Following a security breach that resulted in the loss of $291 million from Kelp DAO’s infrastructure, Aave users experienced significant difficulties withdrawing their funds due to a liquidity crunch. The attack involved exploiting a bridge designed for transferring an asset known as rsETH between networks on Saturday, leading Aave to suspend markets associated with this token, as stated by the lending platform in an X post.
Kelp DAO announced via an X post that it had temporarily halted rsETH contracts across Ethereum’s mainnet and several layer-2 scaling networks during its investigation into suspicious activity.
“Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate,” Kelp DAO stated on April 18, 2026. “We are working with@LayerZero_Core,@unichain, our auditors, and top security experts on RCA.”
The exploit led to a surge in the utilization rate of Aave’s core lending pool to 100%, indicating that users who deposited Ethereum or wrapped Ethereum had minimal liquidity for withdrawal, as per Aave’s data. Before Aave restricted market access, PeckShield detected a transaction involving 116,500 rsETH, valued at $291 million, directed to a new wallet.
Instead of directly stealing the rsETH from the compromised bridge, attackers borrowed regular funds on Aave, leading Francesco Andreoli, Consensys and MetaMask’s head of developer relations, to describe this as creating “massive bad debt” in an X post. (Note: Consensys is among many investors supporting an editorially independent Decrypt.)
Aave’s governance token dropped by 16% to $90.13 on Sunday, while Ethereum fell by 2% to $2,300 during the same timeframe according to CoinGecko.
As users struggled with withdrawals from Aave, they began converting their holdings into stablecoins for loans, exacerbating liquidity issues, as noted by monetsupply.eth, Spark’s pseudonymous strategy head, in an X post. The repercussions of the Kelp DAO exploit led to substantial withdrawals across various DeFi protocols, including those not directly affected, resulting in a net withdrawal of $6.2 billion from Aave alone by early Sunday, according to 0xngmi, co-founder of DefiLlama.
“The situation with Aave is deteriorating,” Quit, pseudonymous head of strategy at DeFi project Spark, commented on an X post. “Several pools are nearing full utilization, risking further bad debt for lenders.” Lending rates rose to between 10-15% during this period.
Blockchain researcher Stacy Muur suggested that the exploit exploited a single point of failure by using a “phantom” message, misleading Kelp DAO’s bridge into releasing rsETH on Ethereum without removing equivalent tokens from Unichain layer-2.
Despite these challenges, some sought solutions, like Justin Sun, Tron founder and crypto entrepreneur, who attempted to negotiate with the attackers, highlighting their difficulty in spending the stolen funds. “How much [do] you want?” he queried them on X. “It’s not worth bringing down both Aave and Kelp DAO over this incident.”