Over $8.6B Drained From Aave as Kelp DAO Hack Triggers Massive DeFi Exodus
BinanceEXCHANGEAave's TVL plunged from $26.3B to $17.7B in two days after hackers exploited Kelp DAO's cross-chain bridge, stealing $293M in rsETH and creating $195M in bad debt across lending protocols.
Aave Loses $8.6 Billion in Two Days
The leading DeFi lending protocol Aave experienced a dramatic $8.6 billion outflow over just 48 hours. According to DefiLlama data, the platform's total value locked (TVL) plummeted from $26.3 billion to $17.7 billion as investors rushed to withdraw funds following the exploitation of liquid restaking protocol Kelp DAO.
The AAVE token dropped more than 15%, falling to $91. Its market capitalization contracted from $1.8 billion to $1.3 billion.
USDT and USDC pools on Aave v3 have been completely depleted. Assets worth $5.1 billion are frozen — withdrawals are only possible once fresh liquidity flows in or existing loans are repaid.
Inside the Kelp DAO Exploit
The panic was triggered by an attack on Kelp DAO's cross-chain bridge, built on LayerZero infrastructure. On April 18, attackers extracted 116,500 rsETH worth $293 million.
The stolen tokens were deposited into Aave v3 as collateral, allowing the hackers to borrow wETH against them. They took out approximately $196 million directly from Aave, while their combined positions across Aave, Compound, and Euler totaled around $236 million.
On-chain analysts Lookonchain estimated the resulting hole in the project's balance sheet at roughly $195 million — funds that are effectively unrecoverable.
"Due to the KelpDAO exploiter borrowing over 82,600 $ETH ($195M) from #Aave using $RSETH as collateral, bad debt has appeared on #Aave. Many whales have withdrawn funds from #Aave, causing its TVL to drop from $26.396B to $20.114B — a decline of $6.28B." — Lookonchain (@lookonchain), original post
Curve Finance founder Michael Egorov noted that Aave and other protocols now hold hundreds of millions of dollars in questionable collateral and irrecoverable debt. He pointed out that Aave holds rsETH that cannot be sold while all ETH has been borrowed out — making Ethereum withdrawals impossible.
Why This Matters
The incident exposed a systemic vulnerability in DeFi lending: tokens from a compromised protocol can be used as collateral on other platforms, spreading the damage across the entire ecosystem. Total DeFi TVL collapsed from $99.4 billion to $85.8 billion — a $13.6 billion decline.
The contagion spread to Solana as well. Journalist Colin Wu reported a sharp spike in deposit rates and utilization ratios across several USDC markets on Kamino, Solana's leading lending protocol. The $178 million USDC reserve on the Prime Market was fully exhausted, and utilization across multiple other vaults exceeded 95%.
The rsETH markets on Aave v3 and v4 have been frozen to prevent further suspicious activity. wETH reserves are locked on Ethereum, Arbitrum, Base, Mantle, and Linea.
"The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave's contracts have not been exploited and this is an exploit related to rsETH. The freeze follows an exploit of the Kelp DAO rsETH bridge." — Aave (@aave), original post
The Aave team initially claimed its Umbrella reserve fund would cover any shortfall but later softened the language to "exploring compensation pathways." Several projects — including Curve Finance and Ethena — suspended use of the Kelp DAO bridge, along with other networks and protocols that interact with rsETH or LayerZero.
LayerZero Investigation Points to North Korean Hackers
Kelp DAO continues investigating the root cause of the breach. Meanwhile, LayerZero developers released preliminary findings from their internal probe.
LayerZero (@LayerZero_Core) announcement
According to their analysis, the attack was carried out by North Korean hackers — specifically the TraderTraitor group, linked to previous exploits of Ronin ($625 million), Bybit ($1.5 billion), and Drift Protocol ($280 million).
The attack vector was as follows: the hackers gained access to the list of RPC servers used by LayerZero Labs' Decentralized Verifier Network (DVN). They poisoned two of these servers, forcing them to deliver a fraudulent cross-chain message to the DVN. Simultaneously, attackers launched a DDoS attack against clean servers to ensure the network relied on the compromised nodes.
Kelp DAO operated a single DVN configuration without redundancy (1/1), meaning no independent verifier could intercept and reject the forged message. LayerZero developers emphasized that they had previously advised the project on DVN diversification best practices, but the recommendations went unheeded.
LayerZero confirmed that the compromise did not affect other assets or applications. The team continues working with law enforcement agencies and tracking the stolen funds.
Frequently Asked Questions
How much was stolen in the Kelp DAO hack?
Hackers extracted 116,500 rsETH worth $293 million from Kelp DAO's cross-chain bridge. They used the stolen tokens as collateral to borrow across Aave, Compound, and Euler, with total positions reaching approximately $236 million.
Why did Aave TVL drop after the Kelp exploit?
Hackers deposited stolen rsETH as collateral on Aave and borrowed wETH against it, creating approximately $195 million in bad debt. This triggered a mass withdrawal by investors, causing TVL to plunge from $26.3 billion to $17.7 billion in just two days.
Who was behind the Kelp DAO bridge attack?
LayerZero's internal investigation identified the North Korean hacking group TraderTraitor as responsible. This group has been linked to previous exploits including Ronin ($625M), Bybit ($1.5B), and Drift Protocol ($280M).
Are Aave funds safe after the Kelp DAO hack?
Aave's own contracts were not exploited — the breach originated from Kelp DAO's bridge. However, USDT and USDC pools on Aave v3 are fully depleted, and $5.1 billion in assets are frozen until new liquidity arrives or loans are repaid.
How did hackers exploit Kelp DAO's LayerZero bridge?
Attackers poisoned two RPC servers used by LayerZero's Decentralized Verifier Network and launched a DDoS attack on clean servers. Because Kelp DAO used a single DVN configuration (1/1) without redundancy, the forged cross-chain message passed through unchecked.
Read also
Weekly Recap: Aave Ecosystem Rescue Mobilizes 100,000 ETH and Quantum Computer Cracks 15-Bit ECC Key
Bitcoin held near $78,000, the DeFi community rallied over 100,000 ETH to help Aave recover from the Kelp hack, and a researcher cracked a 15-bit ECC key on a quantum computer.
Drift Protocol Hack Victims File Class Action Lawsuit Against Circle Over $230M in USDC
Over 100 victims of the Drift Protocol exploit have filed a class action lawsuit against Circle in Massachusetts court, accusing the USDC issuer of negligence and enabling hackers.
AI Audit Uncovers Critical Liveness Bug in Ethereum's Nethermind Client
Octane Security's AI discovered a high-severity vulnerability in the Nethermind execution client that could have halted block production for 38% of Ethereum mainnet validators. The Ethereum Foundation awarded a maximum $50,000 bounty.
TON Wallet Introduces Yield Vaults for BTC, ETH, and USDT Directly in Telegram
TON Wallet has launched yield vaults for BTC, ETH, and USDT directly within Telegram, offering up to 18% APY on stablecoins through partnerships with Morpho, TAC, and Re7.
Stablecoin Transfer Volume Hits $10.5 Trillion in January — Highest Since April 2022
January stablecoin transaction volume surpassed $10.5 trillion, marking the highest monthly figure since April 2022. USDC led transfers while USDT maintained market cap dominance.
Top 10 Dollar Stablecoins in 2026: From Dominant Players to Exit Candidates
The stablecoin market has surpassed $311 billion in total capitalization. Here's a breakdown of the ten largest USD-pegged stablecoins — from undisputed leaders Tether and Circle to ambitious newcomers.