
Lido Reports $21.6M of rsETH Exposure, Dune Releases Report Showing 47% of Layer Zero OApps Run on 1/1 DVNs


Lido has disclosed that its EarnETH vault has approximately $21.6 million in rsETH exposure, roughly 9% of the vault’s total assets, through a leveraged rsETH/ETH position on Aave. This stems from the April 18, 2026, exploit on Kelp DAO’s cross-chain bridge, where ~116,500 rsETH, valued at around $292 million at the time, was stolen.

The rsETH in question became de-pegged and frozen, leaving the leveraged position underwater and creating potential bad debt risk on Aave. Exposure is ~$21.6M via the Aave levered position (9% of EarnETH assets). Elevated borrowing utilization on Aave is also pressuring other levered strategies in the vault.

The EarnETH team is actively deleveraging to reduce risk. Deposits and redemptions (withdrawals) are paused while they assess the situation. Lido has a ~$3 million first-loss protection buffer available from the Lido DAO treasury, which could be deployed if losses materialize. The final impact depends on how Kelp DAO, LayerZero, and Aave handle loss allocation, frozen assets, and bad debt resolution.

No impact on core Lido: stETH, wstETH, and the main Lido staking protocol are completely unaffected. This is isolated to the EarnETH yield product. Lido posted the details directly on X, and the news has been widely reported across crypto media outlets. Protocols like Aave have taken steps such as halting rsETH-related activity, and others are coordinating on the broader incident.


This highlights classic DeFi interconnected risks: leveraged positions + cross-chain bridges + restaking tokens can amplify a single exploit. The $21.6M is material for the EarnETH vault but small relative to Lido’s overall TVL and core ETH staking business. Outcomes remain fluid pending decisions from the involved parties.

Here are the brief implications of Lido’s $21.6M rsETH exposure in the EarnETH vault following the Kelp DAO bridge exploit:

Isolated to EarnETH: This affects only Lido’s yield-enhancing EarnETH product, a MetaVault on Mellow with leveraged strategies. Core Lido staking (stETH/wstETH) and the main protocol remain completely unaffected and operational. No impact on the vast majority of Lido’s TVL or ETH staking.

Material but contained risk for the vault: The $21.6M represents ~9% of EarnETH assets. The leveraged rsETH/ETH position on Aave is now underwater due to rsETH de-pegging and freezing. Deposits and redemptions are paused while the team actively deleverages to minimize further risk. Elevated borrowing costs are also pressuring other levered positions in the vault.

Potential losses mitigated by buffer: Lido has a ~$3M first-loss protection from the DAO treasury that can be deployed if needed. The actual loss (if any) depends on how Kelp DAO, LayerZero, and Aave governance resolve bad debt allocation, frozen assets, and shortfall sharing. Outcomes are still fluid.

Highlights risks of complex leverage loops (LST → LRT → cross-chain bridges → lending protocols). Aave and other platforms (SparkLend, Fluid) froze rsETH markets to contain bad debt; estimates for Aave range widely, up to $200M+ in some scenarios, but resolution is pending. Increased caution around restaking tokens, LayerZero bridges, and high-leverage strategies.

Minor negative sentiment for Lido’s EarnETH product and LDO token in the short term, but limited systemic threat given the small relative size and quick transparency and deleveraging response. It serves as a reminder of interconnected DeFi vulnerabilities without threatening Lido’s dominant ETH liquid staking position.

Low-to-moderate impact overall — painful for affected EarnETH holders; potential partial haircut after buffer, but a manageable, contained event for Lido as a whole. Monitor updates from Lido, Aave governance, and Kelp for final loss allocation.

Dune Releases Report Showing 47% of Layer Zero OApps Run on 1/1 DVNs

A recent Dune Analytics dashboard highlights significant security configuration risks in LayerZero’s Omnichain Applications (OApps), particularly in the wake of the KelpDAO rsETH exploit estimated at ~$290–293M.

Dune analyzed ~2,665 unique/active OApp contracts over the past 90 days and found: 47% use a 1-of-1 DVN (Decentralized Verifier Network) configuration, the lowest security level, where a single verifier can unilaterally approve or reject cross-chain messages. This matches the setup KelpDAO’s rsETH bridge used at the time of the attack.

45% use a 2-of-2 configuration requiring agreement from two verifiers. Only ~5% use more robust setups like 3-of-3 or higher requiring multiple independent verifiers for redundancy. This means nearly half of LayerZero OApps operate with a single point of failure for cross-chain message verification — exactly the vulnerability exploited in the Kelp incident via RPC poisoning of the single DVN.

The Dune dashboard, LayerZero OApp DVN Configuration, provides a transparent breakdown of how individual OApps configure their security. The attack targeted KelpDAO’s rsETH, a liquid restaking token bridge on LayerZero. Attackers allegedly compromised infrastructure tied to the single DVN pointed to by LayerZero, forging a cross-chain message that allowed draining ~116,500 rsETH.

The stolen funds were then routed through lending protocols like Aave, triggering freezes and market stress. LayerZero’s position blames Kelp’s choice of a 1/1 setup despite prior warnings and states that the incident was isolated, with zero contagion to multi-DVN apps. LayerZero announced it will stop signing messages for any remaining 1/1 configurations, effectively forcing a migration to multi-verifier setups.

Kelp’s side argues that LayerZero’s default documentation and GitHub examples promoted 1/1 as the standard, and that it was not explicitly forced to upgrade earlier. Some reports note ~40%+ of protocols used similar structures. This has sparked a blame game, with broader discussions on whether LayerZero’s OApp model, which lets apps choose their own DVN thresholds, adequately balances flexibility vs. security defaults.

In LayerZero’s architecture: DVNs are independent entities that verify message integrity across chains. Apps define the security floor (e.g., 1-of-1 vs. 2-of-3) — more verifiers = higher redundancy but potentially higher latency/cost. A 1/1 setup is cheap and simple but vulnerable to compromise of that single verifier via infrastructure attacks, as allegedly happened here.

With 47% of OApps in this bucket, the ecosystem faces systemic upgrade pressure. Protocols with high TVL like certain restaking, synthetic assets, or tokenized RWAs using LayerZero bridges are under scrutiny. Many are already pausing bridges or reviewing configs. If you’re building on, bridging via, or holding assets tied to LayerZero OApps, it’s worth checking the specific DVN setup for your integration.
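
One way to run that check, as an added example rather than code from Dune, LayerZero or this article: it models a DVN setup as X-of-Y and counts how many independent operators must be compromised to reach the threshold, which can be lower than the X-of-Y label suggests. The `DvnConfig` type, the operator labels and the sample addresses are constructed assumptions, not LayerZero's API.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DvnConfig:
    """X-of-Y verifier setup for one OApp (hypothetical model, not LayerZero's API)."""
    threshold: int             # X: attestations needed to accept a message
    verifiers: dict[str, str]  # Y entries: DVN address -> operator label


def audit(cfg: DvnConfig) -> dict:
    total = len(cfg.verifiers)
    if not 1 <= cfg.threshold <= total:
        raise ValueError(f"threshold {cfg.threshold} invalid for {total} verifiers")
    # Compromising an operator yields every DVN it runs, so find the fewest
    # operators whose DVNs reach the threshold (largest operators first).
    covered = operators = 0
    for count in sorted(Counter(cfg.verifiers.values()).values(), reverse=True):
        if covered >= cfg.threshold:
            break
        covered += count
        operators += 1
    findings = []
    if operators == 1:
        findings.append("one operator alone can approve a message")
    if total == cfg.threshold:
        findings.append("one verifier outage or refusal blocks all messages")
    return {"label": f"{cfg.threshold}-of-{total}",
            "operators_to_forge": operators,
            "outages_tolerated": total - cfg.threshold,
            "findings": findings}


# Constructed sample configurations; addresses and operators are placeholders.
SAMPLES = {
    "1-of-1": DvnConfig(1, {"0xDVN_A": "op-a"}),
    "2-of-2": DvnConfig(2, {"0xDVN_A": "op-a", "0xDVN_B": "op-b"}),
    "2-of-3 shared operator": DvnConfig(
        2, {"0xDVN_A": "op-a", "0xDVN_A2": "op-a", "0xDVN_B": "op-b"}),
    "2-of-3 independent": DvnConfig(
        2, {"0xDVN_A": "op-a", "0xDVN_B": "op-b", "0xDVN_C": "op-c"}),
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit(cfg))
```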

KelpDAO/rsETH: ~116,500 rsETH stolen (18% of circulating supply). Core contracts paused; mainnet rsETH remains backed, but reserves on 20+ chains strained. Redemption/peg pressure ongoing. Attacker used stolen rsETH as collateral on Aave V3 and others to borrow ~$196–236M WETH, creating bad debt. Follow-up packets blocked by Kelp freeze, preventing another ~$100M loss.

Aave TVL dropped sharply, with ~$6–8.5B in outflows in 48 hours, due to rsETH market freezes, emergency mode, and user panic. Borrowing halted on affected assets; potential bad debt coverage via safety module under review. DeFi TVL overall fell ~$13B in two days, from ~$99B to ~$86B, driven by liquidity flight and risk-off sentiment. Other lending protocols like SparkLend and Fluid also froze rsETH markets.

Restaking/LRT sector: heightened scrutiny on liquid restaking tokens; some protocols paused LayerZero bridges or deposits as a precaution. The Dune dashboard is a good starting point, and LayerZero is pushing for broader adoption of multi-DVN security. This incident underscores a classic crypto tension: decentralized protocols still rely heavily on how applications configure them.

Flexibility is powerful, but weak defaults or cost-driven choices can lead to outsized risks. The forced migration LayerZero announced could improve overall security but may cause short-term friction for affected apps.
