This Hack Just Broke DeFi… And Exposed Everything

TL;DR

A single compromised signing key let an attacker mint $293M in fake RSETh, exposing how DeFi's composability turns one bridge failure into a billion-dollar cascade.

Key Points

• 1.A single DVN signing key was the root vulnerability. Kelp DAO configured its Layer Zero bridge with a one-of-one validator setup — the weakest permitted — despite securing ~$300M in collateral; this risk had been flagged in Aave governance forums since January 2025 and ignored.
• 2.The attacker forged a cross-chain deposit attestation to conjure 116,500 RSETh from thin air. By compromising the single DVN key, they planted a fake attestation claiming a deposit on Uni Chain, triggering Ethereum mainnet to release the full escrowed position at block 24,982,285.
• 3.Rather than dumping tokens, the attacker laundered them through lending protocols. They deposited stolen RSETh as collateral into Aave v3, Aave v4, Compound v3, and Euler simultaneously, borrowing $236M in clean WETH — leaving uncollectible bad debt behind for protocols to absorb.
• 4.Kelp DAO's 46-minute pause blocked an additional ~$200M in follow-up drains. The emergency multisig froze all contracts at 18:21 UTC; two subsequent attacker transactions attempting 40,000 RSETh each reverted against the active pause.
• 5.Aave suffered a $6B bank run, wiping its TVL from $26.4B to ~$20B in hours. Governance voice Mark Zeller publicly urged withdrawals; pool utilization hit 100%, freezing legitimate users, while Aave's token fell over 20% versus ETH's sub-3% drop; total bad debt across protocols exceeded $250M.
• 6.The exploit exposed a structural flaw: DeFi composability converts single-point failures into ecosystem-wide contagion. Every LRT sitting in a lending market inherits its bridge's security; combined with April's earlier $285M Drift Protocol hack by North Korean operators, DeFi losses in under three weeks exceeded $600M.