Aave Crashes Nearly 20% as $292 Million Kelp DAO Exploit Triggers DeFi-Wide Liquidity Crisis
April 19, 2026 10:31 pm
The DeFi space took a major hit this weekend, and the damage is still spreading.
Kelp DAO, one of Ethereum’s largest liquid restaking protocols, was exploited for approximately $292 million after an attacker spoofed cross-chain messages through LayerZero’s bridge system. The stolen haul: 116,500 rsETH tokens, roughly 18% of the token’s entire circulating supply.
But the exploit itself is only part of the story. What happened next sent ripple effects through some of the biggest names in decentralized finance.
The attacker didn’t just drain the tokens and disappear. They deposited the stolen rsETH as collateral on major lending protocols including Aave V3, Compound V3, and Euler, then borrowed approximately $236 million in ETH against it. That created a mountain of bad debt that Aave is now scrambling to contain.
Coin Bureau laid out the severity of the situation:
⚠️ALERT: $AAVE is now down -19% today after a $292M Kelp DAO rsETH exploit triggered a full-blown liquidity crisis.
Aave's ETH pool just hit 100% utilization. That means one thing: there's almost no ETH left to withdraw.
Here's what happened:
Attacker drained 116,500 rsETH… pic.twitter.com/t6zfxN9qDI
— Coin Bureau (@coinbureau) April 19, 2026
That 100% utilization figure is the detail that matters most here. When a lending pool hits full utilization, nobody can withdraw their funds. That’s not a minor technical hiccup. That’s a liquidity crisis, and it’s the kind of event that shakes confidence across the entire DeFi ecosystem.
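To make the utilization mechanics concrete, here is an added example (not from the article or from any protocol's code) that models a single ETH lending pool and shows why withdrawals fail at 100% utilization and how unbacked collateral turns into bad debt. The pool size, the pre-existing loans, the 0.75 loan-to-value and the 1 rsETH = 1 ETH mark are constructed assumptions; the 116,500 rsETH and roughly 74,000 ETH figures are the ones reported in this article, collapsed into one pool for simplicity.

```python
from dataclasses import dataclass, field

@dataclass
class LendingPool:
    """Toy single-asset (ETH) lending pool; all parameters are constructed."""
    ltv: float = 0.75      # assumed loan-to-value, not a real market setting
    cash: float = 0.0      # ETH that can be withdrawn or borrowed right now
    collateral: dict = field(default_factory=dict)  # account -> collateral value in ETH
    debt: dict = field(default_factory=dict)        # account -> ETH owed

    def borrowed(self) -> float:
        return sum(self.debt.values())

    def utilization(self) -> float:
        total = self.cash + self.borrowed()
        return self.borrowed() / total if total else 0.0

    def supply(self, amount: float) -> None:
        self.cash += amount

    def withdraw(self, amount: float) -> bool:
        if amount > self.cash:  # lent-out ETH is not in the pool to hand back
            return False
        self.cash -= amount
        return True

    def borrow(self, account: str, collateral_eth: float, amount: float) -> bool:
        if amount > self.cash or amount > collateral_eth * self.ltv:
            return False
        self.collateral[account] = self.collateral.get(account, 0.0) + collateral_eth
        self.debt[account] = self.debt.get(account, 0.0) + amount
        self.cash -= amount
        return True

    def bad_debt(self, recovery: dict) -> float:
        """Debt left uncovered when collateral realizes recovery[account] of its mark."""
        return sum(max(0.0, owed - self.collateral[acct] * recovery.get(acct, 1.0))
                   for acct, owed in self.debt.items())

def run_scenario() -> dict:
    pool = LendingPool()
    pool.supply(100_000)                           # constructed pool size
    pool.borrow("ordinary_users", 40_000, 26_000)  # constructed pre-existing loans
    before = pool.utilization()
    # Article figures: 116,500 rsETH posted, about 74,000 ETH borrowed.
    # Assumption: 1 rsETH is marked at 1 ETH and all borrowing hits one pool.
    pool.borrow("rseth_position", 116_500, 74_000)
    return {"before": before, "after": pool.utilization(),
            "withdraw_1_eth": pool.withdraw(1),
            "bad_debt_eth": pool.bad_debt({"rseth_position": 0.0})}
```

Setting the rsETH position's recovery to 0.0 models collateral with no backing; a risk team would vary that value and the collateral mark to size exposure.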
Aave’s response was immediate: freeze rsETH markets across V3 and V4. SparkLend and Fluid followed suit. Lido paused earnETH deposits because of rsETH exposure. Even Ethena temporarily shut its LayerZero bridges as a precaution. The protocol-level dominoes fell fast.
The AAVE token took a beating as the fallout spread across DeFi markets.
CoinGecko captured the damage:
$AAVE is down 17.9% today following bad debt triggered by the ~$292M rsETH exploit on Kelp DAO. pic.twitter.com/nZ3iwJBi8Y
— CoinGecko (@coingecko) April 19, 2026
That nearly 18% single-day decline wiped approximately $6 billion from Aave’s total value locked. That kind of TVL drop doesn’t just hurt one protocol. It sends a signal to the entire market that cross-chain infrastructure still carries serious risk, even for the most battle-tested lending platforms in DeFi.
Crypto Briefing reported on the technical details of how the attack was executed:
Kelp DAO’s liquid restaking protocol experienced a $292 million exploit through LayerZero’s cross-chain messaging system. The attacker spoofed verification messages to fraudulently transfer 116,500 rsETH tokens, representing approximately 18% of the total 630,000 token supply.
The perpetrator manipulated LayerZero’s cross-chain verification system by fabricating legitimate transfer requests from another blockchain, enabling unauthorized token drainage.
Stolen funds flowed into lending protocols where the attacker deposited rsETH as collateral across Aave V3, Compound V3, and Euler, accumulated approximately 74,000 ETH, and generated $236 million in debt positions and $280 million in bad debt.
This is now the largest DeFi exploit of 2026, surpassing the Drift Protocol breach on April 1 by a few million dollars. And it comes during a brutal stretch: over $600 million has been stolen from DeFi protocols across more than 10 different platforms in the last two weeks alone.
The Kelp DAO team managed to pause the protocol’s contracts 46 minutes after the initial drain. Two follow-up attempts, each targeting another $100 million in rsETH, were successfully blocked. That’s a small silver lining in an otherwise ugly weekend for DeFi security.
For Ethereum holders and DeFi users watching this unfold, the takeaway is clear: the cross-chain bridges connecting these protocols remain the weakest link in the system. The technology keeps getting more sophisticated, and unfortunately, so do the people trying to break it.
