TLDR
- KelpDAO’s bridge suffered a security breach resulting in losses between $292–$293 million, leading to a $13.21 billion decline in DeFi’s total value locked within two days
- Attackers obtained 116,500 rsETH tokens and exploited them as illegitimate collateral on Aave to extract funds, generating approximately $195 million in uncollateralized debt
- Aave Protocol’s TVL plummeted from $26.4 billion to $18.6 billion, causing it to lose its position as DeFi’s largest protocol
- Complete utilization of Aave’s USDT and USDC pools has trapped over $5.1 billion in stablecoins, making withdrawals impossible until liquidity improves
- Major DeFi tokens including AAVE, UNI, and LINK experienced relatively limited price declines despite unprecedented capital flight
A devastating $293 million security breach targeting KelpDAO’s bridge infrastructure last weekend set off one of the most significant capital withdrawals from decentralized finance platforms in recent history, erasing $13.21 billion from the sector’s total value locked in a mere 48-hour period.
The exploit unfolded Saturday when malicious actors successfully extracted 116,500 rsETH tokens — valued at approximately $293 million — from KelpDAO’s LayerZero-integrated bridge system. The attackers subsequently deployed these compromised tokens as collateral on Aave, a prominent DeFi lending protocol, enabling them to borrow wrapped Ether against the fraudulent backing.
Since the stolen rsETH lacked authentic underlying support, the borrowing activity saddled Aave with approximately $195 million in bad debt. The situation parallels depositing worthless assets at a financial institution and securing a legitimate loan against them.
Aave’s total value locked collapsed from approximately $26.4 billion to $18.6 billion by Sunday evening, based on DeFiLlama data. This dramatic contraction stripped Aave of its status as the DeFi ecosystem’s largest protocol by total deposits.
The entire DeFi landscape witnessed TVL shrink from $99.5 billion to $86.3 billion during the same timeframe. Protocols including Euler, Sentora, and Aave recorded double-digit percentage losses, with damage primarily concentrated in lending markets and restaking platforms.
The AAVE token suffered a nearly 20% decline, sliding from $112 on Saturday to roughly $89.50 within 24 hours. This price movement was partially fueled by substantial withdrawals from institutional participants. Blockchain analytics provider Lookonchain tracked MEXC exchange and Abraxas Capital as among the largest exit positions, removing $431 million and $392 million respectively.
Stablecoin Pools Frozen as Utilization Hits 100%
Aave’s USDT and USDC liquidity pools on version 3 have reached maximum 100% utilization rates. This critical threshold means more than $5.1 billion in stablecoins are presently inaccessible and unavailable for withdrawal until fresh liquidity arrives or outstanding loans get repaid. As of this writing, a mere $2,540 remained available for withdrawal from the $2.87 billion USDT pool.
Following the security incident, Aave implemented emergency freezes on rsETH markets across both v3 and v4 deployments. The protocol also suspended WETH reserves throughout Ethereum mainnet, Arbitrum, Base, Mantle, and Linea networks. Aave subsequently verified that rsETH on Ethereum mainnet maintains complete backing through legitimate underlying assets.
Numerous additional protocols have suspended their LayerZero bridge integrations, including Curve Finance, Ethena, and BitGo’s Wrapped Bitcoin offerings.
What Investigators Are Finding
Preliminary investigation by Peter Chung, research director at Presto Research, indicates the vulnerability may have originated within the bridge’s verification infrastructure rather than its core smart contract architecture. His assessment also emphasizes how interconnected DeFi protocols can amplify and transmit risk far beyond the initial breach point.
This event represents the first significant challenge to Aave’s “Umbrella” security framework, deployed in June 2025 to deliver automated safeguards against bad debt scenarios. The timing is particularly notable given Aave’s recent separation from risk management provider Chaos Labs on April 6, stemming from strategic disagreements regarding Aave v4’s development roadmap and budget allocation.
