The Kelp Exploit: Assessing Positioning and the Potential Consequences for DeFi
On April 18, 2026, liquid restaking protocol Kelp experienced an exploit. An attacker was able to mint 116,500 rsETH ($290M) without backing via its LayerZero route and proceeded to borrow around $190M of ETH and related assets on the lending protocol Aave, across Ethereum and Arbitrum. This raises concerns about the possibility of bad debt accumulation, the full extent of which remains uncertain and subject to ongoing assessment. Approximately 30,000 ETH was recovered by Arbitrum after its Security Council took emergency action.
With immediate ETH recovery attempts likely complete, attention now shifts to the recovery. We explore what market positioning tells us here and examine the second order effects for the DeFi space.
Selected Market Data and Our Interpretations
AAVE fell nearly 25% in the 48 hours following the exploit as the market digested the impact on the protocol. From the lows, AAVE climbed 9%.The partial price recovery could be interpreted by some market participants as reflecting reduced concern about bad debt outcomes. Interestingly, funding did not turn strongly negative until well after the event, suggesting the initial move down was spot driven. As of the observation date, funding rates had not reflected strong net short positioning among perpetual futures traders. While funding has since normalized, AAVE’s perp futures open interest remains 45% above levels prior to the exploit, per data from Velo, suggesting positioning has not reset yet. This interpretation is speculative and price movements alone are not a reliable indicator of protocol solvency or future performance.
ZRO saw similar price action, declining 20% initially before recovering 7% from the lows. However, with its funding closer to 0%, perps traders are demonstrating more of a negative bias, which could indicate concerns over the role of its technology in the exploit. ZRO perps futures open interest is roughly flat to before the event, per data from Velo, suggesting immediate positioning has reset.
ETH performance suggests investors may be looking past the exploit. Although TVL fell 40% in the days after the event, per data from Artemis, ETH price ($2400) on April 22 was higher than at the time of the exploit ($2350). Per Coin Metrics data as of April 22, 2026, ETH perpetual futures funding rates had turned positive. This could be a signal that the value of an L1 should reflect more than the success of its DeFi ecosystem, and mirrors SOL’s full recovery after the Drift exploit earlier in the month, although the full impact of both exploits are still unknown.
Weaknesses Exposed
Bridged assets are not the same as native assets. The rsETH situation exposes risks that multi-chain tokens could be minted unbacked. The exploit illustrates that some DeFi protocols may have limited verification mechanisms for whether deposited assets are fully backed, as evidenced by the rsETH situation described above. The extent to which this applies across the broader DeFi ecosystem varies by protocol. After all, to the smart contracts, they are accepting a valid token native to the blockchain. rsETH on Aave leverages an oracle that still shows the tokens as backed, for example, not reflecting the reality in this instance.
Circuit breakers must be implemented. The fact that the attacker rapidly deposited unbacked rsETH and was able to take out $100M+ of loans without thorough checks highlights areas of improvements in the future. Protocols could seek to implement a multi-hour waiting period for large deposits to be usable and/or for large loans being taken out, giving security researchers time to monitor and respond. However, defining a large deposit will be facts and circumstances dependent and likely seen in hindsight.The extent to which this applies across the broader DeFi ecosystem varies by protocol.
Collateral and LTVs should be reevaluated. To fuel growth, many DeFi protocols accepted collateral that could have points of weakness, such as depegs or bridge vulnerabilities. To solve this, protocols may look to restrict acceptable collateral to only native, non-derivative assets, for example. However, this could result in a smaller addressable market and limit revenue potential for lending protocols. It’s also possible more restrictive LTVs could be implemented to help manage risk. Specifically for Aave, we found over 90% of its WETH borrows on ETH mainnet before the exploit were from staked or restaked collateral, highlighting the prevalence of looping strategies.
Second Order Effects
Interest rates in DeFi may rerate to better reflect risks. For the past few months, stablecoin yields across lending protocols compressed to levels below that of U.S. treasuries, marking an unusual inversion given the differing risk profiles of the two markets. On-chain lending rates may change as participants keep this in mind.
Shift to L1. Arbitrum’s move to confiscate the attacker’s ETH highlights potential concerns around decentralization of L2s, with leading L2s still at Stage 1 decentralization, per L2 Beat. This means their respective Security Councils can take action unilaterally. While the move has its merits, it also sets a precedent for user funds to be seized this way in the future. Consequently, users seeking stronger immutability guarantees may favor the L1, where similar actions require a fork and a significantly higher threshold of community consensus.
Insurance funds may need rethinking. Aave’s Umbrella staking module has around $250M of assets, but these are intended to be used for backing the specific markets. For the WETH market on mainnet, the roughly ~$50M of WETH in Umbrella pales in comparison to the estimated ~$90M of ETH bad debt, as calculated by Llama Risk. Moreover, the scenario could encourage users to withdraw from the staking module to prevent future losses on their part. This could result in a situation where Aave v3 and v4 have less of a backstop, therefore being seen as riskier.
TVL could take time to recover given AI overhang. Greater AI capabilities (Mythos) and 2 large hacks in a row (Drift and Kelp) are heightening concerns over DeFi security. With Ethereum TVL declining since the hack, users are pulling funds and may be rethinking their exposure. Some of this capital may be lost permanently as users reassess risks. DeFi protocols will need to demonstrate safeguards and implement more robust security measures to have users regain confidence.
Pooled vs isolated exposure. The exploit highlights the potential for shared liability in a pooled lending architecture where depositors of any eligible borrowable assets could be impacted by issues with a given collateral asset. This environment highlights the utility of isolated risk models. Morpho attempts to address this through its isolated vault infrastructure, while Aave v4 utilizes a hub-and-spoke model that enables compartmentalized lending and stringent collateral risk management.
Centralized or whitelisted lending may look more attractive. The episode could support the potentially more diligent risk management of CeFi lending, or the safeguards that whitelisted DeFi instances support.
The industry now has an opportunity to implement best security practices and risk management to help prevent such scenarios in the future. Ironically, it may take a page from TradFi on potential improvements, such as flags on large transactions. The improvements delivered over the coming months will be critical to bringing back confidence to the DeFi space.
This material is for informational purposes only and is only intended for sophisticated or institutional investors. Neither FalconX Limited, FalconX Bravo, Inc., FalconX Delta, Inc., FalconX Foxtrot Pte Ltd., FalconX Golf Pte Ltd., Solios, Inc., Falcon Labs, Ltd., KestrelX, Ltd., nor Banzai Pipeline Limited service retail counterparties, and the information on this website is NOT intended for retail investors. The material published on this website is not (i) an offer, or solicitation of an offer, to invest in, or to buy or sell, any interests or shares, or to participate in any investment or trading strategy, (ii) intended to provide accounting, legal, or tax advice, or investment recommendations, or (iii) an official statement of FalconX or any of its affiliates. Any information contained in this website is not and should not be regarded as investment research, debt research, or derivatives research for the purposes of the rules of the CFTC or any other relevant regulatory body.
No discussion of a particular company or product shall be considered an endorsement of such company or product. Past performance is not indicative of future results. FalconX, and its affiliated parties may hold positions in, act as a market maker for, or otherwise have a financial interest in, assets discussed herein, and may benefit from any price movements or transactions involving the subject company. This may change without notice. Prior to entering into any proposed transaction, recipients should determine, in consultation with their own investment, legal, tax, regulatory, and accounting advisors, the economic risks and merits, as well as the legal, tax, regulatory and accounting characteristics and consequences of the transaction. Pursuant to the Dodd-Frank Act, over-the-counter derivatives are only permitted to be traded by "eligible contract participants" (“ECP”s) as defined under Section 1a(18) of the CEA (7 U.S.C. § 1a(18)). Do not consider derivatives or structured products unless you are an ECP and fully understand and are willing to assume the risks.
Solios, Inc. and FalconX Delta, Inc. are registered as federal money services businesses with FinCEN. FalconX Bravo, Inc. is registered as a swap dealer with the U.S. Commodities Futures Trading Commission (CFTC) and is a member of the National Futures Association. FalconX Limited, FalconX Bravo, Inc., FalconX Delta, Inc., Falcon Labs Ltd., and Solios, Inc. are not registered with the Securities & Exchange Commission or the Financial Industry Regulatory Authority. FalconX Golf Pte. Ltd. is not required to be registered or licensed by the Monetary Authority of Singapore (MAS). MAS has granted FalconX Foxtrot Pte. Ltd. a temporary exemption from holding a license under the PSA for the payment services caught under the expanded scope of regulated activities for a specified period. FalconX Limited is a registered Class 3 VFA service provider with the Malta Financial Services Authority under the Virtual Financial Assets Act of 2018. FalconX Limited is licensed to provide the following services to Experienced Investors, Execution of orders on behalf of other persons, Custodian or Nominee Services, and Dealing on own account. FalconX’s complaint policy can be accessed by sending a request to complaints@falconx.io
"FalconX" is a marketing name for FalconX Limited and its affiliates. Availability of products and services is subject to jurisdictional limitations and capabilities of each FalconX entity. For information about which legal entities offer trading products and services, or if you are considering entering into a derivatives transaction, please reach out to your Sales or Trading representative.
This material is for informational purposes only and is only intended for sophisticated or institutional investors. Neither FalconX Limited, FalconX Bravo, Inc., FalconX Delta, Inc., FalconX Foxtrot Pte Ltd., FalconX Golf Pte Ltd., Solios, Inc., Falcon Labs, Ltd., KestrelX, Ltd., nor Banzai Pipeline Limited (separately and collectively “FalconX”) service retail counterparties, and the information on this website is NOT intended for retail investors. The material published on this website is not (i) an offer, or solicitation of an offer, to invest in, or to buy or sell, any interests or shares, or to participate in any investment or trading strategy, (ii) intended to provide accounting, legal, or tax advice, or investment recommendations, or (iii) an official statement of FalconX or any of its affiliates. Any information contained in this website is not and should not be regarded as investment research, debt research, or derivatives research for the purposes of the rules of the CFTC or any other relevant regulatory body.
Prior to entering into any proposed transaction, recipients should determine, in consultation with their own investment, legal, tax, regulatory, and accounting advisors, the economic risks and merits, as well as the legal, tax, regulatory and accounting characteristics and consequences of the transaction. Pursuant to the Dodd-Frank Act, over-the-counter derivatives are only permitted to be traded by "eligible contract participants" (“ECP”s) as defined under Section 1a(18) of the CEA (7 U.S.C. § 1a(18)). Do not consider derivatives or structured products unless you are an ECP and fully understand and are willing to assume the risks.
Solios, Inc. and FalconX Delta, Inc. are registered as federal money services businesses with FinCEN. FalconX Bravo, Inc. is registered with the U.S. Commodities Futures Trading Commission (CFTC) as a swap dealer and a member of the National Futures Association. FalconX Limited, FalconX Bravo, Inc., FalconX Delta, Inc., Falcon Labs Ltd., and Solios, Inc. are not registered with the Securities & Exchange Commission or the Financial Industry Regulatory Authority. FalconX Golf Pte. Ltd. is not required to be registered or licensed by the Monetary Authority of Singapore (MAS). MAS has granted FalconX Foxtrot Pte. Ltd. a temporary exemption from holding a license under the PSA for the payment services caught under the expanded scope of regulated activities for a specified period. FalconX Limited is a registered Class 3 VFA service provider with the Malta Financial Services Authority under the Virtual Financial Assets Act of 2018. FalconX Limited is licensed to provide the following services to Experienced Investors, Execution of orders on behalf of other persons, Custodian or Nominee Services, and Dealing on own account. FalconX’s complaint policy can be accessed by sending a request to complaints@falconx.io
"FalconX" is a marketing name for FalconX Limited and its affiliates. Availability of products and services is subject to jurisdictional limitations and capabilities of each FalconX entity. For information about which legal entities offer trading products and services, or if you are considering entering into a derivatives transaction, please reach out to your Sales or Trading representative.
