
Investors pull more than $8.6bn from Aave after Kelp hack


In two days the total value locked (TVL) at leading crypto-lending service Aave plunged from $26.3bn to $17.7bn, according to DefiLlama.

Source: DefiLlama. 

The AAVE token fell by more than 15% to $91. Its market capitalisation slid from $1.8bn to $1.3bn. 

Hourly chart AAVE/USDT, Binance. Source: TradingView

In Aave v3, pools for USDT and USDC are fully exhausted. Assets worth $5.1bn are frozen; they can be withdrawn only once fresh liquidity arrives or loans are repaid.

Source: Aave

The Kelp hack and its fallout 

The plunge in Aave’s metrics was triggered by a hack of the Kelp liquid restaking protocol. On April 18 attackers siphoned 116,500 rsETH worth $293m from Kelp DAO’s LayerZero-based cross-chain bridge.

The thieves deposited the stolen tokens into Aave v3 as collateral and borrowed wETH against them. On Aave they borrowed about $196m; their total positions across Aave, Compound and Euler reached roughly $236m.

According to Lookonchain, the operation left the project with a balance-sheet “hole” of around $195m — funds that are already irrecoverable.

Curve Finance founder Mikhail Egorov also noted that Aave and other protocols now hold hundreds of millions of dollars in dubious collateral and bad debt. 

“Aave has rsETH that cannot be sold, and it has no ETH because it is all lent out. No one can withdraw Ethereum,” he added.

At first the team said the Umbrella reserve fund would cover any deficit. It later softened this to “exploring avenues for compensation”. 

The rsETH markets in v3 and v4 are frozen to prevent suspicious activity. wETH reserves are locked on Ethereum, Arbitrum, Base, Mantle and Linea.

Pending clarification, several projects suspended use of the Kelp DAO bridge: Curve Finance, Ethena, and other networks and protocols that work with rsETH or LayerZero.

Outflows also hit Solana. Journalist Colin Wu noted that on several USDC markets in Kamino — the network’s leading lending protocol — deposit rates and utilisation ratios spiked. 

The USDC reserve in the $178m Prime Market is fully exhausted — there are no free funds — and utilisation in several other vaults exceeded 95%. 

TVL across DeFi as a whole fell from $99.4bn to $85.8bn. 

Source: DefiLlama

LayerZero’s investigation 

Kelp DAO is still determining the root cause. Meanwhile, LayerZero developers shared early findings from their internal probe. 

They said North Korean hackers were behind the attack — in particular the TraderTraitor group, implicated in the hacks of Ronin ($625m), Bybit ($1.5bn) and Drift Protocol ($280m). 

LayerZero explained that the attackers gained access to a list of RPC servers used by LayerZero Labs’ decentralised verifier network (DVN). They then “poisoned” two of them, causing a fake cross-chain message to be delivered into the DVN.

The attackers also launched a DDoS attack on the clean servers so the network would rely on the poisoned ones.

Kelp used a single, non-redundant scheme, so the false request passed and the bridge unlocked the tokens.

“Exploiting a single point of failure meant that an independent verifier could not intercept and reject the forgery. LayerZero and other external parties had previously informed the project about best practices for DVN diversification. Despite these recommendations, Kelp opted for a 1/1 DVN scheme,” the experts noted. 

They stressed that the contamination did not affect other assets or applications. LayerZero continues to work with law enforcement on the investigation and is tracking the stolen funds.
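
The single-point-of-failure argument above, as an added illustration that is not code from LayerZero, Kelp or the original article: a simplified Python model of a verifier that counts its RPC quorum against all configured endpoints, and a destination check that requires several independent verifiers to agree. The function names, endpoint names, hash values and quorum sizes are constructed assumptions.

```python
from collections import Counter

# Constructed sample values, not real hashes or endpoints.
REAL, FORGED, NOT_FOUND = "a" * 64, "f" * 64, "not-found"


def observe(rpc_answers, quorum):
    """One verifier's view of the source chain for a given message.

    rpc_answers maps endpoint -> hash it reported, or None on timeout.
    The quorum is a fixed count over ALL configured endpoints, so taking
    honest endpoints offline cannot lower the bar (fail closed).
    """
    votes = Counter(h for h in rpc_answers.values() if h is not None)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= quorum else None


def accept(delivered_hash, verifier_views, threshold):
    """Destination check: `threshold` distinct verifiers must each have
    observed exactly the hash that was delivered."""
    agreeing = [v for v, seen in verifier_views.items()
                if seen and seen == delivered_hash]
    return len(agreeing) >= threshold


def scenarios():
    # Verifier A: two endpoints poisoned, the two clean ones under DDoS.
    a_rpcs = {"rpc1": FORGED, "rpc2": FORGED, "rpc3": None, "rpc4": None}
    # Verifiers B and C run separate infrastructure and see no such message.
    clean = {"rpc1": NOT_FOUND, "rpc2": NOT_FOUND, "rpc3": NOT_FOUND}

    a_fail_open = observe(a_rpcs, quorum=1)    # trusts whoever still answers
    a_fail_closed = observe(a_rpcs, quorum=3)  # majority of 4 configured
    b = c = observe(clean, quorum=2)

    return {
        "1of1_forged": accept(FORGED, {"A": a_fail_open}, threshold=1),
        "2of3_forged": accept(FORGED, {"A": a_fail_open, "B": b, "C": c}, 2),
        "a_fail_closed": a_fail_closed,
        "2of3_genuine": accept(REAL, {"A": REAL, "B": REAL, "C": REAL}, 2),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In this model the forged message is accepted only in the 1/1 configuration; either a fail-closed RPC quorum inside the verifier or a second independent verifier is enough to reject it.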

In April, an Ethereum Foundation fellow identified 100 North Korean IT agents in Web3 companies. 
