
$292M Kelp DAO Hack Triggers Aave Crisis, rsETH Market Freeze — Here’s What Really Happened

Published 20 April 2026
Giuseppe Ciccomascolo

Key Takeaways

  • The entire exploit hinged on a 1-of-1 verifier setup, proving that weak configuration can undermine otherwise robust protocols.
  • Even when blockchains are secure, cross-chain layers introduce attack surfaces that can cascade across ecosystems.
  • Aave didn’t collapse due to a bug; it froze due to a lack of liquidity, showing that market dynamics can be as dangerous as exploits.
  • Because DeFi protocols are interconnected, one exploit can impact multiple platforms, even those not directly exposed.

On April 18, 2026, a single exploit sent shockwaves across decentralized finance. What initially looked like an isolated bridge incident quickly spiraled into a full-blown liquidity crisis on Aave, one of DeFi’s largest lending protocols.

Within hours, billions in liquidity vanished, markets froze, and users found themselves unable to withdraw funds. Across Crypto Twitter, a clear realization began to take hold: this was not just another hack, but a systemic stress test for DeFi.

To understand why this situation escalated so rapidly, we need to unpack not just the exploit itself, but the chain reaction it triggered across DeFi.

How the $292M Kelp DAO rsETH Hack Happened (Step-by-Step Breakdown)

At the center of everything is Kelp DAO’s rsETH, a liquid restaking token connected to Ethereum via LayerZero.

But this wasn’t a typical smart contract exploit. It was far more subtle, and arguably more dangerous.

The attack unfolded in stages:

  • Attackers compromised RPC nodes used by LayerZero’s verification system.
  • They deployed malicious binaries to manipulate transaction data.
  • A coordinated DDoS attack forced fallback to compromised infrastructure.
  • The system accepted forged cross-chain messages.
  • Result: 116,500 rsETH minted without any backing.

From the outside, everything looked legitimate. On-chain, the transactions were “valid.”

But underneath, the verification layer had been compromised. And that made all the difference.

LayerZero Bridge Security Risks: Was This a Decentralization Failure?

As details emerged, a bigger debate started to take shape, one that goes beyond this single exploit. Some analysts argue the issue wasn’t just misconfiguration, but structural centralization.

Key concerns raised:

  • Many LayerZero integrations rely on very few verifier nodes (DVNs).
  • In some cases, just one or two nodes validate transactions.
  • These nodes are often operated by centralized entities.

In the rsETH case:

  • A LayerZero Labs-operated DVN node was compromised.
  • It emitted a forged message.
  • Downstream protocols (like Aave) accepted it as truth.

This has led to criticism that:

  • The system may be marketed as decentralized.
  • But in practice, it behaves more like a trusted middleware layer.

The takeaway here isn’t black and white, but it raises an important question: If one node can break the system, how decentralized is it really?

Did Poor Security Configuration Cause the rsETH Exploit?

Beyond architecture, another critical factor appears to be configuration choices.

Many bridge systems, including LayerZero, offer strong security features. But those features often come with trade-offs.

Common trade-offs teams face:

  • Multi-verifier setups vs faster deployment
  • Redundancy vs lower operational complexity
  • Higher costs vs scalability

Aave updated on rsETH incident. | Credit: Aave X profile

In this case, Kelp DAO used a 1-of-1 DVN configuration. That meant:

  • No redundancy
  • No independent verification
  • No fail-safe

Some experts suggest this may reflect a broader pattern: teams are often encouraged to prioritize ease of use, while advanced security features are optional and sometimes skipped.

That creates a dangerous dynamic: the safest system isn’t always the one that gets deployed.
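
To make the 1-of-1 problem and the operator-concentration concern above concrete, here is a simplified threshold-verification model. It is an added example, not LayerZero or Kelp DAO code. The names `VerifierSet`, `accept`, and `operators_to_compromise` are hypothetical, the keys are constructed sample values, and HMAC stands in for whatever attestation mechanism a real verifier uses.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierSet:
    keys: dict        # verifier name -> attestation key (constructed sample values)
    operators: dict   # verifier name -> entity that runs it
    threshold: int    # distinct valid attestations needed to accept a message

def attest(key: bytes, payload: bytes) -> str:
    # HMAC is a stand-in for a real verifier's signature or on-chain confirmation.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def accept(vs: VerifierSet, payload: bytes, attestations: dict) -> bool:
    """Accept only if `threshold` configured verifiers attested to this exact payload."""
    valid = {name for name, tag in attestations.items()
             if name in vs.keys
             and hmac.compare_digest(tag, attest(vs.keys[name], payload))}
    return len(valid) >= vs.threshold

def operators_to_compromise(vs: VerifierSet) -> int:
    """Fewest operating entities that together control enough verifiers to meet the threshold."""
    covered = 0
    per_operator = Counter(vs.operators.values()).most_common()
    for count, (_, n) in enumerate(per_operator, 1):
        covered += n
        if covered >= vs.threshold:
            return count
    raise ValueError("threshold exceeds number of verifiers")

def forged_accepted(vs: VerifierSet, compromised: set) -> bool:
    """Compromised verifiers attest to a forged message; honest ones stay silent on it."""
    forged = b"mint 116500 rsETH"   # constructed message with no source-chain backing
    atts = {n: attest(vs.keys[n], forged) for n in compromised}
    return accept(vs, forged, atts)

# Constructed configurations for comparison.
ONE_OF_ONE = VerifierSet({"dvn-a": b"k1"}, {"dvn-a": "op-1"}, 1)
TWO_OF_THREE = VerifierSet(
    {"dvn-a": b"k1", "dvn-b": b"k2", "dvn-c": b"k3"},
    {"dvn-a": "op-1", "dvn-b": "op-2", "dvn-c": "op-3"}, 2)
# Three verifiers, but two share an operator: one entity still meets the threshold.
CONCENTRATED = VerifierSet(
    TWO_OF_THREE.keys, {"dvn-a": "op-1", "dvn-b": "op-1", "dvn-c": "op-3"}, 2)

if __name__ == "__main__":
    for label, vs in [("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE),
                      ("2-of-3, shared operator", CONCENTRATED)]:
        print(label, "| operators to compromise:", operators_to_compromise(vs),
              "| forged accepted if dvn-a is compromised:",
              forged_accepted(vs, {"dvn-a"}))
```

The useful audit number is the operator count, not the verifier count: a 2-of-3 set whose verifiers share an operator is no stronger against a single-entity compromise than the 1-of-1 setup.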

How Hackers Used Fake rsETH to Borrow $236M from Aave

Once the attacker had unbacked rsETH, the next step was straightforward, and devastating.

They turned to Aave. Here’s what happened:

  • Deposited fake rsETH as collateral on Aave V3.
  • Borrowed approximately $236 million in WETH.
  • Extracted real liquidity using worthless collateral.

At this point, the exploit crossed a critical boundary:

  • It moved from a bridge failure
  • Into a lending protocol crisis

Aave had unknowingly become the attacker’s exit liquidity.

Why Aave Froze rsETH and WETH Markets (And Triggered Panic)

Aave confirmed that its core protocol was not directly compromised in the incident, emphasizing that the issue originated from the rsETH asset itself following the KelpDAO bridge exploit. As a precautionary measure, the platform has frozen rsETH markets across both V3 and V4, preventing new deposits and borrowing activity tied to the asset.

The protocol also halted WETH reserves across multiple networks, including Ethereum, Arbitrum, Base, Mantle, and Linea, to limit further exposure. Aave stated that rsETH on Ethereum mainnet remains fully backed, but noted that it is continuing to analyze post-exploit borrowing activity and assess potential risks. The team added that if bad debt emerges, it will explore mechanisms to cover the deficit.

But these actions had a side effect: users interpreted the freeze as a systemic risk signal, confidence dropped sharply, and withdrawals accelerated.

In DeFi, perception drives behavior and behavior drives liquidity.

Aave Liquidity Crisis Explained: Why $6 Billion Left in 24 Hours

Once panic started, large players moved quickly. What followed was a classic liquidity run:

  • Whales and institutions withdrew billions.
  • Major players like Justin Sun and exchanges exited early.
  • Aave lost $5-6 billion in TVL within a day.

This created a familiar but brutal dynamic:

  • Early users exited successfully.
  • Later users faced empty pools.
  • Bots competed to withdraw any new liquidity instantly.

It wasn’t just a withdrawal wave: it was a race.

Liquidity Crisis Pushes Aave Markets to the Brink

Crypto commentator Duo Nine argues that the situation on Aave is far more severe than many realize, framing it primarily as a liquidity collapse rather than a technical failure. According to his analysis, the rsETH exploit triggered a rapid withdrawal wave led by large players, which drained billions from the protocol and pushed core markets like ETH, USDT, and USDC to 100% utilization.

In this state, users are effectively unable to withdraw funds because all available liquidity has already been borrowed. He warns that this creates a dangerous feedback loop: as liquidity disappears, liquidations become harder to execute, increasing the risk of additional bad debt over time. Duo Nine also highlights that while some ETH users may still exit at a loss via secondary markets, stablecoin depositors are largely stuck, with limited options.

Beyond the immediate liquidity crunch, he raises broader concerns about risk management and governance, suggesting that onboarding rsETH at scale may have exposed the protocol to outsized risk. In his view, the combination of locked funds, rising bad debt, and shaken confidence points to a system under significant stress, with uncertainty around how losses will ultimately be absorbed.

What 100% Utilization on Aave Means And Why Withdrawals Failed

As liquidity disappeared, Aave markets hit a critical limit: 100% utilization.

In simple terms:

  • All deposited assets were fully borrowed
  • No liquidity remained for withdrawals
  • The system effectively locked up

Real-world impact:

  • $3 billion in USDT stuck
  • $2 billion in USDC stuck
  • ETH withdrawals halted

Users weren’t losing funds, but they couldn’t access them. And in a fast-moving market, that can be just as damaging.
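
The mechanics of 100% utilization and the withdrawal race can be shown with a small model. This is an added example, not Aave's contract logic: the `Reserve` class, the `simulate_run` helper, the 95% alert threshold, and all amounts are constructed assumptions, and partial payouts are a simplification.

```python
from dataclasses import dataclass

@dataclass
class Reserve:
    supplied: int   # total owed to depositors
    borrowed: int   # amount currently lent out

    @property
    def available(self) -> int:
        return self.supplied - self.borrowed   # idle liquidity that can leave

    @property
    def utilization(self) -> float:
        return self.borrowed / self.supplied if self.supplied else 0.0

    def withdraw(self, amount: int) -> int:
        """Pay out only what idle liquidity allows; lent-out funds cannot be recalled."""
        paid = min(amount, self.available)
        self.supplied -= paid
        return paid

def simulate_run(reserve: Reserve, requests: list, alert_at: float = 0.95):
    """Process withdrawals in arrival order.

    Returns (results, alert) where results holds
    (user, requested, paid, utilization_after) and alert names the request
    that first pushed utilization to or past `alert_at`.
    """
    results, alert = [], None
    for user, amount in requests:
        paid = reserve.withdraw(amount)
        results.append((user, amount, paid, round(reserve.utilization, 4)))
        if alert is None and reserve.utilization >= alert_at:
            alert = user
    return results, alert

# Constructed scenario: 70% utilization before the run, amounts in arbitrary units.
REQUESTS = [("whale", 200), ("fund", 80), ("retail-1", 50), ("retail-2", 30)]

def demo():
    return simulate_run(Reserve(supplied=1000, borrowed=700), REQUESTS)

if __name__ == "__main__":
    results, alert = demo()
    for row in results:
        print(row)
    print("first alert at:", alert)
```

Nothing in the model changes the borrowed amount, yet utilization climbs from 70% to 100% purely because deposits leave, which is why a utilization alert set below 100% gives a monitor time to act before withdrawals start failing.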

Why Aave Couldn’t Process Liquidations

One of the most dangerous consequences wasn’t immediately visible. Liquidations, the backbone of lending protocols, stopped working.

Normally:

  • Falling collateral triggers liquidation
  • Assets are sold
  • Debt is repaid

But in this case:

  • No liquidity = no buyers
  • No buyers = no liquidations

This creates a compounding risk as positions become undercollateralized, losses accumulate and bad debt increases.

The system doesn’t crash instantly: it weakens over time.

Can Users Withdraw Funds from Aave Right Now?

For users, the experience varied dramatically depending on their assets. Some had limited options:

  • ETH depositors could sell aETH/wETH tokens on DEXs or exit at a discounted price
  • Others were fully stuck. USDT and USDC depositors had no viable exit routes and funds were effectively locked in the protocol.

Desperate strategies emerged:

This wasn’t a clean exit; it looked more like damage control.

DeFi Contagion Explained: How Aave’s Crisis Spread Across Protocols

Aave isn’t isolated; it’s deeply embedded in DeFi. When it froze, the effects spread quickly. Why contagion happens:

  • Many protocols rely on Aave for yield, collateral, and liquidity.

The result:

  • Dependent protocols experienced disruptions
  • Users across ecosystems were affected
  • Liquidity fragmentation increased

This is the hidden risk of composability: Systems that work together can fail together.

Who Will Cover Aave’s $200M+ Bad Debt?

At the heart of the crisis lies an uncomfortable but unavoidable question: who ultimately absorbs the losses?

The numbers are already significant. Current estimates place the damage between $177 million and $236 million in bad debt, largely concentrated in Aave’s WETH markets. But unlike traditional finance, there is no central authority stepping in to make users whole. In DeFi, losses don’t vanish: they are redistributed across the system.

There are a few potential backstops, though none are sufficient on their own.

First, Aave’s Safety Module (Umbrella Vault) acts as the protocol’s primary insurance layer. It currently holds around $50 million, which can be slashed to cover part of the deficit. However, that only accounts for a fraction of the total losses.

Next is the Aave DAO Treasury, which controls roughly $83.5 million in liquid assets, including stablecoins and AAVE tokens. While this provides additional coverage, deploying treasury funds is a governance decision, and not without trade-offs for the protocol’s long-term sustainability.

That leaves the final layer: users and stakers. If the remaining gap isn’t fully covered by the Safety Module and treasury, losses may be socialized, meaning participants in the system, particularly WETH suppliers and stakers, could face a “haircut.”

It’s a stark reminder of how DeFi works under stress. There are no bailouts, no guarantees, just a hierarchy of risk. And when things go wrong, the cost doesn’t disappear. It simply moves.

Aave Governance and rsETH Listing: What Went Wrong

The incident has also raised governance concerns. Key questions remaining:

  • Why was rsETH onboarded at scale?
  • Were risk limits too aggressive?
  • Were incentives properly aligned?

Some critics suggest:

  • Potential conflicts of interest
  • Insufficient risk evaluation
  • Overconfidence in new collateral types

Whether proven or not, this highlights a broader issue: Decentralization doesn’t guarantee good decision-making.

Despite the severity, a total collapse appears unlikely. Supporting factors:

  • $27 billion total TVL
  • Losses represent a small percentage
  • Safety mechanisms are active
  • Damage is partially contained

But challenges remain:

  • Trust has been shaken
  • Liquidity has thinned
  • Recovery could take months

This is less a collapse and more a stress fracture.

David Schwartz Raises Concerns Over Security Trade-Offs

Ripple’s ex-CTO, David Schwartz, pointed to a deeper issue in how cross-chain systems are implemented in practice. Reflecting on his own evaluations of bridging infrastructure, he noted that many platforms are designed with strong security protections but often position those features as optional.

Risks of DeFi. | Credit: David Schwartz X profile

According to Schwartz, teams are frequently encouraged to prioritize ease of deployment and scalability, even when that means avoiding more complex security configurations. He suggested that this trade-off between convenience and robustness may leave systems more exposed than they appear on the surface.

His remarks add weight to the idea that the rsETH incident may not just be about a sophisticated attack, but also about how real-world deployment decisions can weaken otherwise secure architectures.

Key Lessons from the Kelp DAO and Aave Crisis

The events surrounding the KelpDAO exploit and its impact on Aave highlight deeper structural issues within DeFi that go beyond a single incident. What unfolded was not just a technical failure, but a convergence of risks across infrastructure, collateral design, and market behavior. These developments offer important insights into how vulnerabilities can emerge and propagate in highly interconnected systems.

  • Bridge security is a systemic risk: Off-chain infrastructure can break on-chain assumptions.
  • Decentralization can be misleading: Node concentration introduces hidden risks.
  • Security trade-offs have real costs: Convenience often comes at the expense of resilience.
  • Liquidity is everything: Without it, systems freeze, not fail gracefully.
  • Composability amplifies failures: One weak link can affect the entire ecosystem.

A record year for DeFi exploits

The Kelp DAO incident is part of a much larger pattern that has defined 2026 so far. In just a few months, the DeFi ecosystem has seen over $1 billion in losses across multiple exploits, highlighting a sharp rise in both frequency and scale of attacks.

April alone accounts for some of the largest breaches, led by KelpDAO ($290M) and Drift Protocol ($285M), while earlier months saw repeated incidents across bridges, wallets, and lending platforms. From a $284M loss tied to a Trezor-related incident in January to mid-sized exploits across March and February, the distribution shows that vulnerabilities are not isolated to one type of protocol.

What stands out is not just the total value lost, but the consistency of these events. Attacks are no longer rare shocks; they are becoming a recurring feature of the ecosystem, reinforcing concerns that infrastructure risks, not just smart contracts, are now the primary battleground in DeFi security.

What Happens Next After the Aave Market Freeze

The situation is still evolving, but several outcomes are possible. Likely next steps:

  • Liquidity support from major market participants
  • Negotiations with the attacker
  • Governance decisions on loss distribution
  • Gradual reopening of markets

Meanwhile, the investigations continue, security practices are being reassessed and bridge designs face renewed scrutiny.

This wasn’t just a hack. It was a chain reaction:

  • A bridge exploit
  • Triggered a lending crisis
  • That exposed system-wide vulnerabilities

What makes this event different is how it failed: not with a sudden collapse, but with a slow, grinding freeze.

And that may be the most important takeaway of all: In DeFi, the biggest risk isn’t always losing your money; it’s losing access to it.

FAQs

What exactly happened in the Kelp DAO rsETH hack?

At its core, the Kelp DAO incident was not a traditional smart contract exploit, but a highly sophisticated attack on the infrastructure that verifies cross-chain transactions. Attackers managed to compromise the verification layer used by LayerZero’s Decentralized Verifier Network (DVN), allowing them to forge messages that appeared legitimate on-chain. As a result, they were able to mint approximately 116,500 rsETH tokens without any real backing. These tokens looked valid to downstream protocols, which is what made the attack so effective, and so dangerous.

How did this exploit affect Aave?

The real damage began when the attacker used the fake rsETH as collateral on Aave. Because Aave recognized rsETH as a valid asset, it allowed the attacker to borrow around $236 million worth of WETH. This effectively turned worthless, unbacked tokens into real, liquid value. Once Aave detected the issue, it froze rsETH and WETH markets to prevent further damage, but that action also triggered panic among users, leading to massive withdrawals and a sharp drop in liquidity.

Why were users unable to withdraw their funds from Aave?

The inability to withdraw funds wasn’t due to a direct hack of user balances, but rather a liquidity crunch. As large users rushed to exit the protocol, available liquidity in key markets was rapidly drained. This pushed Aave into a state of 100% utilization, meaning all deposited funds were already lent out. With no liquidity left in the pool, withdrawals became impossible, effectively locking user funds inside the protocol.

Was LayerZero itself hacked?

LayerZero has stated that its core protocol was not directly exploited. Instead, the issue arose from compromised off-chain infrastructure, specifically the RPC nodes used by its DVN, combined with a weak configuration on Kelp DAO’s side. However, the incident has sparked broader debate about whether the system is as decentralized as it claims to be, especially given the reliance on a small number of verifier nodes.

Disclaimer: The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Giuseppe Ciccomascolo

Giuseppe Ciccomascolo began his career as an investigative journalist in Italy, where he contributed to both local and national newspapers, focusing on various financial sectors.

Upon relocating to London, he worked as an analyst for Fitch's CapitalStructure and later as a Senior Reporter for Alliance News. In 2017, Giuseppe transitioned to covering cryptocurrency-related news, producing documentaries and articles on Bitcoin and other emerging digital currencies. He also played a pivotal role in establishing the academy for a cryptocurrency exchange website. Crypto remained his primary area of interest throughout his tenure as a writer for ThirdFloor.
