Key Takeaways
- An attacker exploited KelpDAO’s LayerZero bridge to create 116,500 counterfeit rsETH tokens valued at approximately $292 million
- Using worthless collateral, the exploiter withdrew roughly $190M in ETH from Aave, creating a deficit exceeding 112,000 rsETH
- Aave experienced approximately $9 billion in net withdrawals while overall DeFi total value locked plummeted $13 billion in two days
- Industry leaders formed “DeFi United” to address the crisis, with Lido, EtherFi, and Aave’s creator committing substantial ETH reserves
- A significant portion of stolen assets crossed to Bitcoin through Thorchain, complicating retrieval prospects
On April 18, 2026, a sophisticated attacker identified and leveraged a critical flaw in KelpDAO’s LayerZero bridge architecture, generating 116,500 rsETH tokens without legitimate underlying collateral.
Instead of immediately liquidating these fabricated tokens, the exploiter strategically deposited approximately 90,000 of them into Aave as loan collateral. Using this phantom backing, they successfully withdrew around $190 million in ETH and various digital assets spanning both Ethereum and Arbitrum networks.
The result was catastrophic for Aave: the protocol suddenly held collateral with zero intrinsic value. Alert platform participants recognized the danger and initiated rapid fund withdrawals, creating a scenario reminiscent of traditional banking panics.
Aave’s total value locked plummeted approximately $10 billion in the immediate crisis period. By April 21, net withdrawals reached roughly $9 billion, with overall TVL collapsing from above $17.5 billion to approximately $14.3 billion.
The contagion extended throughout the decentralized finance ecosystem. Combined total value locked across all DeFi lending platforms declined by approximately $13 billion during the 48 hours following public disclosure of the vulnerability.
Arbitrum’s security council responded swiftly, successfully freezing 30,766 ETH—approximately $71 million worth—connected to the malicious activity. Unfortunately, substantial portions of the pilfered funds migrated to Bitcoin via Thorchain, dramatically reducing prospects for complete asset recovery.
Industry Coordination Through DeFi United
Aave alongside its service ecosystem initiated a unified response mechanism dubbed “DeFi United,” concentrating efforts on recapitalizing rsETH reserves and containing bad debt proliferation throughout lending markets.
Lido Finance emerged as the initial major contributor. The Lido Labs Foundation submitted a formal proposal allocating up to 2,500 stETH, valued between $5.7–$6 million, toward a specialized recovery fund. Deployment remains contingent upon securing sufficient total commitments to address the complete deficit.
EtherFi subsequently announced plans to contribute 5,000 ETH toward protecting platform participants and preventing bad debt accumulation. Aave creator Stani Kulechov personally committed an additional 5,000 ETH to the effort.
“Aave is my life’s work and we’re working nonstop to find the best possible outcome for users,” Kulechov posted on X.
Lido’s participation carries strategic motivations. The organization operates an EarnETH vault with direct rsETH exposure, and absent coordinated remediation, vault participant losses could approximate 9,000 ETH.
Protocol Halts rsETH Operations Across Networks
Aave implemented emergency measures to contain additional damage by suspending rsETH reserve operations across Ethereum Core, Arbitrum, Base, Mantle, and Linea networks pending recovery planning completion.
The comprehensive deficit exceeds 112,000 rsETH according to Aave’s official incident documentation. DeFi United’s strategic focus centers not on recovering stolen assets but rather on ecosystem stabilization through new capital infusions.
Aave indicated additional commitments await formal confirmation before public announcement.
