AAVE’s price fell about 15% on April 19 after a hacker used unbacked rsETH as collateral to drain liquidity from the protocol, prompting a rapid series of large on-chain sales by major token holders.
Blockchain analyst Ember reported that three whale addresses collectively sold 59,680 AAVE shortly after the exploit, adding to the downward pressure and driving a surge in on-chain trading activity.
Three large addresses unload nearly $6 million in AAVE
On-chain data shows three key wallets exiting sizable AAVE positions in close succession:
- The address linked to the Polymarket user “smaugvision” sold 20,015 AAVE for roughly $2.06 million, at an average price of $102.9 per token.
- A second address, 0xFC5, sold 20,000 AAVE for about $2.05 million at $102.8 per token.
- A third address, 0xA2E, offloaded 19,665 AAVE for approximately $1.95 million at $99.2 per token.
These sales followed the security incident and were preceded by AAVE moving out of lending protocols into external wallets before being sold, indicating a deliberate exit sequence.
Exploit originated from KelpDAO rsETH bridge, not Aave contracts
Subsequent analysis shows the vulnerability did not arise from Aave’s core smart contracts, but from KelpDAO’s rsETH cross-chain bridge.
The attacker was able to:
- Illicitly mint about 116,500 rsETH without backing, with an estimated notional value of around $292 million.
- Deposit this unbacked rsETH as collateral on the lending platform.
- Borrow other assets, including a substantial amount of ETH, against that fraudulent collateral.
Because the rsETH was not properly backed, the borrowed positions left the lending protocol exposed once the exploit was uncovered and the collateral proved effectively worthless.
Potential $177 million in bad debt on the lending protocol
The use of unbacked rsETH as collateral has left the platform facing an estimated $177 million in bad debt. Since the fraudulent collateral cannot be liquidated to recover the borrowed funds, the deficit sits directly on the protocol.
This incident adds to a broader pattern in 2026, with decentralized finance platforms already losing more than $169 million to hacks and exploits in the first quarter alone. It highlights how cross-protocol and cross-chain integrations can propagate risk far beyond the original point of failure.
Governance moves to contain damage
In response, Aave’s governance bodies moved quickly to limit further impact:
- rsETH markets on Aave V3 and V4 were frozen to block additional borrowing or collateral deposits using the compromised asset.
- The organization stated it will consider using its “Umbrella” backstop mechanism, a reserve framework designed to address shortfalls and systemic events.
How the bad debt is ultimately handled will be a key test of the protocol’s risk management design and governance responsiveness.
Whale behavior points to automated risk systems
On-chain patterns across the three large addresses show:
- Similar timing in withdrawals and sales.
- Movement of tokens from lending protocols to external wallets just before liquidation.
- Highly synchronized exits that align closely with the unfolding of the exploit.
Analysts say these parallels suggest the use of automated strategies or shared risk-monitoring tools that flag protocol-level threats and trigger rapid de-risking. The activity implies that whale wallets may be running unified alert systems tuned to on-chain security signals rather than simple price movements.
Defi contagion risk and market implications
The incident underscores the structural risk in interconnected DeFi systems:
- A flaw in KelpDAO’s rsETH bridge led to unbacked tokens.
- Those tokens were accepted as collateral on a separate lending platform.
- The resulting exploit generated both a sharp token price drop and a large pool of bad debt.
The coordinated selling by large holders shows that sophisticated traders tend to exit aggressively when trust in collateral verification is damaged, prioritizing capital preservation over potential rebound gains.
What traders are watching next
Market participants active in these ecosystems are now focusing on several fronts:
- Collateral quality and bridges: Reassessing the security of not only lending platforms themselves but also the bridges and staking derivatives used as collateral.
- Governance response: Tracking how Aave’s governance and development teams manage the $177 million shortfall, including any use of backstop mechanisms and potential recovery plans.
- Whale flows: Monitoring large wallet activity following security alerts as a real-time gauge of sentiment among the most informed and best-equipped market participants.
The coming weeks will likely determine whether the protocol can contain the damage, restore confidence, and adjust its risk controls to better account for cross-protocol and cross-chain collateral failures.
Worried about hacks and price crashes? Learn key crypto safety strategies to better protect your portfolio from sudden market shocks.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
