1. Executive Summary
On April 18, 2026, Kelp’s LayerZero bridge was exploited, leading to a deterioration of rsETH liquidity, and a market price significantly below its expected value across affected DeFi venues. Lido Protocol, stETH, and wstETH were not compromised. The impact on Lido Earn came through EarnETH strategy exposure to rsETH-linked positions, and broader market stress around Aave liquidity, borrow rates, haircut risks, and unwinding conditions.
In a severe downside scenario, EarnETH faced exposure of up to ~9,000 ETH (~$21M at the time), driven by a combination of direct rsETH risk, and contagion through elevated borrow rates on adjacent leveraged positions.
The Lido Earn and Mellow teams paused vault flows, adjusted the UI, communicated publicly, coordinated on unwinding levered positions, and worked with Aave, Kelp and other stakeholders to reduce the risk of bad debt and forced liquidations. The team paused deposits and withdrawals to prevent new exposure and avoid unfair exits.
DeFi United, the coordinated ecosystem relief effort, eliminated the rsETH backing deficit and reduced the risk of further losses spreading through lending markets, vaults, and looping strategies. This reduced EarnETH’s residual loss to operational costs from elevated borrow rates during the unwind period.
The EarnETH vault resumed full deposit and withdrawal operations on May 15, 2026 at 17:15 UTC, approximately four weeks after the incident. 143.98 ETH of first-loss coverage was deployed as a one-off Kelp-specific authorization, and users were made whole for residual losses tied to the incident.
The incident also exposed gaps the Lido Earn risk framework needs to close: blind spot around secondary effects, sizing and exit planning for larger allocations, and activation logic for layered protection where the loss profile sits between standard categories.
2. What Happened
2.1 Incident Overview
On April 18, 2026, Kelp’s LayerZero-based bridge was exploited. A forged cross-chain message caused the Ethereum bridge contract to release roughly 116,500 rsETH, or around $292m at the time, leaving a large gap between rsETH in circulation, and the assets backing it. The Lido protocol, stETH or wstETH were not exploited.
The impact did not stay inside the Kelp protocol, because rsETH is widely used as collateral in lending markets and looping strategies. Once the backing shortfall became clear, rsETH became impaired collateral: its price, haircut and recoverability were uncertain. Lending markets had to react quickly to avoid bad debt, so rsETH markets were frozen, liquidity became harder to access, borrow rates moved sharply, and many leveraged positions could no longer be unwound cleanly.
The immediate risks were an rsETH haircut, elevated borrow costs, frozen exit routes and potential liquidation risk. Right after the hack there was effectively no reliable liquidity to swap rsETH into WETH / ETH / aEthWETH at a reasonable price, so the position could not be unwound instantly without creating additional loss.
2.2 EarnETH Exposure & Impact
Lido Earn vault infrastructure and curator controls were not compromised in the Kelp incident. However, EarnETH had material exposure to the market effects of the incident through its leveraged rsETH/ETH Aave Core strategy, and broader market stress across other levered positions.
The affected position supplied ~113.2k rsETH and borrowed ~111.1k WETH, representing roughly 121k ETH of gross collateral exposure — around 9k ETH of net exposure in strETH. During the Aave Core ETH market freeze, elevated borrowing costs on other leveraged positions exceeded the yield earned on their collateral legs, producing a 143.98 ETH realized loss.
| Market | Relevance |
|---|---|
| Aave V3 Ethereum Core rsETH / WETH | Main affected market. EarnETH supplied rsETH and borrowed WETH here through strETH. |
| Aave V3 Ethereum Core weETH / WETH | Used in weETH leverage and later WETH debt repayment / deleveraging flows in GGV. Affected through inability to unwind quickly, higher borrow rates, and extended weETH withdrawal queue. |
| Aave V3 Ethereum Core wstETH / WETH | Used in stETH leverage and later WETH debt repayment / deleveraging flows in strETH. Affected through higher borrow rates and stETH discount. Loss was offset by acquiring 57k aEthWETH at 0.5% discount. |
| Spark wstETH / WETH | Destination for some migrated wstETH collateral after Aave deleveraging through strETH. |
| Aave USDC / USDT stable borrow markets | Relevant to broader portfolio debt cleanup after the incident. strETH affected through higher borrow rates |
| Aave USDe / sUSDe markets | Relevant to Ethena LL deleverage position in strETH. |
| Plasma Aave syrupUSDT / USDT0 | Relevant syrupUSDT withdrawal-queue liquidity management and deleverage. strETH affected through higher borrow rates. |
The bottom line for EarnETH users was that no user funds were ultimately lost, but that outcome required both a prolonged operational pause and DAO-funded support. Deposits and withdrawals in EarnETH were paused for 27 days while the rsETH recovery path and unwind conditions were resolved.
In total, the DAO deployed approximately 2,644 ETH: 2,500 ETH supported the rsETH-level relief effort to close the underlying backing shortfall, while 143.98 ETH was used as direct EarnETH first-loss coverage for operational losses from elevated borrow rates and delayed unwinds.
3. Response Timeline
The timeline below shows the first 48 hours of the response and the recovery path through to full resumption: how the incident was detected, how the vault was protected, how market risk was contained, and how the team moved from emergency controls to recovery coordination and back to normal operations.
| Time/Date | Action/Event | Why it mattered |
|---|---|---|
| Apr 18, 17:35 UTC | LayerZero-related infrastructure was compromised | Created the conditions for the forged cross-chain message and rsETH shortfall |
| Apr 18, 18:52 UTC | The Aave Guardian initiated immediate freezes on rsETH and wrsETH markets across all deployments where the asset is listed (multiple batches, first landed on-chain at 19:03 on Core Mainnet, last at 19:48 on Ink). | Locked existing positions including EarnETH’s leveraged leg; closed off new contagion routes through Aave |
| Apr 18, 18:53 UTC | Lido Earn team alerted to the exploit via external community signal | Initial alert source |
| Apr 18, 19:01 UTC | Lido Earn team contacted Aave regarding rsETH market | Immediate coordination with critical lending venue |
| Apr 18, 19:32–19:45 UTC | Main risks identified; SyncDepositQueue pause agreed | Team recognized borrow-rate and deposit-flow risk |
| Apr 18, 20:29 UTC | Deposits disabled on UI | Prevented new users from entering during uncertain conditions |
| Apr 18, 20:33 UTC | SyncDepositQueues paused | Preventing contagion for new deposits on the smart contract level |
| Apr 18, 20:42 UTC | Public communications posted | Signaled awareness and reduced uncertainty |
| Apr 19 onward | Kelp, Aave, and ecosystem recovery coordination | Focus shifted to reducing root-cause shortfall and downstream losses |
| Apr 19–20 | Aave adjusted WETH interest rate models and froze WETH borrows on Core, Prime, Arbitrum, Base, Mantle and Linea | Sharply elevated funding costs for the unwind. |
| Apr 19 – early May | Coordinated relief effort at the rsETH level executed; leveraged rsETH/WETH position deleveraged as Aave market conditions allowed | Reduced the root-cause shortfall and shrank EarnETH’s residual loss to operational costs (elevated borrow rates, delayed unwinds) |
| Early May | DAO authorized one-off Kelp-specific use of the first-loss fund below the standard threshold | Confirmed protection path for residual user losses tied directly to the incident |
| May 15, 2026, 17:15 UTC | EarnETH resumed full deposit and withdrawal operations; 143.98 ETH of first-loss coverage deployed; users made whole for Kelp-related residual losses | Vault operations resumed, approximately 27 days from incident to resumption |
4. Response Actions
4.1 Stopped new risk from entering the system
Deposits were disabled on the UI and then paused at the smart-contract level through SyncDepositQueue controls. This prevented new ETH, wstETH, GGV, DVV, and strETH deposits from being routed into EarnETH while the size of the rsETH shortfall and the correct pricing of the underlying position were still unknown.
Withdrawals were also paused once it became clear that processing exits would require assumptions about the rsETH haircut. Allowing some users to exit before the position could be priced would have shifted risk to the remaining users.
This action stopped new exposure, avoided cross-contamination between incoming and existing users, and bought time to understand the recovery path without crystallizing losses under bad pricing assumptions.
4.2 Avoided disorderly unwinds
Immediate exit was not possible without creating additional losses. Aave markets were frozen, rsETH liquidity was impaired, and there was no reliable route to swap the full position into WETH / ETH / aEthWETH at a reasonable price. A forced unwind would likely have made the outcome worse.
The team therefore built multiple scenarios for the impact of the rsETH incident across EarnETH strategies. The pessimistic scenario assumed that losses would be socialized across rsETH holders and that the rsETH/ETH position could face liquidation. The optimistic scenario assumed that pricing would be restored close to pre-incident levels.
The team calculated the haircut levels at which it would make sense to defend the position with additional collateral versus allowing the position to unwind. Other levered positions were also monitored for liquidation risk, collateral needs, and negative carry from elevated borrow rates.
4.3 Supported recovery at the root cause
The team prioritized rsETH-level recovery because EarnETH’s largest downside scenarios depended on the size and treatment of the rsETH backing deficit. The response assumed that reducing the deficit would reduce liquidation pressure and lower the eventual EarnETH residual loss. This created a dependency on external recovery execution and delayed final loss determination until the recovery path was clearer.
Once the rsETH deficit was addressed at the source, EarnETH’s remaining loss was reduced mostly to elevated borrow rates while positions were being exited.
4.4 Used first-loss coverage as user protection
The main rsETH deficit was addressed through the coordinated relief effort. This reduced EarnETH’s remaining loss to the operational cost of managing its position through the crisis: elevated borrow rates, frozen markets, delayed unwind conditions and other effects of the incident. These losses were below the standard 1% threshold, but still material enough to warrant explicit coverage.
Contributors proposed coverage to avoid leaving users with incident-related residual losses after the broader recovery effort. The effort targeted use of the existing protection mechanism for actual Kelp-related losses only. The authorized coverage totaled 143.98 ETH and was deployed to make EarnETH users whole for the residual operational losses tied directly to the Kelp incident, with full deposit and withdrawal functionality restored on May 15, 2026 at 17:15 UTC.
5. What Worked Well
Once alerted, the Lido and Mellow teams escalated the incident and moved quickly from investigation to action. However, initial detection depended on an external community signal, which is addressed in the gaps section below. Deposits were disabled, vault flows were paused, public comms went out, and the team started coordinating with Mellow, Aave, Kelp and other stakeholders.
The pause decisions stopped new users from entering the vault during unclear price discovery, and prevented unfair exits while the rsETH haircut, recovery path and unwind conditions were still unknown.
The unwind was actively managed throughout. The team used available liquidity windows to deleverage and reduce negative carry where market conditions allowed. This resulted in 143.98 ETH residual losses instead of 400-600 ETH projected initially.
The verifier setup and integration design allowed the team to add and use additional unwind routes during the incident. This helped reduce exposure through venues that were not part of the original steady-state path.
The Lido DAO had a path to support recovery at the rsETH level, and the first-loss mechanism gave EarnETH a way to cover residual user losses after the broader recovery effort.
6. What Did Not Work Well
The Lido Earn team was alerted to the exploit via an external community signal at 18:53 UTC, 78 minutes after the LayerZero compromise at 17:35 UTC. For an asset EarnETH held material levered exposure to, the supply side of rsETH should be monitored directly, not picked up secondhand. This includes anomalous mints, sudden total-supply changes, and unexpected bridge activity.The incident exposed gaps in the EarnETH risk framework; the strategy risk was harder to contain than it should have been.
The main gap was the risk model’s blind spot with respect to secondary effects. Direct rsETH exposure was understood and tolerated, but contagion through Aave market stress was not priced in. This includes elevated borrow rates on adjacent leveraged positions produced operational losses, and foregone yield on legs that had nothing to do with rsETH itself. Second-order impacts on positions that aren’t the source of a shock need to be a first-class output of future risk models.
The second gap was sizing, due diligence and exit planning for larger allocations. For strategies that can create material vault-level exposure, standard asset and protocol review is not enough; reviews should include stress-exit conditions where the position cannot be unwound for several days. For large or levered positions, acceptable unwind routes, pause triggers, collateral actions and “do not defend above this haircut” thresholds should be defined before capital is deployed rather than during an active incident.
The third gap was activation logic for layered protection. If the residual loss had been only leverage-loop bleeding, first-loss would not have been activated. What was not defined was the in-between case: how to handle a small residual haircut when the DAO-level support has already covered the bulk of the underlying shortfall through a separate mechanism, and under what conditions Lido steps in directly with balance-sheet support rather than relying on the first-loss fund. Those two scenarios need to be nailed down upfront, not decided during an incident.
The main lesson is that larger allocations need a stricter framework: deeper due diligence, tighter exposure limits, explicit pricing of secondary effects, predefined exit plans and clearer protection triggers.
7. What Will Change
For assets where EarnETH carries material exposure, supply-side signals, including anomalous mints, sudden total-supply changes, bridge activity, and oracle inconsistencies, will be tracked directly, so that detection no longer depends on external community channels or downstream protocol reactions.
Risk review will move from asset-level to allocation-level. For larger allocations, it is not enough to ask whether the asset, protocol or curator looks sound in isolation, the review has to price how stress in the broader ecosystem could flow back into adjacent vault positions, and secondary-effect exposure becomes a first-class output of the review.
Every material allocation will be stress-tested under combined-failure conditions before deployment, not just isolated single-factor shocks. Incidents do not fail one module at a time, and the framework needs to reflect that.
Exposure caps for external protocol risk will be tightened, especially for assets with high oracle uncertainty, unclear socialized-loss mechanics or limited unwind liquidity. Cap sizing will reflect exit quality and the cost of being wrong, not just expected return. Strategies with weak unwind paths will get smaller allocations even when the headline APY is attractive.
Recursive and looping strategies will require deeper pre-deployment review. These positions can look manageable in normal conditions and become hard to exit precisely when exit matters. The review must include adverse-market unwind assumptions, including time-to-exit, cost-to-exit, and defend-vs-unwind thresholds, with explicit curator sign-off.
“Yield attractiveness” and “stress-exit quality” will be separated in allocation scoring. A strategy can have strong expected APY and still be a bad fit for a protected vault if its downside path is unclear.
The protection stack itself will be formalized before the next incident. First-loss activation criteria, curator participation, DAO involvement, and user-facing pause decisions will be defined in advance, including the two scenarios this incident exposed: how to handle a residual user haircut when the DAO has already covered the bulk of the loss through a separate mechanism, and the criteria for Lido stepping in with direct balance-sheet support. Governance response criteria should be predictable before stress events.
Emergency communications and UI controls will also be revised. Future pauses, scope and key decision points will be published faster and explained more clearly to users, reducing reliance on ad hoc coordination during stress.
