On Tuesday morning, the entity responsible for the Kelp DAO exploit initiated the movement of 75,700 Ether, valued at 175 million dollars, toward newly created wallet addresses. According to on-chain data from the analytics platform Arkham Intelligence, the funds stolen during the 290 million dollar exploitation last Saturday began to be fragmented for potential laundering.
Transactions recorded on April 21 included a massive transfer of 25,000 ETH to an unknown address, followed by two other operations of 50,700 ETH and 0.7 ETH. Security researcher ZachXBT confirmed that the attacker is already utilizing non-custodial protocols such as THORChain and Umbra to obfuscate the capital trail. These tools, which do not require identity verification processes, hinder the tracking capabilities of authorities and cybersecurity firms.
Technical vulnerability and the critical failure in rsETH
The root of this incident lies in a security configuration that LayerZero had previously advised against. The Kelp DAO rsETH bridge operated under a decentralized verifier network (DVN) set as 1/1, which created a critical single point of failure within the protocol. This architecture allowed the attacker to drain approximately 116,500 rsETH by manipulating cross-chain messages, exposing the fragility of relying on a single verifier in complex infrastructures.
The impact has quickly spread to other sector giants. Within the Aave lending protocol, the perpetrator used part of the stolen assets as collateral to request loans, injecting considerable systemic pressure. Aave management presented an incident report detailing two potential bad debt scenarios ranging between 123.7 and 230.1 million dollars. As a mitigation measure, the Arbitrum Security Council executed an emergency action to freeze 30,766 ETH linked to the exploit, moving them to a wallet under governance control.
This event has triggered a massive capital outflow due to contagion fears. DefiLlama data shows that the total value locked (TVL) in Aave plummeted from 26.4 billion dollars to just 16.4 billion in less than 72 hours. This 10 billion dollar liquidity loss has spiked interest rates for USDT lending from 3% to 14%, reaching volatility levels not seen since late 2024.
The current situation bears similarities to the 1.4 billion dollar hack suffered by Bybit in 2025, where 72% of the funds also flowed through THORChain. Although Bybit CEO Ben Zhou stated at the time that most assets were traceable, the speed of dispersion in the current case suggests a more aggressive laundering strategy. Unlike other minor attacks, the magnitude of the Kelp DAO exploit has forced developers to reconsider asset self-custody and bridge governance.
Recovery prospects and debt markets
Despite the chaos, Aave has managed to unfreeze Wrapped Ether (WETH) reserves in its Ethereum Core V3 market. Nonetheless, markets on Arbitrum, Base, Mantle, and Linea remain locked while the full extent of the damage is audited. Users affected by the lack of liquidity in stablecoins now face significantly higher borrowing costs due to the imbalance between supply and demand in the main pools.
The market is closely watching the movements of the remaining 40,000 ETH that have not yet been moved from the attacker’s original wallets. The next milestone will be the resolution of the Arbitrum governance proposal to decide the fate of the frozen funds. The crypto community expects new standards to be established for LayerZero DVNs, preventing technical simplicity from again compromising hundreds of millions in user assets within the DeFi ecosystem.
This article is for informational purposes and does not constitute financial advice.
