← Blog

How the EtherFi Liquid Vaults Responded to the April 18 Kelp Exploit

Notes on the Kelp incident, on-chain response, and what depositors should ask of any vault curator

DeFi 4 min read May 13, 2026
APY comparison across major ETH yield vaults as of May 12 2026, showing EtherFi Liquid ETH as the only vault paying positive APY in every measured window.
APY comparison across major ETH yield vaults as of May 12 2026, showing EtherFi Liquid ETH as the only vault paying positive APY in every measured window.

On April 18, 2026, an exploit in Kelp DAO's rsETH bridge drained approximately $292 million.

Nonce Capital curates the EtherFi Liquid vault family: Liquid ETH, Liquid USD, Liquid BTC, sETHFI, and eBTC. This post documents the response we took on-chain: when we paused, how we isolated cross-chain routes, how withdrawals reopened, and how we reduced the Aave loop while keeping exits orderly.

What happened

The exploit was at the bridge layer, not the vault layer. Stolen rsETH was bridged and used as collateral against Aave V3 Core to borrow WETH and wstETH. The downstream effect was sharp: Aave's Guardian froze rsETH markets within hours, WETH borrow rates spiked briefly above 14%, and every leveraged ETH-looper running an Aave loop felt the squeeze.

Many vaults that publicly said "no rsETH exposure" still felt the rate spike. The honest test of a curator's response on April 18 was not whether the vault held rsETH. It was what the curator did with their Aave loop when borrow rates moved.

What we did

Pause. At 22:10 UTC or 4 hours and 35 minutes after the attack, we paused the Liquid ETH, Liquid USD, and Liquid BTC Tellers in a single Safe transaction. sETHFI and eBTC followed at 22:37 UTC. The pause was on-chain before any public communication was sent out.

Isolate the LayerZero attack vector. We also stopped the LayerZero message routes on the affected Tellers. The cross-chain bridging surface was closed off independently of the deposit/withdraw pause.

Resume normal operations within 24 hours. At 05:31 UTC on April 20 the Tellers were unpaused. Deposits and withdrawals were back on and total user-facing pause window was approximately one day.

Deleverage the Aave loop, on a schedule. Over the following 24 days, we repaid approximately 268,000 WETH of Aave V3 Core debt across 18 transactions. The unwind was paced as large dumps would have moved the WETH market against every other borrower in it. The position is still active and still earning.

Harden LayerZero. On April 22, we pinned LayerZero send and receive libraries for the weETH OFT adapter on-chain. The current required-DVN configuration is verifiable through LayerZero's EndpointV2.

Maintain a buffer. We held a 200 ETH operational buffer to absorb withdrawal latency and a Uniswap V3 liquidity position to keep exits orderly during the incident window. Anyone who wanted out got out, cleanly.

What it left us with

And now, 24 days post-incident, the Liquid ETH vault is still paying positive APY across every measured window from 1 day to 90 days. And we are the only major ETH yield vault in our peer group currently doing so.

Several peer ETH yield vaults continue to remain non-yielding in short windows; with one being materially negative across all timeframes. These claims can be backed independently, with addresses linked at the end of this post.

Also, user yields held through the disruption with cross-chain bridging restored under tighter LayerZero settings than what was shipped pre-incident to further increase security standards in response.

kelp-apy-comparison.png

What depositors should verify after April 18th

The lesson from April 18 is not that every vault needs the same strategy. It is that vault returns depend on operational decisions when connected markets break. If you are underwriting an LST/LRT vault, the APY is only one part of the question.

  1. What did the vault do when WETH borrow rates moved?

After April 18, the relevant question went beyond direct rsETH exposure. The Kelp exploit affected more than vaults that held rsETH because the stress moved into Aave borrow markets. Any leveraged ETH vault with Aave exposure had to manage that shock. The useful answer is the transaction record showing what changed.

  1. What can the vault pause, and how quickly can it reopen?

Deposits, withdrawals, cross-chain routes, and strategy execution can each carry different risks. The key question is what authority is required, what remains available to users, and what conditions must be met before the vault reopens.

On the operational tempo

A fast response matters, but so does the path a transaction takes before it reaches mainnet. We operate through reviewed transactions and approved control paths, which adds latency by design.

The same process that took time on April 18 kept each action on-chain, verifiable, and accountable. We continue to look for ways to shorten that path while preserving the review that made the response verifiable.

That operating discipline does not show up in an APY chart, but it matters when markets break.

Verification

Each row in the comparison table is independently verifiable on vaults.fyi:

Key on-chain transactions referenced in this post:

The items above are referenced in the timeline of this post.

Nonce Capital curates the EtherFi Liquid vault family. Follow @noncecap on X for more research notes and analysis.