Aave Estimates $124M–$230M in Bad Debt Following Kelp Exploit

Aave service providers released an incident report on Monday quantifying the protocol's exposure to the Kelp DAO rsETH bridge exploit from April 18. They outlined two bad-debt scenarios, ranging from $123.7 million to $230.1 million, and recommended an immediate pause of Aave's Umbrella safety module. The report, posted on the Aave governance forum, states that 89,567 of the 116,500 rsETH stolen from Kelp's LayerZero bridge were deposited into Aave across seven attacker-controlled wallets. These positions borrowed 82,650 WETH, valued at roughly $190.86 million, alongside 821 wstETH, worth approximately $2.33 million. The single largest position was on Aave's Ethereum Core market. One wallet supplied 53,000 rsETH and borrowed 52,460 WETH, equating to roughly $121 million. The rest of the positions were spread across Aave's Arbitrum deployment. All attacker positions currently maintain health factors between 1.01 and 1.03. These are dangerously close to liquidation thresholds but remain active as of the report. I would monitor how governance responds to the Umbrella pause proposal and whether the health factors deteriorate before any action is taken.