Aave Protocol Faces Over $100 Million in Potential Bad Debt, Loss Scale Depends on Allocation Plan

BroadChain has learned that at 10:16 on April 21, according to TechFlow, Aave risk service provider LlamaRisk released a report stating that on April 18, an attacker exploited a vulnerability in Kelp's LayerZero V2 Unichain to Ethereum rsETH routing, forging data packets to illegally release 116,500 rsETH. Of these, 89,567 rsETH were deposited as collateral into multiple Aave V3 markets, allowing the attacker to borrow approximately 82,650 WETH and 821 wstETH. Currently, the adapter holds only 40,373 rsETH, creating a significant gap compared to the total claim amount of 152,577 rsETH on the remote chain. Depending on the loss allocation method, Aave faces two potential bad debt scenarios: if losses are globally shared, the estimated bad debt is approximately $123.7 million, with Ethereum Core bearing the greatest pressure; if losses are limited to L2, the estimated bad debt is about $230.1 million, with Mantle's WETH reserve gap reaching as high as 71.45% and Arbitrum at 26.67%. Following the incident, Aave protocol guardians have frozen all related reserves across 11 markets and set LTV to zero, while also adjusting WETH interest rates and freezing borrowing. The Aave smart contracts themselves were not attacked, and the protocol logic is functioning normally. The Aave DAO treasury currently holds approximately $181 million in assets, providing some coverage capacity. Subsequent handling will depend on Kelp's official decision regarding loss allocation.