Aave TVL Plummets $6.6B After Kelp Bridge Hack Exploit
Aave lost $6.6B in TVL after attackers drained 116,500 rsETH from Kelp's bridge and used the tokens as collateral to borrow $196M in WETH. The exploit exposed structural risk in DeFi lending, causing AAVE to drop 16% and daily fees to spike. Founder Stani Kulechov confirmed contracts were not compromised, but bad debt remains.
Quick Take
Aave TVL dropped from $26.4B to $20B in hours after Kelp exploit.
Attackers drained $292M rsETH from bridge, used as collateral on Aave.
AAVE token fell 16%, liquidations surged as depositors fled.
Umbrella reserve may not fully cover $196M borrow deficit.
Market Impact Analysis
BearishThe exploit exposed systemic risk in DeFi lending, leading to massive TVL outflows and confidence shake in liquid restaking tokens as collateral.
Speculation Analysis
Key Takeaways
- Aave's TVL collapsed from $26.4B to $20B after attackers exploited Kelp's bridge, depositing stolen rsETH as collateral.
- The attacker drained $292M in rsETH, then borrowed $196M in WETH on Aave, leaving a potential deficit for stkAAVE holders.
- AAVE price fell 16% to $92 as liquidations spiked and depositors fled, exposing systemic risk in DeFi lending protocols.
- The incident underscores the dangers of accepting liquid restaking tokens dependent on external bridge security.
What Happened
On Saturday, attackers tricked Kelp's cross-chain bridge into releasing 116,500 rsETH—worth $292 million—to a wallet they controlled. They immediately deposited the stolen tokens as collateral on Aave V3 and borrowed wrapped ether (WETH). Within hours, depositors withdrew funds en masse, slashing Aave's total value locked by $6.6 billion. Founder Stani Kulechov confirmed Aave's smart contracts were untouched, but the protocol now faces a $196 million borrowing hole it didn't create. The exploit hit Aave's largest lending pair—WETH and its collateral—accelerating the panic.
The Numbers
Aave's TVL tumbled from $26.4 billion to nearly $20 billion, a 25% drop. The AAVE token crashed 16% to $92, while daily fees surged to $1.99 million as liquidators scrambled. The attacker drained 116,500 rsETH ($292 million) from Kelp, then borrowed $196 million in WETH on Aave alone. Total bad debt across lending protocols, including Compound and Euler, topped $236 million. Liquidity evaporated as the market repriced the risk of liquid restaking tokens.
Why It Happened
Aave whitelisted rsETH, a liquid restaking token, as collateral without accounting for the possibility that Kelp's bridge—a separate infrastructure—could be compromised. When attackers minted unbacked rsETH via the bridge exploit, the token's value on Aave collapsed instantly. Risk models assumed pegged value under normal conditions, not a bridge hack. Concentrated borrowing against WETH amplified losses, as that pair makes up nearly 40% of Aave's book. The flaw lies in DeFi's cross-contract dependencies.
Broader Impact
This exploit lays bare the systemic fragility of lending protocols that rely on externally-issued receipt tokens. Any liquid staking derivative or restaking token introduces bridge risk beyond the lending platform's control. Stani Kulechov's suggestion that Umbrella might not cover the deficit raises the stakes: stkAAVE holders may bear losses, setting a precedent for risk socialization. Other protocols with LRT exposure must now reassess collateral risk parameters or face similar deposit runs.
What to Watch Next
- Whether Aave's Umbrella reserve can fully cover the $196 million shortfall or if a governance proposal will require stkAAVE dilution or slashing.
- Changes to Aave's collateral acceptance, including potential removal or heavy discounting of liquid restaking tokens.
- How Compound, Euler, and other lending platforms with rsETH exposure adjust risk parameters and whether depositors pull funds preemptively.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
