Kelp DAO Exploit Sparks Aave Liquidity Crunch, $6.2 Billion Withdrawal Panic – Decrypt

In short
Aave customers struggled to withdraw funds from Aave after attackers borrowed with stolen rsETH on the platform, spiking a core market’s so-called utilization price.
The funds have been plundered from a LayerZero-powered bridge, in what onlookers described as DeFi’s largest exploit up to now this 12 months.
Early Sunday, DefiLlama’s 0xngmi mentioned Aave had confronted $6.2 billion in internet withdrawals, whereas Spark’s monetsupply.eth pointed to “unfavorable secondary results.”
Lower than a day after attackers drained $291 million in crypto from infrastructure linked to decentralized finance undertaking Kelp DAO, customers on Aave, one in all DeFi’s most battle-tested protocols, struggled to withdraw funds amid a liquidity crunch.A bridge that sometimes permits customers to maneuver an asset referred to as rsETH from one community to a different was exploited on Saturday, prompting Aave to freeze markets tied to the token, which attackers had used to borrow funds from the platform, the lending protocol mentioned in an X publish.In the meantime, Kelp DAO mentioned in an X publish that it had “paused rsETH contracts” throughout Ethereum’s mainnet and a number of other layer-2 scaling networks because it investigates suspicious exercise.
Earlier at present we recognized suspicious cross-chain exercise involving rsETH. We've got paused rsETH contracts throughout mainnet and a number of other L2s whereas we examine.
We're working with @LayerZero_Core, @unichain, our auditors and prime safety specialists on RCA.
We'll preserve you…
— Kelp (@KelpDAO) April 18, 2026The attackers’ exercise on Aave brought on the so-called utilization price of a core lending pool to spike to 100%, signaling that customers who beforehand deposited Ethereum and wrapped Ethereum have been left with little to no liquidity to withdraw, Aavescan knowledge confirmed.An hour earlier than Aave locked down the markets, blockchain safety agency PeckShield flagged a transaction exhibiting 116,500 rsETH, price $291 million on the time, flowing to a recent pockets.The attackers didn’t abscond with rsETH that had been maliciously launched from the bridge. Somewhat, they used Aave to borrow common funds, creating “large dangerous debt,” Francesco Andreoli, head of developer relations at Consensys and MetaMask, mentioned in an X publish. (Disclaimer: Consensys is one in all many buyers in an editorially unbiased Decrypt.)Aave’s governance token plunged to $90.13 on Sunday, a 16% lower over the previous day, in response to CoinGecko. Ethereum fell 2% to $2,300 over the identical interval.As customers struggled to withdraw from Aave, they started borrowing towards their deposits in stablecoins, straining the liquidity additional as an indication of “unfavorable secondary results,” mentioned monetsupply.eth, the pseudonymous head of technique at DeFi undertaking Spark, in an X publish.The Kelp DAO exploit and ensuing fallout on Aave prompted a large wave of withdrawals from a number of DeFi protocols, even those who have been unaffected, in response to 0xngmi, the pseudonymous co-founder of information supplier DefiLlama. On a internet foundation, customers had yanked $6.2 billion from Aave alone by early Sunday, they mentioned in an X publish.
The Aave scenario is dangerous and getting worse. A number of different swimming pools are hitting 100% utilization, leaving lenders caught and the protocol susceptible to additional dangerous debt.
Lending charges have elevated to 10-15%, a notable improve however nonetheless not an applicable reward for the perceived…
— Stop (@0xQuit) April 19, 2026With contagion showing to unfold, DeFi’s newest exploit supplies “numerous ammo” for critics skeptical of methods that search to interchange conventional monetary intermediaries with code, Salman Banei, common counsel at Plume, a community targeted on tokenization, mentioned in an X publish.Kelp DAO points rsETH, a liquid staking token that enables customers to earn Ethereum staking and EigenLayer restaking rewards. It acts as a tradeable “receipt” for Kelp DAO depositors. The Kelp DAO bridge was constructed on prime of infrastructure designed by LayerZero, a protocol that enables DeFi functions to ship messages and switch belongings throughout blockchains.Stacy Muur, a famous blockchain researcher, mentioned in an X publish that the exploit appeared to depend on a single level of failure. She wrote {that a} “phantom” message utilized by attackers primarily tricked Kelp DAO’s bridge into releasing rsETH on Ethereum with out eradicating a corresponding quantity of tokens from circulation on Ethereum layer-2 Unichain.Nonetheless, some onlookers have been desperate to discover a path ahead, together with crypto entrepreneur and Tron founder Justin Solar. He tried to barter, arguing that the attackers would in the end battle to spend the stolen funds.“How a lot [do] you need?” he requested them in an X publish. “It’s merely not price it to sacrifice each Aave and Kelp DAO and allow them to go down over this hack.”Day by day Debrief NewsletterStart day by day with the highest information tales proper now, plus authentic options, a podcast, movies and extra.