TLDR
- A $292–$293 million exploit of KelpDAO’s bridge caused a $13.21 billion drop in total DeFi value locked (TVL) over 48 hours
- Hackers stole 116,500 rsETH tokens and used them as fake collateral on Aave to borrow funds, creating ~$195 million in bad debt
- Aave’s TVL fell from $26.4 billion to $18.6 billion, losing its spot as the largest DeFi protocol
- Aave’s USDT and USDC pools hit 100% utilization, meaning over $5.1 billion in stablecoins cannot be withdrawn right now
- DeFi tokens AAVE, UNI, and LINK saw only modest price drops despite the massive capital outflow
A $293 million hack of KelpDAO’s bridge over the weekend triggered one of the largest DeFi capital exits in recent memory, wiping out $13.21 billion in total value locked across decentralized finance platforms in just 48 hours.
Update: Aave's TVL has dropped to $17.947B, down $8.45B over the past 2 days.
The total TVL of all DeFi protocols across all chains has also dropped from $99.497B to $86.286B, a decline of $13.21B.https://t.co/mxLuMwJ8LU https://t.co/p1DRnv5gqj pic.twitter.com/fFyhjhjOLE
— Lookonchain (@lookonchain) April 20, 2026
The attack began on Saturday when hackers stole 116,500 rsETH tokens — worth around $293 million — from KelpDAO’s LayerZero-powered bridge. They then used those stolen tokens as collateral on Aave, a leading DeFi lending platform, to borrow wrapped Ether.
Because the stolen rsETH had no legitimate backing, the borrowing left Aave with roughly $195 million in bad debt. Think of it like depositing counterfeit cash at a bank and taking out a real loan against it.
Aave’s TVL dropped from about $26.4 billion to $18.6 billion by Sunday, according to DeFiLlama. That decline knocked Aave off its position as the largest DeFi protocol by deposits.
Across all of DeFi, TVL fell from $99.5 billion to $86.3 billion in the same window. Double-digit percentage drops were recorded across platforms including Euler, Sentora, and Aave, with losses concentrated in lending and restaking strategies.
The AAVE token fell nearly 20%, dropping from $112 on Saturday to around $89.50 a day later. That move was driven in part by large withdrawals from major players. Crypto analytics firm Lookonchain identified MEXC exchange and Abraxas Capital as two of the biggest exits, pulling $431 million and $392 million respectively.
Stablecoin Pools Frozen as Utilization Hits 100%
Aave’s USDT and USDC pools on version 3 are now at 100% utilization. That means more than $5.1 billion in stablecoins are currently locked and cannot be withdrawn until new liquidity enters or existing loans are repaid. At the time of writing, only $2,540 was available to withdraw from the $2.87 billion USDT pool.
In response to the exploit, Aave froze rsETH markets on both its v3 and v4 platforms. It also froze WETH reserves across Ethereum, Arbitrum, Base, Mantle, and Linea. Aave later confirmed that rsETH on Ethereum mainnet remains fully backed by underlying assets.
Several other protocols also paused their use of the LayerZero bridge, including Curve Finance, Ethena, and BitGo’s Wrapped Bitcoin.
What Investigators Are Finding
Early analysis from Peter Chung, head of research at Presto Research, suggests the issue may have started in the bridge’s verification layer rather than its smart contracts. He also noted that the event shows how tightly connected DeFi protocols can spread risk well beyond the original point of failure.
This incident is the first major stress test of Aave’s “Umbrella” security model, introduced in June 2025 to provide automated protection against bad debt. It also comes just two weeks after Aave parted ways with risk service provider Chaos Labs on April 6, following disagreements over Aave v4’s direction and budget.
