CFOtech New Zealand - Technology news for CFOs & financial decision-makers

Talos flags KelpDAO rsETH exploit as major DeFi shock

Thu, 23rd Apr 2026

Talos has published an analysis of the KelpDAO rsETH exploit and the DeFi liquidity disruption that followed, describing the incident as one of the largest liquidity shocks in decentralised finance this year.

The report focuses on an attack that exploited KelpDAO's rsETH bridge configuration, leading to the minting of unbacked tokens and the draining of about 116,500 rsETH, worth roughly USD $290 million. That represented about 18% of the token's supply.

Talos said the attacker targeted a LayerZero decentralised verifier network setup that relied on a single verifier. The incident has heightened concerns about risks in cross-chain infrastructure, where bridge design can create weak points that extend beyond a single protocol.

After minting the unbacked rsETH, the attacker used the tokens as collateral on lending protocols, including Aave. This allowed the borrower to withdraw WETH, pushing the Aave v3 WETH market to 100% utilisation and draining the pool's available liquidity.

The disruption then spread across DeFi markets. Fears of bad debt triggered broader capital withdrawals, sending utilisation sharply higher across USDC and USDT pools. More than USD $9 billion in deposits were withdrawn from Aave, according to the analysis.

Collateral risk

The episode has intensified debate over collateral structures in decentralised finance, especially when derivative assets are used in core lending markets. Assets such as rsETH carry several layers of exposure, including staking, restaking, bridge operations and lending activity, which can amplify losses when one part of the chain fails.

That layering means problems can move quickly between markets that may appear separate. A token created in one protocol can be pledged in another, borrowed against in a third, and used to support liquidity elsewhere, increasing the risk of contagion.

Talos said the exploit showed how these links can turn a technical weakness into a market-wide funding problem. The report presents the event as an example of stacked risk becoming visible only when liquidity begins to disappear.

Market response

The shock comes amid closer scrutiny of stablecoin and DeFi market structure. Liquidity conditions in decentralised lending pools remain central to trading activity across digital assets, and heavy withdrawals from large venues such as Aave can quickly affect pricing, collateral values and borrowing costs.

By tracing the movement of funds through lending pools, the analysis suggests the main risk was not limited to the initial theft. Greater pressure emerged when unbacked assets were admitted to broader collateral frameworks, and confidence in the pool's solvency weakened.

The sequence is likely to sharpen questions about how lending protocols assess collateral quality and whether bridge-based assets should be subject to tighter controls. It also highlights the challenge for DeFi platforms seeking to support increasingly complex yield-bearing instruments without importing hidden dependencies into their core markets.

Tanay Ved, Senior Research Associate at Talos, said the incident shows how tightly connected decentralised markets have become.

"As DeFi becomes more interconnected, isolated vulnerabilities can propagate rapidly across the stack. In this case, a single point of failure in cross-chain verification enabled the minting of unbacked assets, which were then introduced into lending markets and quickly escalated into a broader liquidity crunch."

"What's notable is how many layers of risk were effectively bundled into a single asset, spanning restaking protocols, bridge infrastructure and lending markets, allowing the shock to transmit far beyond the initial exploit," said Ved.

"The incident reinforces the importance of robust collateral frameworks, particularly as more complex, yield-bearing assets are integrated into core DeFi markets. As the ecosystem matures, risk management will need to evolve from protocol-level considerations to a more holistic view of how assets behave across interconnected systems."