$292 Million KelpDAO Exploit Triggers $8.45 Billion Aave Deposit Run, Followed By $300 Million Bailout

A $292 million exploit of KelpDAO’s LayerZero bridge in April 2026 triggered an $8.45 billion, 48-hour deposit run on Aave, exposing what CoinDesk described as vulnerabilities to bank-run-style stress.

“Aave chief defends protocol's 'resilience' after $8”

@coindesk

CoinDesk said Aave survived the crisis only after a chaotic, human-led $300 million emergency bailout, including 25,000 ETH from the Aave DAO and 5,000 ETH from founder Stani Kulechov.

@coindesk

At the Proof of Talk event in Paris last week, Stani Kulechov defended Aave’s “resilience,” telling CoinDesk that "Aave's existing V3 infrastructure has seen multiple market cycles,".

CoinDesk also said the April crisis peaked when the $292 million exploit began with an RPC-spoofing and DDoS attack targeting LayerZero’s verifier nodes on KelpDAO rather than a bug in Aave's code.

CoinDesk reported that Stani Kulechov blamed “third-party” entities for decentralized finance’s vulnerabilities, while independent data highlighted gaps in Aave’s own risk architecture.

CoinDesk quoted Kulechov arguing, "They are actually third-party dependencies that are related to more traditional security that might have an impact across the DeFi space, as we've seen recently."

@coindesk

CoinDesk said risk modeling firm LlamaRisk later revealed that the hackers used the exploit to mint worthless collateral, deposit it into Aave, and drain authentic wrapped Ether (wETH), leaving Aave V3 saddled with an estimated $123.7 million in bad debt.

CoinDesk also said banking analysts at the Bank Policy Institute pointed out that Aave's inadequate insurance exposed how DeFi platforms are vulnerable to bank runs in detriment of their users.

In response to the April crisis, CoinDesk said Aave is planning a V4 upgrade to replace pooled token design with a modular hub-and-spoke system intended to localize risk, impose targeted premiums and freeze specific collateral lines.

“The head of the Belgian banking sector federation stands firm: the protocol recently sealed with the government on cash access is beneficial to consumers”

Le Soir

CoinDesk reported that Kulechov conceded the architectural threat of contagion requires a complete overhaul, and he said the new system would enable the core protocol to autonomously levy localized risk premiums and freeze specific collateral lines.

CoinDesk quoted Kulechov concluding, "I think that is the key to building resilient software," as he tied the redesign to an auditable and public system for risk analysis.

CoinDesk framed the stakes as whether institutional allocators will continue to overlook these multi-billion dollar “stress tests” while waiting for V4 to launch.