Aave saw its total value locked (TVL) plummet by $6.6 billion, dropping from $26.4 billion to nearly $20 billion. The AAVE token experienced a 16% decline. This dramatic outflow occurred after attackers exploited Kelp's bridge, draining 116,500 rsETH tokens. These stolen assets were then used as collateral on Aave V3 to borrow wrapped ether, creating a significant deficit. On-chain data indicates the Aave-specific borrow related to this exploit stands at approximately $196 million.
Aave, the largest lending protocol in decentralized finance, accepts user deposits to generate yield and allows borrowing against collateral. Kelp, a liquid restaking protocol, issues rsETH receipts for staked ether routed through EigenLayer. These rsETH tokens were then used as collateral on Aave. The exploit targeted Kelp's cross-chain bridge, allowing attackers to seize rsETH and leverage it on Aave. While Aave's founder stated the protocol's contracts were not compromised, the reliance on external liquid restaking tokens and the vulnerability of bridges highlight structural risks within the DeFi ecosystem. The situation raises questions about the adequacy of reserve coverage and potential losses for stkAAVE holders.