A critical exploit of KelpDAO’s cross-chain infrastructure has left lending platform Aave with hundreds of millions of dollars in bad debt and triggered a full-blown liquidity crunch in its ETH markets, according to on-chain data from April 18–19.
Attacker mints $292 million in rsETH and drains Aave
On April 18, an attacker exploited a vulnerability in KelpDAO’s system to mint roughly 116,500 rsETH—worth about $292 million—without posting the required collateral.
These illegitimate rsETH tokens were then deposited as collateral on Aave V3 and V4, where they were treated as valid assets. Using this artificial collateral, the attacker borrowed other assets, mainly ETH, and left the protocol with unrecoverable debt once the issue was uncovered.
Initial estimates place Aave’s resulting bad debt between $177 million and $200 million, making it the largest decentralized finance exploit of 2026 so far, surpassing the roughly $280 million loss reported by Drift Protocol earlier in the month.
ETH market locks up as utilization hits 100%
The exploit quickly triggered a rush for the exits. Large holders began pulling ETH from Aave in size as concerns about exposure to compromised rsETH spread.
ETH utilization on Aave surged to 100%, meaning all available ETH was borrowed and no liquidity remained for new loans or withdrawals. This effectively froze parts of the lending market and amplified the stress on Aave’s balance sheet.
Historically, large holders have used lending markets for leveraged yield, arbitrage, and rate strategies. This time, their behavior flipped from risk-taking to capital preservation, as they unwound positions to reduce any connection to KelpDAO-linked assets.
KelpDAO pauses contracts and blocks follow-up attacks
Following the discovery of the exploit, KelpDAO moved to pause affected smart contracts on mainnet and several Layer-2 networks in an attempt to contain the damage.
KelpDAO reported that two further attempts to drain an additional $100 million were stopped due to these emergency measures. The team is now working with external security specialists, including LayerZero and Unichain, to perform a full root cause analysis.
KelpDAO has also opened a negotiation window for the attacker to return funds under a “whitehat” arrangement, a common tactic in DeFi incidents to recover assets and reduce losses.
Contagion shows risks of interconnected DeFi collateral
While Aave’s core smart contracts were not directly breached, its decision to accept rsETH as collateral tied its risk profile to the security of KelpDAO.
Once rsETH’s backing was compromised, Aave’s systems continued to treat it as valid collateral, effectively overvaluing an asset whose underlying support had failed. When liquidations became impractical due to instability and illiquidity in rsETH, a shortfall was locked in as bad debt.
The episode underlined how flaws in one protocol can rapidly spill over into others through shared collateral, impacting liquidity, price stability, and confidence across the broader decentralized finance ecosystem.
Market reaction and AAVE token impact
News of the exploit and the resulting bad debt weighed heavily on Aave’s native token, AAVE, which fell around 10% in the hours following the incident as markets priced in potential losses and prolonged disruption in the lending pools.
The liquidity squeeze and the visible stress in ETH markets added to uncertainty around how quickly Aave can restore normal operations and absorb the shortfall.
Aave’s “umbrella” safety module faces key stress test
Attention is now turning to how Aave’s governance community will address the deficit. Central to that response is expected to be the protocol’s upgraded “umbrella” safety module, designed as a more automated, robust backstop for such events.
Unlike the earlier safety framework, the umbrella module aims to cover deficits with fewer ad hoc governance steps, allowing faster mobilization of insurance-like reserves to recapitalize pools.
Upcoming discussions are likely to focus on:
- how much of the umbrella funds to deploy to cover rsETH-related bad debt
- in what sequence to restore liquidity to the most affected markets, particularly ETH
- how to adjust collateral standards and risk parameters for externally issued assets
Calls for stronger collateral and risk controls
Analysts say the incident reinforces the need for tighter collateral evaluation and risk containment tools across lending platforms. Key themes include:
- more rigorous due diligence on external collateral issuers such as liquid staking or synthetic asset protocols
- dynamic risk limits and caps for newer or cross-chain assets
- clearer processes to rapidly freeze or de-risk compromised collateral before losses escalate
The outcome of Aave’s response will serve as a critical trial for its new safety architecture and a reference point for how decentralized lending markets handle large-scale credit shocks linked to external protocol failures.
Worried about DeFi exploits like Aave’s? Learn core concepts and risks in our guide to what is DeFi and how it works.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
