Lido Proposes $5.8M in stETH to Cover Kelp DAO Exploit Losses
April 23, 2026 | Verse Press
Lido DAO put forward a governance proposal on Thursday to deploy up to $5.8 million in staked ETH (stETH) to cover residual losses in its EarnETH vault following the April 18 exploit that drained approximately $292 million from Kelp DAO's cross-chain bridge. The proposal represents a notable DAO treasury response to third-party protocol risk, and arrives as negotiations over loss distribution continue across multiple affected protocols.
The Exploit, in Brief
At 17:35 UTC on April 18, an attacker extracted 116,500 rsETH tokens from Kelp DAO's LayerZero-powered bridge. Kelp DAO is a liquid restaking protocol that accepts tokens like stETH as deposits, routes them through EigenLayer for additional yield, and issues rsETH as a tradeable receipt. The 116,500 tokens stolen represented roughly 18% of rsETH's entire circulating supply at the time of the attack.
The attacker exploited a weakness in Kelp's bridge configuration. LayerZero's cross-chain messaging system relies on Decentralized Verifier Network (DVN) attestations to confirm transfers between blockchains. Kelp's bridge required only a single DVN attestation, a minimal-security configuration that allowed the attacker to forge a cross-chain message and authorize the drain. The attacker had pre-funded wallets through Tornado Cash roughly 10 hours before striking. Kelp's emergency multisig paused the protocol 46 minutes after the initial drain, blocking two follow-up attempts that would have pulled an additional 40,000 rsETH each. As a downstream consequence of the exploit, rsETH became stranded across more than 20 chains, including Base, Arbitrum, Linea, and Scroll, leaving token holders unable to move or redeem their holdings across those networks.
Rather than dumping rsETH on the open market, the attacker deposited 89,567 rsETH as collateral on Aave V3 and borrowed approximately $190 to $236 million in ETH and related assets across Ethereum and Arbitrum. Approximately $70 million in ETH has since been recovered, and Arbitrum's Security Council used emergency governance powers to freeze another $71 million (30,766 ETH) on-chain. These figures represent two separately reported recovery actions; it has not been independently confirmed whether any portion of the frozen funds is already counted within the $70 million recovery total.
Lido's Exposure and the $5.8M Proposal
Lido's EarnETH vault had roughly $21.6 million in rsETH exposure through a leveraged position on Aave, about 9% of the vault's total value locked. EarnETH is a yield-optimization product within Lido's newer "Earn" suite that pursues higher returns by taking leveraged positions across DeFi protocols, making it more exposed to third-party risk than Lido's core staking contracts.
Lido had a $3 million first-loss protection buffer already in place, funded from a $5 million DAO treasury allocation approved in March 2026. That buffer was designed so DAO-owned vault shares absorb losses before user funds are affected. The new $5.8 million stETH proposal suggests the shortfall may exceed that initial cushion, though the $5.8 million figure has not been independently verified against the Lido governance forum and should be treated as preliminary pending confirmation. The use of stETH, a yield-bearing asset, rather than Lido's governance token (LDO) is notable: it means the DAO is committing productive capital to cover user losses.
Lido stated clearly that its core staking products are not at risk. "The rsETH issue does not involve the Lido staking protocol itself," the team said in a statement reported by crypto.news. "stETH and wstETH remain unaffected and continue to operate normally." EarnETH deposits and withdrawals remain paused while recovery and loss-distribution talks continue.
The complexity of those talks is underscored by Aave's own potential exposure. Aave faces estimated bad debt in the range of $124 million to $177 million under conservative projections and $200 million to $230 million under higher estimates, stemming from the rsETH collateral the attacker deposited before borrowing against it. Those figures help explain why loss-distribution negotiations are extending across multiple protocols simultaneously.
Broader Market Impact
The exploit triggered a significant confidence shock across DeFi. Aave, which is central to the attacker's exit strategy and holds rsETH collateral, froze its rsETH markets as a precaution. Aave founder Stani Kulechov confirmed publicly that Aave's contracts were not compromised and characterized the freeze as a precautionary measure rather than a response to any breach of the protocol itself. Aave's total value locked dropped from roughly $26.3 billion to $20 billion in the days following the attack. Aave's token fell 10 to 17%, and LayerZero's ZRO token dropped around 12%. Total DeFi TVL fell more than $13 billion over 48 hours.
Prediction markets on Polymarket placed only a 14% probability on Kelp distributing losses across all rsETH holders as of April 22, suggesting traders do not expect a Bitfinex-style universal haircut, in which losses were distributed proportionally across all customers.
Kelp and LayerZero have publicly traded accusations over responsibility. Kelp argued that LayerZero's default security configuration was inadequate; LayerZero responded that Kelp had chosen a minimal-security bridge setup.
Regional Stakes
The exploit carries particular weight in markets where DeFi serves as practical financial infrastructure rather than speculative activity. In Nigeria, Africa's largest crypto market by volume, Aave has been widely used as a lending market by users with limited access to traditional credit. The protocol's temporary freeze and TVL collapse directly affect those users.
Kenya-based outlet BitKE flagged a separate concern around Arbitrum's Security Council freeze: a 12-member council overriding on-chain transaction finality creates tension with the censorship-resistance narrative that drives adoption across markets with capital controls or fragile banking systems. BitKE and other industry observers have argued that if a governing council can freeze assets, the trustlessness that DeFi promises to users in those markets becomes conditional rather than absolute.
In India, where restaking protocols have gained traction among tech-literate retail users seeking dollar-denominated yield, the exploit will likely sharpen regulatory scrutiny from the Financial Intelligence Unit and Ministry of Finance, both of which have been tightening oversight of crypto infrastructure.
In Pakistan and Bangladesh, the stakes have a different character. Crypto adoption in both countries has been driven primarily by remittance use cases and the need for dollar-denominated liquidity rather than yield-seeking. Users in these markets depend on DeFi liquidity conditions through protocols like Aave as a practical alternative to costly remittance corridors, and a sustained contraction in available liquidity following the exploit puts those use cases under pressure as well.
What Comes Next
The Kelp exploit is the second major attack in three weeks to target cross-chain infrastructure rather than individual smart contracts. A North Korea-linked attack targeted Drift Protocol for $270 to $285 million on April 1. One security analyst quoted by CoinDesk described the pattern in precise terms: "This is not a series of incidents; it is a cadence."
Lido's governance vote on the $5.8 million stETH allocation will be a near-term test of whether DAOs can respond to external protocol failures with speed and credibility. For developers building on LayerZero or similar messaging systems, the immediate takeaway is practical: single-attestation bridge configurations carry demonstrated systemic risk that reaches well beyond any one protocol.
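The single-attestation weakness described in the exploit summary and in the takeaway above can be checked for before deployment. The following is an added example, not code from Kelp, LayerZero, or the original article: it assumes a simplified policy in which a message is accepted once every required verifier and a threshold of optional verifiers have attested, and all class, field, and verifier names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    # Hypothetical model of one pathway's verifier settings (not LayerZero's API).
    pathway: str
    required: frozenset          # every verifier here must attest
    optional: frozenset = frozenset()
    optional_threshold: int = 0  # how many of `optional` must also attest

def accepts(cfg, attested):
    """True if the set of verifiers that attested satisfies the pathway's policy."""
    return cfg.required <= attested and len(attested & cfg.optional) >= cfg.optional_threshold

def min_compromised(cfg):
    """Fewest distinct verifiers that must be compromised for a forged message to pass."""
    overlap = len(cfg.required & cfg.optional)  # one attestation counts in both lists
    return len(cfg.required) + max(0, cfg.optional_threshold - overlap)

def audit(cfg, min_quorum=2):
    """Return a list of findings; an empty list means the pathway passes."""
    findings = []
    if cfg.optional_threshold > len(cfg.optional):
        findings.append("optional threshold exceeds optional pool; pathway can never verify")
    if cfg.required & cfg.optional:
        findings.append("verifier listed as both required and optional; quorum is overstated")
    k = min_compromised(cfg)
    if k < min_quorum:
        findings.append(f"{k} verifier(s) suffice to approve a message; need at least {min_quorum}")
    return findings

# Constructed sample configurations; pathway and verifier names are placeholders.
SINGLE = VerifierConfig("eth->l2-a", frozenset({"dvn-1"}))
OVERLAP = VerifierConfig("eth->l2-b", frozenset({"dvn-1"}),
                         frozenset({"dvn-1", "dvn-2"}), 1)
HARDENED = VerifierConfig("eth->l2-c", frozenset({"dvn-1", "dvn-2"}),
                          frozenset({"dvn-3", "dvn-4"}), 1)

if __name__ == "__main__":
    for cfg in (SINGLE, OVERLAP, HARDENED):
        print(cfg.pathway, min_compromised(cfg), audit(cfg) or "ok")
```

The OVERLAP case appears to demand two attestations but is satisfied by one, which is why the audit counts distinct verifiers rather than configured list entries.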