Aave's total value locked (TVL) plummeted by nearly $8 billion over the weekend, following a massive $293 million exploit on Kelp DAO. Hackers borrowed funds on Aave using collateral from the exploit, leaving an estimated $195 million in bad debt on the protocol and triggering widespread withdrawals.
DeFiLlama data reveals Aave's TVL dropped from approximately $26.4 billion to $18.6 billion, losing its position as the largest decentralized finance protocol. Aave v3's lending pools for USDt and USDC are now at 100% utilization, with over $5.1 billion in stablecoins unable to be withdrawn.
The incident underscores how quickly security risks can cascade through the interconnected DeFi lending market. The exploit began when hackers stole 116,500 Kelp DAO Restaked ETH (rsETH) tokens, worth around $293 million, from Kelp DAO’s bridge. These were then used as collateral on Aave v3 to borrow wrapped Ether (wETH).
Crypto analytics platform Lookonchain reported this created approximately $195 million in bad debt on Aave, contributing to a nearly 20% drop in the Aave (AAVE) token's value. Major withdrawals included $431 million from MEXC exchange and $392 million from Abraxas Capital.
Several crypto protocols tied to rsETH or the LayerZero bridge, including Curve Finance, Ethena, and BitGo’s Wrapped Bitcoin, have paused bridge usage. In response, Aave froze rsETH markets on Aave v3 and v4 to prevent further suspicious borrowing, stating that rsETH on Ethereum mainnet remains fully backed.