You can see the similarity with the Hyperbridge exploit, for once again a coin has been minted which has been designed to be backed one-to-one with collateral (thus giving it an assured and visible market-price), but the collateral does not exist.
The hackers then deposited these coins into an Aave pool and borrowed WETH (wrapped ETH) against them. They have since been furiously laundering WETH through some mixers.
The net impact of this exploit is that the circulating supply of rsETH has been increased by 18% without a corresponding increase in the collateral, causing losses throughout the entire ecosystem for borrowers, stakers, and re-stakers of ETH.
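The broken invariant described above (every rsETH backed by deposited collateral), written as a monitoring check. This is an added example, not code from Kelp DAO, LayerZero or Aave: the event format and the pre-exploit supply of 647,222 rsETH are constructed so that the 116,500 rsETH mint matches the 18% figure, and rsETH is assumed to be accounted 1:1 against ETH-equivalent collateral.

```python
from dataclasses import dataclass
from fractions import Fraction  # exact ratios, no float rounding

@dataclass(frozen=True)
class Event:
    kind: str        # "deposit_mint" or "bridge_mint" (hypothetical labels)
    collateral: int  # ETH-equivalent units added to the backing pool
    minted: int      # rsETH units issued by this event

def replay(events, floor=Fraction(1)):
    """Replay events in order; return (final backing ratio, alerts).

    An alert (index, kind, ratio) is recorded for every event that leaves
    collateral / supply below `floor`, i.e. supply that is not fully backed.
    """
    collateral = supply = 0
    ratio, alerts = Fraction(1), []
    for i, ev in enumerate(events):
        collateral += ev.collateral
        supply += ev.minted
        if supply:
            ratio = Fraction(collateral, supply)
        if ratio < floor:
            alerts.append((i, ev.kind, ratio))
    return ratio, alerts

def supply_increase(events, index):
    """Fraction by which event `index` grew the supply that existed before it."""
    before = sum(ev.minted for ev in events[:index])
    return Fraction(events[index].minted, before)

# Constructed sample ledger, not real chain data.
SAMPLE = [
    Event("deposit_mint", 400_000, 400_000),
    Event("deposit_mint", 247_222, 247_222),
    Event("bridge_mint", 0, 116_500),  # mint with no collateral behind it
]

if __name__ == "__main__":
    ratio, alerts = replay(SAMPLE)
    for i, kind, r in alerts:
        print(f"ALERT event {i} ({kind}): backing ratio {float(r):.3f}")
    print(f"supply increase: {float(supply_increase(SAMPLE, 2)):.1%}")
```

On the constructed ledger the only alert is the uncollateralised mint, which leaves each rsETH backed by roughly 0.847 units of collateral, the figure a lending market accepting rsETH at par would be mispricing.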
It also caused an immediate 10% or more fall in the price of AAVE, a coin that has long been a core part of the CC Treasury portfolio, for though Aave (https://aave.com/) has not been hacked, some of its lending practices have been called into question.
A sad situation all round.
…
Perhaps we should ask the question again: is DeFi fundamentally broken?
Putting aside the issue of potential code problems (and with Mythos just around the corner, those problems should not be underestimated), there is no doubt that DeFi is becoming ever more complicated, layering additional risks on top of other risks that many participants fail to fully appreciate, if at all. DeFi has huge potential in helping to democratise access to financial products, one of the big benefits that blockchain technology is bringing to humanity. But, configured as it is today, DeFi is destined to remain a niche product, no more than that.
0xResearch called it right with this comment yesterday:
“The broader point is that the industry is scaling faster than its risk frameworks, and unless there is a clear separation between risk underwriters and those optimizing for revenue, the same failures will keep repeating at a larger scale.”

