The rsETH attack, which began on Saturday night, April 18th, escalated from a single bridge hack into one of the biggest liquidity crises in DeFi history within a week. 116,500 rsETH, worth approximately $292 million, were minted via a fake message on KelpDAO's LayerZero-based rsETH bridge. The attacker then directly deposited these "unbacked" tokens into Aave, effectively borrowing real assets. Here's a summary of the week's events:

How did the attack work?

Using LayerZero's single validator (1-of-1) configuration, the KelpDAO bridge validated the attacker's fake lzReceive message. This allowed rsETH to be minted without locking any ETH in the wallet.

These rsETH were deposited into Aave V3 as collateral within minutes. The protocol, by its nature, accepted the request, and the attacker withdrew approximately $190 million worth of WETH, wstETH, and stablecoins. Aave later stated that "the system worked according to its design, the problem was that the collateral was fraudulent."

The same tokens were also used in the Aave markets on Arbitrum and Base. The total deficit, according to initial estimates, ranges between $123 million and $230 million.

Bank run on Aave

As soon as the news spread, users panicked. The total supply on Aave, which was $45.8 billion on Saturday evening, dropped to $30.8 billion by Wednesday morning. The outflow of approximately $15 billion was the fastest withdrawal in the protocol's history.

The most critical moment was when the USDT and USDC pools reached 100% usage. Approximately $5 billion worth of stablecoins became unusable because borrowers failed to repay. While users protested with complaints of "my money is locked" on X, the AAVE token lost 17.7% of its value in three days.

Aave management froze the rsETH markets on Ethereum, Arbitrum, and Optimism. New collateral deposits and borrowing were halted.

Freezing and Tracking

On Monday, the Arbitrum Security Council froze 30,766 ETH, approximately $71 million, in the attacker's wallet and moved it to an unattended vault. This sparked a decentralization debate, but at least some of the money was recovered.

The remaining funds are being rapidly laundered. On-chain detectives have determined that the attacker converted 34,500 ETH, approximately $175 million, into Bitcoin via THORChain. Smaller amounts were routed through the Umbra privacy protocol. LayerZero attributed the attack to the "TraderTraitor" cell of the North Korea-linked Lazarus group.

DeFi United: The Sector's Counter-Move

Something unusual happened midweek. Aave, Spark, Morpho, Curve, and Mantle formed a recovery pool called "DeFi United." The goal is to rebuild the collateral for rsETH.

Initially, 43,500 ETH, approximately $101 million, was deposited into the common pool.
Mantle opened a 30,000 ETH credit line to Aave and stated, "we will contribute from the treasury if needed."
To date, over $204 million in assets have been repaid, and liquidity has begun to normalize.

The KelpDAO team has paused all rsETH contracts and is rewriting the bridge with LayerZero. LayerZero announced that it has canceled all single validator configurations and stopped message signing.

So what is the situation with rsETH now?

The token still doesn't back ETH one-to-one. It's trading at a 6-8% discount in the market. Aave hasn't yet decided whether to socialize the loss. Three options are on the table:

Aave treasury coverage
Passing losses on rsETH holders
Gradual buyback with the DeFi United pool

The most pressing issue for users is locked stablecoins. Aave says USDT/USDC withdrawals will be opened as borrowers' repayments accelerate.

What's the lesson?

The $292 million attack showed how a single line of configuration error can wipe out $14 billion of DeFi TVL. "Infrastructure" projects like LayerZero are now responsible not just for code, but also for operational security.

The latest data shared under the #rsETHAttackUpdate hashtag shows that the worst of the crisis is over, but the wound is not healed. Arbitrum's freeze saved $71 million, DeFi United raised $100 million, but there's still a $120 million deficit.

For the sector, this is the biggest "test of trust" since the 2022 Terra crash. If Aave absorbs the damage, DeFi's "code is law" narrative will give way to a "community insurance" narrative. If it doesn't, a lengthy legal process will begin between rsETH holders and Aave depositors.

The attack, which began a week ago, is now a problem not just for KelpDAO, but for the entire restaking ecosystem.