The DeFi lending platform Aave has seen its total value locked (TVL) plummet by $6.6 billion, not due to a direct breach of its own systems but because of a security exploit at another protocol. On April 18, Aave’s TVL stood at $26.4 billion, dropping to approximately $20 billion in the early U.S. hours of Sunday, according to DefiLlama data.
The decline was accompanied by a 16% drop in the price of the AAVE token, bringing it down to $92, while daily fees surged to $1.99 million due to increased liquidations over the weekend.
The mass withdrawal stems from concerns about a loophole that became apparent when attackers siphoned off 116,500 rsETH from Kelp’s cross-chain bridge on Saturday. This stolen amount, valued at roughly $292 million, was then used as collateral in Aave V3, allowing the attackers to borrow wrapped ether.
Aave reported an estimated $196 million of this borrowing specifically within its platform, with total positions across Aave, Compound, and Euler reaching around $236 million.
Kelp operates as a liquid restaking protocol on Ethereum, transforming staked ETH through EigenLayer for additional yields, issuing receipts known as rsETH in exchange.
The stolen rsETH was deposited into Aave V3 by the attackers, leveraging it to secure loans against wrapped ether. This breach highlights vulnerabilities in the system, as Aave had initially promised that its Umbrella reserve would address any deficits but later softened this stance by considering alternative ways to manage the shortfall.
Aave’s extensive loan book encompasses 22 different blockchain networks; however, Ethereum alone constitutes $14.24 billion of the $17.82 billion in outstanding borrows, with wrapped ETH representing 39.49% of all loans on the platform. This concentration makes it especially susceptible to such targeted attacks.
Stani Kulechov, Aave’s founder, confirmed that while the exploit was external and did not compromise Aave’s contracts directly, accepting liquid restaking tokens as collateral exposed depositors to significant risk when these tokens lost their backing through a compromised bridge.
The incident underscores a critical flaw in how DeFi protocols model risks, particularly by assuming stable pegs under normal conditions without accounting for the possibility of complete devaluation due to exploits.
The community is now focused on whether Aave’s Umbrella reserve can sufficiently cover this financial gap and if stkAAVE holders supporting that reserve will bear the losses. As trader Altcoin Sherpa pointed out, given that Aave serves as a foundational element in DeFi, any risks associated with it reflect broader systemic vulnerabilities.