Hackers Exploit Kelp DAO LayerZero Bridge, Trigger $8 Billion Aave TVL Plunge

Aave’s total value locked (TVL) plunged after hackers exploited Kelp DAO’s LayerZero-powered bridge and used stolen rsETH as collateral to borrow on Aave, triggering withdrawals and market freezes across interconnected DeFi lending.

“Bitget App Trade smarter Open [](https://www”

Bitget

Cointelegraph said Aave’s TVL dropped by nearly $8 billion over the weekend, falling from about $26.4 billion to $18.6 billion by Sunday, and that the incident left roughly $195 million in “bad debt” on the protocol.

blockchain.news

Coinpaper similarly reported that Aave’s TVL declined from approximately $26.4 billion to $18.6 billion by Sunday, “wiping out close to $8 billion in locked assets,” after the $293 million Kelp DAO exploit.

CoinDesk put the broader impact in larger terms, saying deposits exited Aave by $8.45 billion over 48 hours and that total value locked across decentralized finance slid by $13.21 billion.

Multiple outlets tied the chain reaction to the same core mechanics: hackers stole 116,500 rsETH tokens worth about $293 million and then borrowed wrapped Ether (wETH) on Aave v3.

Cointelegraph and TradingView both said the borrowing activity left Aave exposed to roughly $195 million in “bad debt,” while Coinpaper described the collateral compromise as leaving Aave with an estimated $195 million in bad debt.

In parallel, stablecoin lending pools on Aave v3 reached 100% utilization, with Cointelegraph saying that “more than $5.1 billion worth of stablecoins cannot be withdrawn until new liquidity arrives or borrows are repaid,” and Coinpaper adding that “more than $5.1 billion in stablecoins became temporarily unavailable for withdrawal.”

The collapse began with a Kelp DAO exploit that security reporting framed as a bridge-level failure, not a direct Aave compromise.

Cointelegraph said the incident began on Saturday when hackers stole “116,500 Kelp DAO Restaked ETH (rsETH) tokens worth about $293 million from Kelp DAO’s LayerZero-powered bridge” and used them as collateral on Aave v3 to borrow wrapped Ether (wETH).

bloomingbit

Coinpaper described the same sequence, saying “Hackers reportedly used stolen rsETH tokens as collateral on Aave v3 to borrow wETH,” leaving Aave exposed to “roughly $195 million in bad debt.”

DL News added more detail about Kelp DAO’s own framing, reporting that Kelp DAO wrote on X that it had “identified suspicious cross-chain activity involving rsETH” and that it had paused rsETH contracts while it investigated with security experts.

DL News also quoted Aave’s official position from its account, saying “Aave’s contracts have not been exploited and this is an exploit related to rsETH,” and it attributed confirmation to security firm Cyvers.

EGW.News provided a more granular timeline and mechanism, stating the attack occurred at “17:35 UTC via a forged cross-chain message in LayerZero (the lzReceive function)” and describing the attacker crafting a false instruction that allowed the Kelp DAO OFT adapter to mint “116,500 rsETH.”

That same outlet said the attacker “instantly deposited the stolen tokens into Aave (as well as into Compound V3 and Euler)” and borrowed “over $236 million worth of WETH/ETH,” which it said triggered the chain reaction.

After the exploit, Aave responded by freezing markets tied to rsETH and by pausing WETH reserves across multiple networks, while the stablecoin pools hit utilization ceilings that constrained withdrawals.

“Summary - Aave’s total value locked, or TVL, plunged by about $8 billion, highlighting liquidity risks across DeFi”

bloomingbit

Cointelegraph reported that “Aave has frozen several rsETH, wETH markets,” saying it froze the rsETH markets on both Aave v3 and v4 “to prevent any suspicious borrowing” and later stated that “rsETH on Ethereum mainnet remains fully backed by underlying assets.”

It added that “WETH reserves also remain frozen on Ethereum, Arbitrum, Base, Mantle and Linea,” and Coinpaper echoed the same precautionary steps, saying Aave froze rsETH markets on both v3 and v4 and that “WETH reserves also remain frozen across affected markets including Ethereum, Arbitrum, Base, Mantle and Linea.”

Cointelegraph and Coinpaper both tied the liquidity crunch to stablecoin pool utilization, with Cointelegraph saying Aave v3’s lending pools for USDt (USDT) and USDC (USDC) are now at 100% utilization and that “more than $5.1 billion worth of stablecoins cannot be withdrawn until new liquidity arrives or borrows are repaid.”

Coinpaper added a specific withdrawal constraint, reporting that “At one point, only $2,540 remained withdrawable from Aave’s $2.87 billion USDT pool.”

As withdrawals accelerated, token prices moved in ways that different outlets framed as limited relative to deposits, with CoinDesk saying the AAVE token was down about 2.5% over 24 hours while UNI and LINK were down less than 1%.

Other outlets emphasized sharper declines, with Cointelegraph saying the Aave (AAVE) token tanked nearly 20% from $112 on Saturday at 6:00 pm UTC to $89.5 about 25 hours later, and Coinpaper reporting it fell by almost 20% “from $112 on Saturday evening to around $89.50 the following day.”

While the underlying event was consistent—Kelp DAO’s rsETH bridge exploit cascading into Aave liquidity constraints—outlets diverged in how they framed systemic risk, causality, and what the incident meant for DeFi security.

CoinDesk emphasized a “$13.21 billion slide in total value locked” across DeFi and argued that token prices “have moved less sharply than deposits,” citing its own market data that AAVE was “down about 2.5% over 24 hours” while UNI and LINK were “down less than 1%.”

Coinpaper

Cointelegraph, by contrast, stressed the speed of contagion, saying “Aave’s TVL fall shows how rapidly risk from a single security incident can spread throughout the broader, interconnected DeFi lending market,” and it described the incident as a “first significant stress test” of Aave’s “Umbrella” security model introduced in June 2025.

Cointelegraph also reported that Aave defended its liquidation-based model in comments to Cointelegraph, framing it as “a core safety mechanism that protects lenders while limiting downside for borrowers,” and it noted Aave parted ways with Chaos Labs on April 6.

TradingView largely mirrored Cointelegraph’s mechanics, repeating that the incident began when hackers stole 116,500 rsETH worth about $293 million and used them as collateral to borrow wETH, but it added a specific market-data framing that Aave’s TVL “lost the top spot as the largest DeFi protocol.”

Blockchain.news leaned into a “bank run” narrative, stating “Aave just lost its crown as DeFi's largest protocol” and highlighting that “exactly $2,540 was available for withdrawal at one point,” while also asserting that the rsETH collateral became “essentially worthless for recovery purposes.”

Bitget’s piece introduced a different voice by quoting Francesco Andreoli’s explanation that the attackers “used Aave to borrow regular funds, creating ‘massive bad debt,’” and it described “$6.2 billion in net withdrawals from Aave” as users rushed to exit positions.

The immediate consequence of the Kelp DAO exploit was a freeze-and-wait posture: Aave’s stablecoin pools were at 100% utilization, and withdrawals depended on new liquidity or loan repayments, while other protocols paused bridge-related activity.

“Its TVL fell from $26”

Coinpaper

Cointelegraph said stablecoin pools for USDt and USDC were at 100% utilization and that “more than $5.1 billion worth of stablecoins cannot be withdrawn until new liquidity arrives or borrows are repaid,” and it added that several networks and protocols tied to rsETH or the LayerZero bridge have paused use of the bridge until the problem is resolved.

Cointelegraph

It named Curve Finance, Ethena, and BitGo’s Wrapped Bitcoin (WBTC) as among those pausing activity, and it reported that Aave froze rsETH markets on both v3 and v4 and that WETH reserves remained frozen on Ethereum, Arbitrum, Base, Mantle and Linea.

Coinpaper similarly said Aave froze rsETH and wETH markets and that “Several crypto networks and protocols connected to rsETH or LayerZero also paused activity,” while CoinDesk described protocols responding by freezing affected markets and “panicked users withdrew funds.”

Beyond Aave, DL News said Kelp DAO paused rsETH contracts while it investigated, and it reported that Cyvers confirmed the hack and said funds had been swapped back to Ethereum and Arbitrum.

Looking at the longer arc, Cointelegraph said the incident “marks the first significant stress test” of Aave’s “Umbrella” security model introduced in June 2025, and it referenced a Bank of Canada finding earlier this month that Aave avoided bad debt in its v3 market by using “overcollateralization, automated liquidations and other strategies.”

Meanwhile, EGW.News said Kelp DAO suspended the contracts and that “two additional attempts by the hacker (for about $200 million) were blocked successfully,” while also stating that “Asset recovery currently seems unlikely.”