Aave Exploit: $293M Kelp DAO Hack Triggers DeFi Crisis

Largest 2026 exploit forces protocol overhaul and $71M court battle
Sk Jabedul Haque
Jun 29, 2026
    Aave, the largest DeFi lending protocol, faces its biggest crisis yet after a $293 million Kelp DAO bridge exploit drained rsETH collateral, leaving $177-200 million in bad debt across Aave's wETH pool and triggering an $8.45 billion deposit run that stripped the protocol of its top DeFi ranking.

    Aave, the world's largest decentralized lending protocol, is reeling from the fallout of the largest DeFi exploit of 2026. On April 18, attackers exploited a vulnerability in Kelp DAO's LayerZero-powered bridge to mint 116,500 unbacked rsETH tokens worth approximately $293 million. The stolen collateral was used to borrow wrapped ether from Aave's lending pools, leaving the protocol with an estimated $177-200 million in bad debt across its wETH market.

    What Happened

    On April 18, 2026, North Korea's Lazarus Group exploited a single-signer DVN (Decentralized Verifier Network) on Kelp DAO's LayerZero bridge, minting 116,500 unbacked rsETH tokens worth approximately $292 million. The attackers used the fraudulent rsETH as collateral on Aave to borrow $236 million in wrapped ether (wETH), leaving Aave with $177-200 million in bad debt across its wETH lending pool. Aave's total value locked plummeted from $26.4 billion to $17.9 billion — a 33% drop that cost the protocol its position as the largest DeFi platform. The AAVE token fell 16% as panic withdrawals accelerated. Aave immediately froze rsETH markets and initiated emergency governance procedures to contain the damage. Galaxy Research classified the attack as a "textbook" bridge exploit enabled by a single point of failure in LayerZero's verification layer.
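
An added example (not from the article, Aave, Kelp DAO or LayerZero) of two checks a collateral review could run on a bridged asset: how many verifier keys must be compromised to approve a message, and whether minted supply exceeds locked backing. The config schema, verifier names and balances are hypothetical; only the 116,500 gap echoes the article's figure.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PathwayConfig:
    """Verifier setup for one bridge pathway (hypothetical schema for this example)."""
    name: str
    required: tuple          # every listed verifier must attest
    optional: tuple = ()     # any `optional_threshold` of these must also attest
    optional_threshold: int = 0

def min_keys_to_forge(cfg: PathwayConfig) -> int:
    """Fewest distinct verifier keys whose compromise lets a forged message pass."""
    required = set(cfg.required)
    # A required verifier that is also in the optional set counts toward both.
    overlap = len(required & set(cfg.optional))
    return len(required) + max(0, cfg.optional_threshold - overlap)

def unbacked_supply(locked_on_source: int, minted_by_chain: dict) -> int:
    """Tokens minted on destination chains beyond what the source chain has locked."""
    return max(0, sum(minted_by_chain.values()) - locked_on_source)

def audit(cfg, locked_on_source, minted_by_chain, min_keys=2):
    """Return findings a collateral-listing review would raise for this pathway."""
    findings = []
    keys = min_keys_to_forge(cfg)
    if keys < min_keys:
        findings.append(f"{cfg.name}: {keys} verifier key(s) suffice to approve a message")
    gap = unbacked_supply(locked_on_source, minted_by_chain)
    if gap:
        findings.append(f"{cfg.name}: {gap} tokens minted without backing")
    return findings

# Constructed sample data: verifier names and balances are illustrative only.
SINGLE = PathwayConfig("pathway-a", required=("dvn-1",))
QUORUM = PathwayConfig("pathway-b", required=("dvn-1", "dvn-2"),
                       optional=("dvn-2", "dvn-3", "dvn-4"), optional_threshold=2)

if __name__ == "__main__":
    for line in audit(SINGLE, 500_000, {"chain-x": 400_000, "chain-y": 216_500}):
        print(line)
    for line in audit(QUORUM, 500_000, {"chain-x": 400_000, "chain-y": 100_000}):
        print(line)
```

Run periodically against live supply and lock balances, the backing check gives a lending market a signal to freeze the asset as collateral before borrowing against unbacked tokens proceeds.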

    Why It Matters

    The Kelp DAO exploit revealed systemic risks in DeFi's reliance on cross-chain bridges and restaked assets. For the broader DeFi ecosystem managing $80+ billion in total value, the incident demonstrated how a single bridge vulnerability can cascade across protocols, triggering bank-run dynamics that threaten financial stability. The exploit forced Aave Labs to fundamentally rewrite its collateral and listing standards — expanding risk assessment beyond financial metrics to include cybersecurity and smart contract architecture reviews. Regulators and institutional investors are now scrutinizing the DeFi lending sector's operational resilience more closely than ever. Aave's TVL dropped from above $32 billion to $20.3 billion on Ethereum mainnet, while total DeFi TVL fell from roughly $95 billion to $80 billion.

    What's Next

    A New York federal court has delayed ruling on Aave's emergency motion to unfreeze $71 million in ETH recovered by the Arbitrum Security Council, with a June hearing scheduled as creditors represented by Gerstein Harrow assert competing claims. Meanwhile, Aave's binding Arbitrum governance vote — opened May 15 — seeks to transfer 30,765 ETH to Aave LLC for victim repayment. Aave Labs has published a comprehensive rsETH restoration plan committing to refill 117,132 rsETH over two phases, while simultaneously rolling out V4 infrastructure designed to rebuild securities finance on-chain. Stani Kulechov maintains the protocol's core contracts performed as designed, attributing losses to third-party bridge failures. The outcome of the court battle and the effectiveness of new collateral standards will set precedents for DeFi risk management in 2026 and beyond.

    Frequently Asked Questions

    On April 18, 2026, attackers exploited a LayerZero bridge vulnerability in Kelp DAO's rsETH protocol, draining approximately $293 million in what became the largest DeFi hack of the year. North Korea's Lazarus Group forged LayerZero lzReceive messages through a single-signer DVN to mint 116,500 unbacked rsETH tokens.
    Attackers used fraudulent rsETH as collateral to borrow $236 million in wETH from Aave, creating $177-200 million in bad debt and triggering an $8.45 billion deposit run that dropped Aave's TVL by 33% from $26.4 billion to $17.9 billion. The AAVE token fell 16% as panic withdrawals accelerated.
    Blockchain forensics and Galaxy Research attribute the attack to North Korea's Lazarus Group. The attackers exploited a single-signer DVN on Kelp DAO's LayerZero bridge to forge lzReceive messages and mint unbacked rsETH tokens across multiple chains.
    The Arbitrum Security Council froze 30,765 ETH recovered from the exploit. A New York federal court has delayed Aave's emergency motion to unfreeze the funds, with a June hearing scheduled as creditors represented by Gerstein Harrow assert competing claims over the recovered assets.
    Aave Labs is overhauling its collateral and listing standards to include cybersecurity and architecture reviews, expanding risk assessment beyond financial metrics. The protocol is also rolling out V4 infrastructure with enhanced securities finance capabilities and has published a comprehensive rsETH restoration plan to refill 117,132 rsETH over two phases.