On April 18, the Kelp DAO protocol was attacked via LayerZero’s OFT contract. The hacker called the lzReceive function on EndpointV2 and withdrew 116,500 rsETH, worth approximately $293 million. The attacker’s wallet had been prepped in advance through Tornado Cash.
For 46 minutes, no action was taken—this was Saturday. During this time, the attacker managed to convert most of the funds into ETH and WETH via Aave V3 and V4, borrowing over $236 million. Only after that did the Kelp DAO team activate a pause on the main contracts—two subsequent exploit attempts were blocked.
Aave froze the rsETH markets on V3 and V4 as a protective measure. The protocol itself was not hacked; however, due to the hopeless debts incurred as a result of the attack, the AAVE token dropped by 18%. The community is calling for WETH to be withdrawn from Aave V3 Core out of concerns about cascading liquidations.