In April 2026, the DeFi sector faced a severe trust crisis. According to reports from AICoin and various sources, a cross-chain bridge associated with Kelp DAO recently suffered a major attack, where the attackers created approximately $292 million worth of unsecured rsETH out of thin air. These counterfeit assets were quickly deposited as collateral in lending protocols like Aave, resulting in the borrowing of real ETH, which directly led to about $200 to $230 million in bad debts for the protocol. According to analysts from JPMorgan, as a result of this chain reaction, the total value locked (TVL) in DeFi evaporated by approximately $20 billion in just a few days, exposing the systemic vulnerabilities arising from the high interconnection between protocols and triggering panic withdrawals from funds that were not directly related to the attacked assets.

Faced with the pressure of bad debts, Aave disclosed a recovery plan in collaboration with DeFi United on April 28. The core of this plan is to rebuild the asset backing of rsETH: DeFi United intends to convert the committed ETH into rsETH in batches at a ratio of approximately 1:1.07 and deposit it into the bridging custody contract. To repair the damaged market, Aave plans to execute controlled liquidations on Ethereum and Arbitrum through governance proposals, aiming to reclaim the excess collateral from around 107,000 rsETH. During the execution of the plan, WETH and rsETH reserves on chains including Ethereum Core, Arbitrum, Base, Mantle, and Linea will remain frozen. This “self-rescue experiment” surrounding cross-chain security and risk control mechanisms will directly define the narrative trajectory of DeFi in the post-crisis era and the confidence boundary of institutional investors.

rsETH Cross-Chain Attack Causes $230 Million in Bad Debts

The trigger for this crisis stems from the fatal blow suffered by the cross-chain bridge associated with Kelp DAO in April 2026. Reports from AICoin and multiple media outlets citing JPMorgan’s research indicate that attackers exploited a vulnerability in the cross-chain bridge to mint approximately $292 million of unsecured rsETH out of thin air. Subsequently, hackers followed a typical DeFi leverage strategy: they used these fraudulently generated rsETH as collateral, quickly injecting them into mainstream lending protocols like Aave and Compound, borrowing a large amount of real ETH and transferring it away. This operation directly led to severe insolvency in the rsETH positions within the lending protocols, with statistics showing that the bad debts generated amounted to as much as $200 to $230 million.

This attack not only severely impacted holders of rsETH but also triggered systemic shocks within the DeFi ecosystem. Although the attack specifically targeted certain assets, panic spread rapidly due to the high interconnections between protocols, leading to significant withdrawal of funds from many DeFi pools that were not directly related to rsETH. JPMorgan's report pointed out that within just a few days following the attack, the total value locked (TVL) across DeFi networks evaporated by around $20 billion. This chain reaction exposed the vulnerabilities of the DeFi “Lego block” structure when faced with extreme security incidents, as the collapse of credit in a single asset could rapidly evolve into a global liquidity contraction through the transmission mechanisms of cross-chain bridges and lending protocols.

In terms of security tracing, LayerZero and several blockchain security researchers have attributed this attack to the North Korean hacker organization Lazarus Group, based on tracking the funds' flow on the chain. According to The Block, while some of the stolen funds have been successfully frozen, a significant portion is still being transferred through complex paths. This incident has once again brought cross-chain bridge security to the forefront. JPMorgan analysts note that the scale of losses from attacks in the crypto sector this year has reached parity with 2025, and cross-chain facilities remain the weakest link in the DeFi system, with structural flaws continuously undermining institutional investors' trust in decentralized financial protocols.

DeFi United Rebuilds rsETH Support

In response to the systemic shock caused by the $292 million unsecured rsETH, DeFi United officially announced its technical implementation plan on April 28, aiming to restore the asset backing of Kelp DAO through specified asset injection paths. According to data disclosed by Aave, the core logic of this plan is to convert the committed ETH into rsETH in batches and uniformly deposit them into the bridging custody contract. This move intends to hedge against the dilution effect caused by the hacker's minting of assets at the foundational mechanism level, aiming to re-anchor the intrinsic value of rsETH through the “backfilling” of real assets.

Regarding specific reconstruction parameters, the plan sets a target recovery level of approximately 1.07 ETH for every rsETH. This ratio is set not only to cover the existing asset gap but also to establish clear payment expectations on-chain to alleviate market panic caused by the attack. While the technical path has been clarified, the formal implementation of this plan still requires a rigorous governance approval process. According to official information from Aave, prior to completing the execution timeline and final agreement signing, the reserves of WETH and rsETH on several mainstream public chains, including Ethereum Core, Arbitrum, Base, Mantle, and Linea, will remain frozen to physically isolate risks and prevent further expansion during the repair period.

Aave Controlled Liquidation Seeks to Recover 107,000 rsETH

While isolating risks, Aave plans to initiate a “controlled liquidation” process on the Ethereum and Arbitrum networks through a governance proposal. According to an announcement released by Aave on April 28, the core goal of this action is to orderly dispose of the positions of the attackers on Aave and Compound, aiming to recover the excess collateral among approximately 107,000 rsETH. Data from AICoin shows that the attackers previously borrowed real ETH using the unsecured rsETH they generated out of thin air as collateral, resulting in a bad debt gap of approximately $200 to $230 million. Through controlled liquidation, the protocol aims to maximize the closure of non-compliant positions and repair the damaged market balance sheet without triggering a chain collapse in the market.

Compared to conventional market liquidation, this controlled mode combines the freezing of specific assets with a preset execution rhythm. Official information indicates that during the execution of controlled liquidation, reserves of WETH and rsETH on Ethereum Core, Arbitrum, Base, Mantle, and Linea will continue to remain frozen. This intervention is expected to mitigate price shocks caused by large-scale position liquidations, avoiding irrational liquidity exhaustion of rsETH in the secondary market. However, this administrative-type remedy also means that trading and leverage activities in the relevant markets will be periodically restricted, significantly compressing users' positions management space in these networks, forcing DeFi protocols' resistance to censorship and flexibility to yield to systemic safety under extreme risks.

JPMorgan: Security and TVL Suppress Institutions

According to multiple media reports citing JPMorgan’s latest reports dated April 23 to 24, the frequent security events in the DeFi sector and the stagnation of the total value locked (TVL) measured in Ethereum are becoming key factors limiting deep participation by institutional investors. The report notes that although the dollar-denominated DeFi TVL may rebound with market prices in specific periods, when measured in ETH, the overall scale remains flat over the long term, reflecting a lack of substantial endogenous growth momentum in the ecosystem.

This attack on the cross-chain bridge associated with Kelp DAO is viewed by JPMorgan as a typical case exposing systemic risks in DeFi. According to statistics and reports from AiCoin, attackers minted approximately $292 million of unsecured rsETH and used it as collateral to borrow real ETH in protocols like Aave, directly causing about $200 to $230 million in bad debts. The negative chain reaction of this event was extremely strong, resulting in a $20 billion evaporation of the DeFi market TVL in just a few days, even triggering large-scale withdrawals from funds pools not directly related to the attacked assets. This cross-protocol linkage vulnerability further corroborates that cross-chain bridges remain the weakest link in the current DeFi ecosystem.

The report further observes the user behavior patterns that emerge after the occurrence of risks. JPMorgan analysts note that following the security event in April 2026, users exhibited a clear risk-averse tendency, quickly concentrating funds into more liquid assets such as USDT. However, this tendency has not yet translated into a significant increase in USDT market capitalization, manifesting more as defensive adjustments of existing funds. JPMorgan believes that the scale of losses from hacker attacks in the crypto sector this year is similar to that of 2025, and until there is a fundamental improvement in security and underlying architectural risks, it will be a long process for institutions to regain trust in DeFi.

Morpho Halts to Address Cross-Chain Risk Spread

Following the attacks on Kelp DAO and LayerZero Bridge and the resultant systemic shocks, preventive risk isolation has become the preferred strategy for mainstream DeFi protocols. According to AiCoin news, the Morpho Association announced on April 19 that for preventive purposes, it has suspended the OFT (Omnichain Fungible Token) cross-chain bridge function for the MORPHO token on Arbitrum. This action followed closely on the heels of the rsETH attack event, indicating that when the security of underlying infrastructure is called into question, protocol parties prefer to sacrifice some interoperability to cut off potential paths for risk transmission.

In its official statement, Morpho clearly indicated that the suspension of cross-chain functionality for Arbitrum will continue until the fundamental cause of the rsETH incident is thoroughly confirmed. This “pulling the plug first, then verifying later” cautious attitude reflects the current DeFi protocols' heightened sensitivity to cross-chain security. With Lazarus Group being pointed as the mastermind and approximately $292 million of unsecured assets flowing into the market, any assets based on cross-chain standards such as LayerZero are facing potential confidence crises.

From an industry impact perspective, while these proactive defense strategies limit users' cross-chain liquidity and asset allocation experience in the short term, they have become a normalized security option to address the spillover of cross-chain bridge vulnerabilities in the current highly interconnected multi-chain ecosystem. JPMorgan’s analysis also supports this: cross-chain bridges remain the weakest link in the DeFi ecosystem, and timely functional circuit breakers to reduce risk exposure are essential means to restore institutional investor confidence and prevent the further spread of bad debts.

Reassessment of DeFi Security: rsETH Incident and Recovery

In summary of the rsETH attack incident, Aave and DeFi United's recovery plans, and JPMorgan’s institutional perspective, DeFi is at a critical stage of re-pricing the narrative of “security and growth.” Currently, the DeFi United plan has clearly identified technical implementation paths and aims to convert committed ETH into rsETH in batches to be deposited into the bridging custody contracts, striving to restore asset backing at a ratio of approximately 1 rsETH to 1.07 ETH. The subsequent core observation point will be the execution efficiency at the governance level, especially regarding Aave’s plans to reclaim excess collateral from around 107,000 rsETH through controlled liquidation on Ethereum and Arbitrum, determining how smoothly this operation can repair the damaged market and share the bad debts will directly decide the self-healing ability of DeFi protocols under extreme attacks.

Looking ahead, the outcome of this incident will guide DeFi down two distinctly different paths. If the recovery plan is successfully implemented and multi-chain assets are successfully unfrozen, this incident could become a turning point for strengthening DeFi safety standards and cross-chain collateral mechanisms, pushing protocols like Morpho from passive suspension to more mature preventive security practices. However, according to data from AICoin and JPMorgan’s analysis, the DeFi TVL measured in ETH has remained flat over the long term, reflecting a lack of growth momentum. If execution is hindered or further structural vulnerabilities are exposed, institutional investors' doubts about DeFi safety will deepen, potentially continuing to limit the scale of large funds' entry due to systemic risks caused by cross-chain bridge security flaws.

Join our community to discuss together and become stronger!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
AiCoin On-Chain: https://aicoin.com/hyperliquid
AiCoin Exclusive Hyperliquid Benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin Exclusive Aster Benefits: https://www.asterdex.com/zh-CN/referral/9C50e2

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。