Aave Records $6B TVL Drop as Kelp Hack Exposes Structural Risk at DeFi Lender

The Kelp DAO exploit did not stop at Kelp. Within hours of the $292 million bridge attack on April 18, stolen rsETH tokens were deposited as collateral on Aave — the largest lending protocol in DeFi by total value locked — and used to borrow real assets against fraudulent backing. By Sunday morning, Aave had recorded a $6 billion TVL collapse and was sitting on an estimated $196 million in bad debt.

In Brief

• Aave's TVL dropped from $26.4B to approximately $20B after attackers used stolen rsETH as collateral to borrow WETH, generating $196M in uncollateralized debt concentrated in the rsETH-WETH pair on Ethereum mainnet.
• The April 18 exploit targeted Kelp DAO's LayerZero-powered cross-chain bridge, releasing 116,500 rsETH — roughly 18% of the token's entire circulating supply — to a wallet pre-funded via Tornado Cash.
• Aave's Umbrella insurance reserve may be insufficient to cover the shortfall, raising the possibility that stkAAVE stakers could absorb the residual losses directly.

How the Attack Cascaded into Aave

The Kelp DAO exploit drained $292 million from a LayerZero-powered cross-chain bridge on April 18, releasing 116,500 rsETH to an attacker wallet that had been funded through Tornado Cash ten hours earlier. The stolen rsETH represented approximately 18% of the token's total circulating supply — a shock large enough to make the asset effectively unbacked.

But the attack did not end at the bridge. Within hours, the fraudulently minted rsETH was deposited into Aave's Ethereum lending markets. Because Aave's oracle and collateral systems had no real-time mechanism to recognize that rsETH's underlying reserves had been compromised, the protocol processed the loans as legitimate. Borrowers extracted real WETH against synthetic, unbacked collateral — leaving Aave holding approximately $196 million in bad debt when positions could not be liquidated against actual value.

A $6 Billion TVL Collapse

Market participants responded immediately. Aave's TVL, which had stood at $26.4 billion on the morning of April 18, fell to approximately $20 billion by Sunday — a $6 billion decline driven by mass withdrawals from Ethereum-based lending pools. The AAVE governance token dropped 16% over the same period.

The bad debt is concentrated in the rsETH-WETH pair on Ethereum mainnet. Aave's Umbrella reserve — a pool of protocol-owned and staked assets designed to absorb shortfalls — may not be large enough to cover a deficit at this scale, raising the prospect that stkAAVE stakers could bear a portion of the residual loss.

The Structural Problem: LRT Collateral Risk

The incident has reignited long-running debates about the use of liquid restaking tokens (LRTs) as collateral in DeFi lending markets. Unlike major assets such as ETH or WBTC, LRTs are backed by cross-chain restaking positions whose integrity depends on multiple bridge and oracle systems operating correctly — simultaneously.

When Kelp DAO's bridge was exploited, rsETH did not immediately reprice to zero on Aave's oracle — creating a window in which the attacker could extract real value against an asset that had already lost its backing. This is what risk managers call collateral validity risk: the scenario where an asset appears to have value on-chain, but its reserves have already been compromised off-chain or across chains.

DeFi protocols that accept LRTs as collateral are now under pressure to implement faster oracle circuit breakers, tighter collateral concentration limits, and real-time cross-chain reserve monitoring — none of which are straightforward to build at production scale without introducing new points of failure.

The Bigger Picture

The Kelp-Aave incident is not simply the story of one compromised bridge and one unlucky lending protocol. It illustrates a structural tension at the core of DeFi's composability model: the more protocols interconnect, the greater the blast radius of any single failure.

rsETH's ability to function as Aave collateral while its underlying reserves were being drained was not a bug in Aave's code — it was a gap in the collective assumption that collateral prices reflect collateral reality. Bridged and restaked assets break that assumption by adding dependency chains that no single protocol can fully monitor in isolation.

As DeFi continues to layer restaking, bridging, and lending on top of one another, the industry will need not just better audits of individual protocols, but coordinated real-time risk infrastructure capable of detecting cross-chain failures before they propagate into lending markets.

Sources

• CoinDesk — Aave Records $6B TVL Drop as Kelp Hack Exposes Structural Risk, Apr 19 2026
• Kelp DAO — kelpdao.xyz
• Aave Protocol — aave.com

Want more Web3 × AI security coverage like this?

Join our Telegram community for real-time alerts on the biggest exploits, funding rounds, and AI breakthroughs in the space.

BlockAI News

Web3 × AI news, analysis & research. Daily edge for builders & investors. 🔗 blockainews.com

Telegram