The Kelp DAO and LayerZero bridge exploit that occurred over the weekend has left lending protocol Aave facing potential losses of up to $230 million, depending on how the situation is resolved.

The incident, according to a report from Aave Labs and service provider LlamaRisk published on the Aave governance forum, centers on rsETH, a liquid restaking token issued by KelpDAO. To move rsETH between blockchains, the protocol relies on a bridge mechanism that locks tokens on one chain while issuing corresponding copies on another.

An attacker exploited that setup by forging a transfer message that appeared valid. The system approved the transfer even though the tokens were never taken out of the sending chain, meaning new tokens were effectively created without backing, releasing 116,500 rsETH from the Ethereum-side bridge.

Rather than selling the assets on the open market, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed roughly $190 million in ETH and related assets across Ethereum and Arbitrum, according to the report. This left Aave exposed to collateral whose backing may be significantly impaired.

Aave Labs said it moved quickly to contain the risk. Within hours, the protocol froze rsETH markets across its deployments, set loan-to-value ratios to zero, and halted new borrowing against the asset.

The outcome now depends largely on how Kelp handles the shortfall. If losses are spread across all rsETH holders, the token would face an estimated 15% depegging (meaning the value of the staked tokens would not match the value of actual ETH), resulting in about $124 million in bad debt for Aave. If losses are instead isolated to Layer 2 networks, the impact would be far more severe, with bad debt rising to roughly $230 million and concentrated on networks such as Arbitrum and Mantle.

The exploit stemmed from weaknesses in how Kelp verified cross-chain messages using LayerZero. By manipulating this process, the attacker was able to make certain assets appear fully backed when they were not, allowing them to extract value from the system. LayerZero itself was not directly hacked, but its messaging layer exposed flawed assumptions in how Kelp validated cross-chain data.

The incident raised concerns that some positions on Aave were backed by collateral that was mispriced or no longer fully backed, increasing the risk of undercollateralized loans.

In response, users moved to reduce exposure. Around $6 billion in total value locked was withdrawn from Aave following the incident, reflecting a broad pullback as participants reacted to the uncertainty.

The episode highlighted its indirect exposure to external systems. The impact was felt through increased collateral risk, pressure on lending positions, and a sharp decline in deposits as users reassessed the safety of interconnected DeFi infrastructure.

The report said its DAO treasury holds approximately $181 million in assets and that discussions are underway with ecosystem participants to address potential losses. Kelp has not yet outlined how it plans to allocate losses, leaving Aave’s ultimate exposure uncertain as the situation continues to evolve.

Read more: Kelp DAO claims LayerZero’s ‘default’ settings are what actually caused the massive $290 million disaster

Less than three weeks after North Korea-linked hackers used social engineering to hit crypto trading firm Drift, hackers tied to the nation appear to have pulled off another major exploit with Kelp.

The attack on Kelp, a restaking protocol tied into LayerZero’s cross-chain infrastructure, suggests an evolution in how North Korea-linked hackers operate, not just looking for bugs or stolen credentials, but exploiting the basic assumptions built into decentralized systems.

Taken together, the two incidents point to something more organized than a string of one-off hacks, as North Korea continues to escalate its efforts to hijack funds from the crypto sector.

“This is not a series of incidents; it is a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You cannot patch your way out of a procurement schedule.”

More than $500 million was siphoned across the Drift and Kelp exploits in just over two weeks.

How Kelp was breached

At its core, the Kelp exploit did not involve breaking encryption or cracking keys. The system actually worked the way it was designed to. Rather, attackers manipulated the data feeding into the system and forced it to rely on those compromised inputs, causing it to approve transactions that never actually occurred.

“The security failure is simple: a signed lie is still a lie,” Urbelis said. “Signatures guarantee authorship; they do not guarantee truth.”

In simpler terms, the system checked who sent the message, not whether the message itself was correct. For security experts, that makes this less about a clever new hack and more about exploiting how the system was set up.

“This attack wasn’t about breaking cryptography,” said David Schwed, COO of blockchain security firm SVRN. “It was about exploiting how the system was set up.”

One key issue was a configuration choice. Kelp relied on a single verifier, essentially one checker, to approve cross-chain messages. That is because it’s faster and simpler to set up, but it removes a critical safety layer.

LayerZero has since recommended using multiple independent verifiers to approve transactions in the fallout, similar to requiring multiple signatures on a bank transfer. Some in the ecosystem have pushed back on that framing, saying that LayerZero’s default setup was to have a single verifier.

“If you’ve identified a configuration as unsafe, don’t ship it as an option,” Schwed said. “Security that depends on everyone reading the docs and getting it right is not realistic.”

The fallout has not stayed limited to Kelp. Like many DeFi systems, its assets are used across multiple platforms, meaning problems can spread.

“These assets are a chain of IOUs,” Schwed said. “And the chain is only as strong as the controls on each link.”

When one link breaks, others are affected. In this case, lending platforms like Aave that accepted the impacted assets as collateral are now dealing with losses, turning a single exploit into a wider stress event.

Decentralization marketing

The attack also exposes a gap between how decentralization is marketed and how it actually works.

“A single verifier is not decentralized,” Schwed said. “It’s a centralized decentralized verifier.”

Urbelis puts it more broadly.

“Decentralization is not a property a system has. It is a series of choices,” he said. “And the stack is only as strong as its most centralized layer.”

In practice, that means even systems that appear decentralized can have weak points, especially in the less visible layers like data providers or infrastructure. Those are increasingly where attackers are focusing.

That shift may explain Lazarus’ recent targeting.

The group has begun zeroing in on cross-chain and restaking infrastructure, Urbelis said, the parts of crypto that move assets between systems or allow them to be reused.

These layers are critical but complex, often sitting underneath more visible applications. They also tend to hold large amounts of value, making them attractive targets.

If earlier waves of crypto hacks focused on exchanges or obvious code flaws, recent activity suggests a move toward what could be called the industry’s plumbing, the systems that connect everything together, but are harder to monitor and easier to misconfigure.

As Lazarus continues to adapt, the biggest risk may not be unknown vulnerabilities, but known ones that are not fully addressed.

The Kelp exploit did not introduce a new kind of weakness. It showed how exposed the ecosystem remains to familiar ones, especially when security is treated as a recommendation rather than a requirement.

And as attackers move faster, that gap is becoming both easier to exploit and far more expensive to ignore.

Read more: North Korean hackers are running massive state-sponsored heists to run its economy and nuclear program

Aave service providers on Monday published an incident report quantifying the protocol’s exposure to the April 18 Kelp DAO rsETH bridge exploit, outlining two bad-debt scenarios ranging from $123.7 million to $230.1 million, and recommending an immediate pause of the protocol’s Umbrella safety module.

According to the report, posted to the Aave governance forum, 89,567 of the 116,500 rsETH stolen from Kelp’s LayerZero bridge were deposited across seven attacker-controlled wallets on Aave. Those positions borrowed 82,650 WETH ($190.86 million) and 821 wstETH ($2.33 million).

The single largest position, on Aave’s Ethereum Core market, supplied 53,000 rsETH and borrowed 52,460 WETH, or $121 million, from one wallet. The remaining positions were distributed across Aave’s Arbitrum deployment. All attacker positions currently sit at health factors between 1.01 and 1.03.

Kelp subsequently recovered 40,373 rsETH by freezing a second attempted drain. That balance is the only confirmed backing for 152,577 rsETH of claims across every L2, a pro-rata backing ratio of 26.46%. Ethereum mainnet rsETH is backed separately by Kelp’s underlying ETH staking deposits.

Two bad debt scenarios

The report declined to commit to a single bad-debt figure, stating that the outcome depends on decisions outside Aave’s control — primarily how Kelp accounts for the loss and whether it updates its LRTOracle exchange rate.

Under Scenario 1, a uniform socialization across all rsETH holders on all chains, each token takes a 15.12% haircut. Total bad debt reaches $123.7 million, with the Ethereum Core WETH reserve absorbing $91.8 million, or a 1.54% shortfall. Mantle absorbs $10.4 million, or 9.54% of its WETH reserve, the most proportionally acute.

Under Scenario 2, losses are isolated to rsETH on L2s. Remote-chain rsETH is repriced to its 26.46% backing ratio, or a 73.54% haircut, while Ethereum mainnet rsETH is unaffected. Total bad debt rises to $230.1 million, all concentrated on L2s.

In this scenario, Mantle faces a 71.45% shortfall ($77.7 million), Arbitrum 26.67% ($88.4 million), Base 23.28% ($47.5 million), and Ink 18% ($13.9 million). Ethereum Core is untouched.

Umbrella covers only Ethereum Core reserves. Under Scenario 2, it would not activate.

Balance sheet disclosure

The report disclosed the Aave DAO’s financial position. As of April 20, the treasury holds $181 million — $62 million in Ethereum-correlated holdings, $54 million in AAVE tokens, and $52 million in stablecoins. The DAO generated $145 million in revenue in 2025 and $38 million year-to-date in 2026, with operating cash flow of $149 million in 2025 and $40 million year-to-date.

Aave DAO service providers are “leading an effort with ecosystem participants to address a potential bad-debt scenario,” the report said, and the effort has received “indicative commitments from various parties.” It did not identify the parties or quantify the commitments.

The report also recommended the DAO immediately pause the WETH Umbrella module. As of writing, 18,922 of the 23,507 aWETH staked in Umbrella — approximately 80% — have already entered the 20-day unstaking cooldown. A pause would block further deposits, withdrawals, transfers, and slashing. Coverage under a paused module would need to be handled manually through governance rather than automatically.

A second-order liquidation risk

The report also quantified the risk of further bad debt if ETH falls in price while Aave’s WETH reserves remain at 100% utilization. Because idle WETH balances are below $20 on every affected chain, liquidators cannot receive WETH as underlying and instead receive aWETH receipts, which keeps their capital inside the reserve and slows liquidation throughput.

At a 50% ETH price drop, Aave modeled $100.8 million of residual bad debt on Ethereum alone, with smaller amounts on Arbitrum, Base, Linea, and Mantle. Arbitrum and Base were flagged as particularly vulnerable because wstETH looping positions on those chains run at health factors around 1.03 — meaning first liquidations would trigger at ETH price drops of just 0.77% and 1.77%, respectively.

LayerZero and Kelp continue to trade blame

The Aave report did not assign blame for the underlying bridge exploit. LayerZero and Kelp DAO have continued to publicly attribute the incident to each other.

In a Sunday post-mortem, LayerZero Labs attributed the attack to the DPRK-linked Lazarus Group. The company said attackers compromised two downstream Remote Procedure Call (RPC) nodes used by its LayerZero-operated Decentralized Verifier Network (DVN), and introduced malicious software that returned forged data only to the DVN, then launched a DDoS attack to force failover to the poisoned RPC nodes.

LayerZero said the protocol itself was not exploited and attributed the attack’s success to Kelp’s use of a 1-of-1 DVN configuration.

In a rebuttal reported by CoinDesk on Monday, a source familiar with Kelp’s position said a communications channel between the two teams had been open since July 2024 and that LayerZero had not issued a specific recommendation to change the rsETH DVN configuration. The source said the compromised DVN was LayerZero’s own infrastructure and that Kelp’s core restaking contracts were not affected.

Yearn Finance core developer known on X as @banteg, published a technical review showing LayerZero’s public V2 OApp Quickstart uses a 1-of-1 DVN setup in its reference configuration across Ethereum, BSC, Polygon, Arbitrum, and Optimism. CoinDesk reported approximately 40% of applications on LayerZero currently run 1-of-1 configurations.

LayerZero has said it will no longer sign messages for any application using a 1-of-1 DVN configuration.

“DeFi has spent years auditing smart contracts. Kelp is the moment the industry realises the threat doesn’t end at the code. Most protocols are completely exposed at the infrastructure layer,” said Yair Cleper, Co-Founder and CEO of MagmaDevs and contributor to Lava Network, a decentralized marketplace for blockchain data providers.

Bitcoin (BTC) begins the last full week of April juggling fresh US-Iran war fears as resistance hurdles line up.

Key points:

• Bitcoin stays green on weekly time frames with multiple nearby price levels in focus.

• Elliott Wave analysis concludes that $81,000 is Bitcoin bulls’ next “final boss.”

• A resurgent US-Iran war threatens to unravel last week’s crypto and risk-asset gains.

• Bitcoin ETFs see major inflows, but investors’ cost basis is still above $80,000.

• Bitcoin’s true market mean metric reveals that the current bear market remains “mild.”

BTC price can still make “new highs” this week

Bitcoin still managed a “green” weekly candle despite last-minute sellers driving price below $74,000.

Data from TradingView shows a modest recovery ensuing as the new week begins — despite the lingering threat of geopolitical escalation between the US, Israel and Iran.

Price now has multiple resistance levels overhead, with the nearest being its 21-week exponential moving average (EMA) at $78,400.

Over the weekend, trader and analyst Rekt Capital stressed the influence of that trend line.

“Bitcoin is rejecting from the 21-week EMA (green),” he noted in an X post alongside a print of the weekly chart. 

“It is this rejection that could force a post-breakout retest of the top of the Double Bottom (~$73k) next week, provided Bitcoin Weekly Closes just like this.”

In a subsequent post, Rekt Capital said that a successful retest of the $73,000 area would “confirm the breakout” for the bulls.

#BTC

A Weekly Close just like this could confirm the 21-week EMA (green) as resistance to set up for a post-breakout retest of the Double Bottom formation top (blue ~$73k)

A successful retest of the Double Bottom formation would confirm the breakout$BTC #Crypto #Bitcoin https://t.co/7eZiVYZFeQ pic.twitter.com/cWxH3lMNpb

Advertisement

— Rekt Capital (@rektcapital) April 19, 2026

Continuing, trader CrypNuevo forecast that BTC/USD would continue to trade in a range with an $80,000 ceiling “for the next month.” They acknowledged that it was “unknown” how high the pair could go should the US-Iran war definitively end.

Crypto trader Michaël van de Poppe, meanwhile, remained upbeat, seeing a push beyond last week’s local highs next. He noted that there was a new “gap” open above price in CME Group’s Bitcoin futures market.

“Relatively strong bounce upwards on $BTC on Monday, as markets tend to go risk-off prior to the open. Gold has gone down, so no attached risk,” he told X followers on Monday. 

“Bitcoin bouncing upwards, and given that there’s still a gap to $77.3K, I would assume we’re going to see new highs this week.”

$81,000 emerges as Bitcoin’s “final boss”

In its latest BTC price analysis, crypto market intelligence platform Decode placed specific emphasis on $81,000 as the resistance level to beat.

As part of Elliott Wave analysis, Decode showed BTC/USD trading between the 200-week and 21-week EMAs.

“Bitcoin still pinned below the 21 week ema, but looking pretty good overall, and with the final boss at 81k,” it commented.

This “final boss,” Decode explained in subsequent debate on X, “narrows the options from an Elliott Wave perspective, removing short term bearish counts.”

$81,000 also represents the average entry price for institutional buyers of the US spot Bitcoin exchange-traded funds (ETFs). 

Nearby, the cost basis for Bitcoin’s short-term holders (STHs) — entities hodling for up to six months without selling — is now at $83,500, per data from onchain analytics platform CryptoQuant.

CryptoQuant notes that the STH spent output profit ratio (SOPR) metric — the ratio of STH coins moving onchain in profit or loss — is circling breakeven.

“If SOPR manages to sustainably move back above 1, it would indicate that STHs are once again realizing profits, which is generally positive for the market as long as values do not become excessive,” contributor Darkfost wrote in a QuickTake blog post last week.

Iran war comeback risks risk-asset “unwind”

The US will release little by way of macroeconomic data in the coming week, but markets have bigger concerns.

With the sudden comeback of the US-Iran war, traders are suddenly revisiting the prospect of higher oil prices and a longer-term knock-in effect on inflation. 

“The sudden change in events has characterized the Middle East conflict since it started at the end of February,” trading resource Mosaic Asset Company commented in the latest edition of its regular newsletter, The Market Mosaic. 

“And it appears that intensifying hostilities could unwind the bullish action over the past few weeks.”

WTI crude oil fell to its lowest levels since early March last week as markets increasingly bet on the ceasefire and agreements between the US and Iran holding. The fresh breakdown in diplomacy sparked a rebound toward $90 per barrel.

BREAKING: US oil prices surge +7%, rising above $89/barrel, as markets react to Iran closing the Strait of Hormuz and denying reports of a second round of talks with the US. pic.twitter.com/Tmtt8idhsr

— The Kobeissi Letter (@KobeissiLetter) April 19, 2026

S&P 500 futures avoided a major correction at the weekly open, trading down around 0.6% on Monday.

Continuing, however, Mosaic warned that the writing was already on the wall for the equities rally after the S&P hit fresh all-time highs.

“Simply following breadth, sentiment, and positioning by institutional investors helped flag the recent rally. At the same time, warning signs were already emerging as the S&P 500 broke out to record highs,” it wrote. 

“The number of stocks breaking out to new highs is failing [to] confirm the move in the indexes, while buying pressure from a key group of institutional investors has largely run its course.”

As Cointelegraph reported, oil prices in particular are under the microscope as a US inflation catalyst. The next print of the Consumer Price Index (CPI), which will reflect the ongoing impact of the war during April, is due for release on May 12.

Risk-on institutions wake up to Bitcoin

The upshot in risk appetite amid Iran relief had a near-instant impact on Bitcoin institutional investment vehicles.

In particular, the US spot ETFs saw considerable capital inflows through Friday, with more than 25,000 BTC entering over five days.

“The latest accumulations by spot ETF firms are significant, as the last time they posted a figure this close was in April 2025, when they added 23,900 units,” CryptoQuant noted in a QuickTake blog post on the topic.

Data from UK-based investment company Farside Investors confirms that on Friday alone, the net inflows to the ETFs were more than $660 million — the largest single-day total since January.

“Aside from the current milestone, BTC spot ETFs are recovering,” CryptoQuant continued. 

“The balance held by the firm offering them has been declining since October, but has risen since the February dip.”

In BTC terms, the ETFs’ total holdings are now at their highest since November 2025.

GM ☕️

Last week we have seen –

Advertisement

– One of the highest inflows into #bitcoin ETPs.
– Record bitcoin purchases by $MSTR.

Yet, $BTC has failed to reclaim the ETF cost basis (~$81k).

Let’s watch… pic.twitter.com/qVD76JobLY

— André Dragosch, PhD⚡ (@Andre_Dragosch) April 20, 2026

Advertisement

Commenting on X, Andre Dragosch, European head of research at crypto asset manager Bitwise, acknowledged that ETF investors’ cost basis is still above spot price at $81,000, increasing the psychological significance of that level as a resistance hurdle.

Bitcoin price downside still on “milder path”

The average Bitcoin hodler remains underwater despite the recent trip to 10-week highs for BTC/USD.

Related: Bitcoin can grow ‘probably a lot bigger’ than $30T+ gold market — Analysis

New research from onchain analytics platform Glassnode also warns that in terms of history, Bitcoin’s current bear-market drawdown remains “mild.”

In an X article published on Thursday, lead analyst CryptoVizArt used the true market mean (TMM) metric to assess hodler profitability. TMM filters out long-dormant or lost coins to provide a more accurate picture of cost basis for the active BTC supply.

“When BTC trades below TMM, the average active holder is underwater. Since 2016, this has happened ten times with meaningful negative outcomes — episodes lasting from 2 days to over 11 months, with max drawdowns ranging from -0.1%  to -57%,” they summarized.

Bitcoin is now over 75 days into its latest sub-TMM phase, with TMM itself at $78,200.

A chart plotting 2026 against Bitcoin’s historical average dips below TMM shows price forging a “milder path” than before.

“That said, 75 days is still early. The 2018 and 2022 episodes didn’t bottom until months 5-9,” CryptoVizArt warned. 

“The signal isn’t ‘all clear’ — it’s ‘watch closely.’ Reclaiming the TMM and stabilizing there would mark active investors returning to profit, historically a strong reset point for momentum.”