TLDR
- KelpDAO’s bridge suffered a $292–$293 million security breach that caused total value locked in DeFi to plunge by $13.21 billion within 48 hours
- Attackers extracted 116,500 rsETH tokens and deposited them as collateral on Aave to withdraw legitimate funds, generating approximately $195 million in uncollateralized debt
- Total value locked on Aave plummeted from $26.4 billion to $18.6 billion, causing the protocol to surrender its position as DeFi’s largest platform
- Utilization rates on Aave’s USDT and USDC pools reached maximum capacity, effectively freezing more than $5.1 billion worth of stablecoins from withdrawal
- Leading DeFi tokens including AAVE, UNI, and LINK experienced relatively contained price declines given the magnitude of value outflows
A weekend security breach targeting KelpDAO’s bridge infrastructure resulted in $293 million in losses and set off one of the most significant capital flight events decentralized finance has witnessed, eliminating $13.21 billion in total value locked from DeFi platforms within a two-day period.
The exploitation began Saturday when attackers successfully withdrew 116,500 rsETH tokens—valued at approximately $293 million—from KelpDAO’s LayerZero-integrated bridge system. Following the theft, these tokens were deposited as collateral on Aave, a prominent DeFi lending protocol, allowing the attackers to extract wrapped Ether.
The stolen rsETH tokens carried no actual underlying value, which meant the borrowing activity created approximately $195 million in unbacked debt on Aave. The situation resembles depositing fraudulent collateral at a financial institution while withdrawing genuine assets against it.
Aave’s total value locked contracted from approximately $26.4 billion to $18.6 billion by Sunday, based on data from DeFiLlama. This reduction caused Aave to lose its ranking as the highest-capitalized DeFi protocol.
The broader DeFi ecosystem experienced TVL contraction from $99.5 billion to $86.3 billion during this timeframe. Platforms including Euler, Sentora, and Aave recorded substantial percentage declines, with lending and restaking protocols bearing the heaviest concentration of losses.
The AAVE token declined close to 20%, sliding from $112 on Saturday to approximately $89.50 within 24 hours. This movement coincided with significant withdrawal activity from institutional participants. Blockchain analytics platform Lookonchain tracked MEXC exchange and Abraxas Capital as two major entities withdrawing funds, removing $431 million and $392 million respectively.
Stablecoin Pools Frozen as Utilization Hits 100%
Aave’s USDT and USDC pools on version 3 have reached complete utilization. More than $5.1 billion in stablecoins remain inaccessible for withdrawal until fresh liquidity arrives or current borrowers settle their positions. During the most recent check, merely $2,540 remained available for withdrawal from the $2.87 billion USDT pool.
Following the attack, Aave implemented freezes on rsETH markets across both v3 and v4 versions. WETH reserves were similarly frozen across Ethereum, Arbitrum, Base, Mantle, and Linea networks. Aave subsequently verified that rsETH on Ethereum mainnet maintains full backing through underlying assets.
Multiple additional protocols suspended their LayerZero bridge operations, including Curve Finance, Ethena, and BitGo’s Wrapped Bitcoin service.
What Investigators Are Finding
Preliminary investigation conducted by Peter Chung, head of research at Presto Research, indicates the vulnerability may have originated in the bridge’s verification infrastructure rather than within its smart contract code. His analysis highlighted how interconnected DeFi protocols can amplify and distribute risk far beyond the initial compromise point.
This episode represents the inaugural major challenge to Aave’s “Umbrella” security framework, launched in June 2025 to deliver automated safeguards against bad debt scenarios. The timing follows Aave’s separation from risk service provider Chaos Labs on April 6, merely two weeks prior, stemming from disputes regarding Aave v4’s strategic direction and resource allocation.
