
A $292 million exploit of KelpDAO’s rsETH bridge on April 18 has triggered the largest DeFi liquidity crisis of 2026. It drained $8.45 billion from Aave, one of DeFi’s largest lending protocols, in under 48 hours, freezing approximately $5 billion in USDT and USDC deposits, and pulling $13.21 billion in total value locked (TVL) from the broader DeFi ecosystem.
rsETH is a liquid restaking token (LRT), a yield-bearing derivative of Ether (ETH) that represents restaked positions on the EigenLayer protocol. At 17:35 UTC on April 18, an attacker exploited Kelp’s LayerZero V2 bridge on the Unichain-to-Ethereum route, which was configured as a 1-of-1 DVN, meaning a single verifier node was the only checkpoint required to authenticate cross-chain messages, according to the official Aave incident report published April 20.
A DVN (Decentralised Verifier Node) is the off-chain entity responsible for validating cross-chain messages in LayerZero’s infrastructure. A single-verifier setup means one compromised node is sufficient to authorise a fraudulent transfer. The attacker exploited this configuration to release 116,500 rsETH, which is roughly 18% of the token’s circulating supply, without any corresponding assets being locked on the source chain.
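The single-verifier weakness described above can be checked mechanically before a route goes live. The following is an added example, not code from Kelp, LayerZero or Aave: it models a quorum of required verifiers plus a threshold of optional ones (the field names are assumptions, and the routes and verifier names are constructed) and flags any route that one compromised verifier can satisfy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    # Assumed shape: required verifiers must all attest, plus at least
    # `optional_threshold` of the optional ones.
    required: frozenset
    optional: frozenset = frozenset()
    optional_threshold: int = 0

def is_verified(cfg, attesters):
    """Apply the quorum rule to the set of verifiers that attested a message."""
    attesters = frozenset(attesters)
    return (cfg.required <= attesters
            and len(attesters & cfg.optional) >= cfg.optional_threshold)

def min_compromise(cfg):
    """Fewest distinct verifiers that must be compromised to pass the quorum."""
    # A verifier listed as both required and optional is one party, not two.
    overlap = len(cfg.required & cfg.optional)
    return len(cfg.required) + max(0, cfg.optional_threshold - overlap)

def audit(routes, floor=2):
    """Return (route, reason) for every route weaker than `floor` verifiers."""
    findings = []
    for name, cfg in sorted(routes.items()):
        if cfg.optional_threshold > len(cfg.optional):
            findings.append((name, "threshold exceeds optional verifiers"))
        elif min_compromise(cfg) < floor:
            findings.append((name, f"quorum forgeable with {min_compromise(cfg)} verifier(s)"))
    return findings

# Constructed sample routes; verifier names are placeholders.
ROUTES = {
    "unichain->ethereum (1-of-1)": VerifierConfig(frozenset({"dvn-a"})),
    "overlapping-lists": VerifierConfig(frozenset({"dvn-a"}), frozenset({"dvn-a", "dvn-b"}), 1),
    "split-trust": VerifierConfig(frozenset({"dvn-a", "dvn-b"}),
                                  frozenset({"dvn-c", "dvn-d", "dvn-e"}), 2),
}

if __name__ == "__main__":
    for route, reason in audit(ROUTES):
        print(f"WEAK  {route}: {reason}")
```

The "overlapping-lists" route shows why counting list entries is not enough: it names two verifiers, yet the same party satisfies both the required and the optional condition.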
The fake, unbacked tokens were immediately deposited into Aave V3 and V4 as collateral, and approximately $190–$236 million in wrapped Ether (WETH) was borrowed against them and removed from the protocol, according to Aave’s incident report. Aave’s contracts were not compromised. The Guardian froze all rsETH and wrsETH markets at 18:52 UTC.
Curve Finance founder Michael Egorov commented on the incident in a post on X. He said:
“All issues like this should be prevented BEFORE they happen, not AFTER. Number of single points of failure should be reduced, not increased. When these points of failure are unavoidable – trust should be split. If there’s a reliance on infrastructure – we should share best practices how to configure it. Not to mention that code should be very well checked – everyone gets that already.”
As news of the bad debt spread, a classic bank-run dynamic followed. Whales, including wallets linked to MEXC exchange, rapidly exited. A wallet identified by onchain analysts as the HTX Recovery address, linked to Justin Sun, withdrew $274 million in USDT from Aave between 19:12 and 19:17 UTC, just 21 minutes after the rsETH market freeze.
Sun has not commented. Aave’s WETH, USDT, and USDC pools all reached 100% utilisation, the point at which no withdrawals are possible, leaving roughly $5 billion in deposits effectively locked. CertiK researchers described the situation as “serious trouble.”
Aave now faces bad debt of between $123 million and $230 million, according to Aave’s April 20 incident report. The final figure depends on how KelpDAO allocates the shortfall across its rsETH holders: whether losses are spread across all rsETH or confined to L2 deployments.
A coalition of DeFi protocols built an emergency escape hatch in under 24 hours. The infrastructure, built by Fluid, 1inch, and collaborators, allows Aave WETH lenders to convert their locked aWETH into wstETH or weETH collateral in a single transaction, at a discount of approximately 2.21%, compared to early secondary-market exits that cleared near 23% below par. Mantle confirmed full network security and is coordinating a recovery plan with Aave, including potential treasury participation, according to Mantle’s official statement.
The KelpDAO exploit is now 2026’s largest DeFi hack, narrowly surpassing Drift Protocol’s $285 million April 1 incident. Combined, more than $577 million has been drained from Solana and Ethereum DeFi in under three weeks.
Editorial Note: This news article has been written with assistance from AI. Edited & fact-checked by the Editorial Team.