Where Did Aave’s $15B Go? KelpDAO Exploit Sends Billions Into Safer DeFi Bets

Key Takeaways

Attackers exploited a bridge flaw to mint fake rsETH worth $293 million and used it as collateral on Aave, creating major bad debt.
The incident triggered panic withdrawals, with Aave losing $15.1 billion in deposits in just days.
Users shifted funds to perceived safer platforms like SparkLend, which gained over $1.3 billion.

It didn’t take weeks. It took days.

Earlier this week, on April 18, Aave—one of the largest and most trusted lending platforms in decentralized finance—lost $15.1 billion in deposits in just 3.5 days.

Total deposits fell from $48.5 billion to $30.7 billion, wiping out roughly a third of the platform’s capital almost overnight.

Some of that money didn’t leave DeFi altogether. It moved—quickly—into platforms perceived as safer, including SparkLend, which absorbed about $1.3 billion during the same period.

This wasn’t a random sell-off. It was a reaction to a single exploit that exposed a deeper issue: how fragile DeFi systems can become when collateral assumptions break down.

The rsETH Exploit That Triggered Chain Reaction on Aave

The crisis traces back to April 18, when attackers targeted KelpDAO’s LayerZero bridge.

By exploiting a flaw, they minted roughly 116,500 rsETH tokens—valued at about $293 million—without any real ETH backing.

These tokens appeared legitimate at first glance, and that was enough.

The attacker quickly deposited the unbacked rsETH as collateral on Aave’s V3 and V4 markets across Ethereum and Arbitrum.

Aave’s pricing systems initially treated the tokens as valid, allowing the attacker to borrow between $190 million and $236 million in WETH and wstETH.

By the time the rsETH was identified as worthless, the damage was done.

Aave was left holding substantial bad debt, with estimates ranging from about $123 million—if losses are spread across all rsETH holders—to as much as $230 million if concentrated in certain markets.

Importantly, Aave’s core smart contracts were not exploited. The vulnerability came from accepting rsETH as reliable collateral in the first place.

A Bank Run in DeFi Form

The technical details mattered less to users than the headline risk: bad debt inside a major protocol.

As news spread, depositors moved fast. Within hours, users began withdrawing funds to avoid potential exposure.

Key lending pools, particularly WETH markets, hit 100% utilization, effectively locking withdrawals for some users.

That’s when the situation escalated.

Over the next 48 hours, billions left the platform. By the end of the three-and-a-half-day window, Aave had lost $15.1 billion in deposits.

Aave outflow. — Aave Sees $15.1 Billion Outflow. Credit: Aave.

The AAVE token also took a hit, dropping around 15%–20% during the turmoil.

The impact wasn’t isolated. Morpho saw roughly $1.5 billion in outflows, and even protocols with no direct exposure felt the pressure as confidence across DeFi weakened.

What unfolded looked less like a technical glitch and more like a classic bank run—except this time, it played out on-chain.

Why Bridges and Collateral Keep Breaking

The rsETH incident fits into a broader pattern.

Cross-chain bridges remain one of the most vulnerable parts of the DeFi stack.

They are complex, rely on multiple layers of infrastructure, and often introduce hidden points of failure.

Liquid restaking tokens like rsETH add another layer of risk.

They offer yield, but depend on a combination of bridges, oracles, and staking systems—all of which must function correctly at the same time.

When one piece fails, the effects don’t stay contained.

Earlier in 2026, other exploits—such as the Drift incident on Solana and attacks on smaller lending platforms—had already drained hundreds of millions.

Each new incident reinforces the same lesson: interconnected systems amplify risk.

In this case, a bridge exploit quickly turned into a collateral crisis, then into a liquidity event affecting multiple protocols.

Capital Doesn’t Leave—It Rotates

While Aave was losing deposits, other platforms were gaining them.

SparkLend emerged as one of the main beneficiaries, with its total value locked rising from $1.9 billion to $3.2 billion. That shift wasn’t accidental.

Spark had already removed rsETH from its system months earlier after identifying potential risks.

Its design emphasizes tighter controls, including supply caps, isolated markets, and more conservative collateral parameters.

That approach limited its exposure—and made it a destination when users started looking for safer ground.

The movement highlights a key dynamic in DeFi: capital is highly mobile. It doesn’t disappear in a crisis; it reallocates.

A Stress Test for DeFi’s Next Phase

The scale and speed of Aave’s outflow underline how quickly trust can erode—and how difficult it is to restore once shaken.

For users, the takeaway is straightforward. High yields come with layered risks, especially when collateral depends on complex, cross-chain systems.

Diversification, closer scrutiny of collateral types, and awareness of bridge exposure are no longer optional.

For protocols, the pressure is mounting to improve.

Better risk frameworks, clearer collateral standards, and more robust insurance mechanisms are becoming essential.

Without them, even relatively small exploits can cascade into system-wide events.

The $15.1 billion exit from Aave is more than a one-off shock. It’s a reminder of how interconnected DeFi has become—and how quickly those connections can transmit stress.

DeFi isn’t disappearing. But it is being tested.

And the protocols that emerge stronger will likely be the ones that prioritize resilience over rapid growth.