In just two days, the total value locked (TVL) in the leading crypto lending platform Aave plummeted from $26.3 billion to $17.7 billion, according to data from DefiLlama.
The price of the AAVE token dropped by more than 15% to $91, with its market capitalization falling from $1.8 billion to $1.3 billion.
In Aave v3, the pools for USDT and USDC have been completely depleted. Assets worth $5.1 billion are frozen and can only be withdrawn after new liquidity flows in or loans are repaid.
Impact of the Kelp Hack
The decline in Aave's metrics was triggered by a hack of the liquid restaking protocol Kelp. On April 18, hackers stole 116,500 rsETH valued at $293 million from Kelp DAO's cross-chain bridge, which is built on LayerZero.
The attackers deposited the stolen tokens into Aave v3 as collateral and borrowed wETH against them. They borrowed approximately $196 million directly on the platform, with their total positions in Aave, Compound, and Euler reaching around $236 million.
According to Lookonchain, this operation left the project with a balance shortfall of about $195 million—these funds are irretrievable.
Due to the KelpDAO exploiter borrowing over 82,600 $ETH ($195M) from #Aave using $RSETH as collateral, bad debt has appeared on #Aave.
Many whales have withdrawn funds from #Aave, causing its TVL to drop from $26.396B to $20.114B—a decline of $6.28B.
Major withdrawals…
— Lookonchain (@lookonchain) April 19, 2026
Curve Finance founder Mikhail Egorov also noted that Aave and other protocols now hold hundreds of millions of dollars in questionable collateral and unrecoverable debts.
“Aave has rsETH that cannot be sold, and there is no ETH because it is all tied up in loans. No one can withdraw Ethereum,” he added.
Initially, the project team stated that the Umbrella reserve fund would cover any shortfall. However, this was later softened to “exploring compensation options.”
The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave's contracts have not been exploited, and this is an exploit related to rsETH.
The freeze follows an exploit of the Kelp DAO rsETH bridge. Freezing the rsETH markets prevents new deposits and borrowing against rsETH…
— Aave (@aave) April 18, 2026
The rsETH markets in versions v3 and v4 have been frozen to prevent suspicious activities. Reserves of wETH are locked on Ethereum, Arbitrum, Base, Mantle, and Linea.
Several projects, including Curve Finance and Ethena, have suspended the use of the Kelp DAO bridge until further notice, as well as other networks and protocols working with rsETH or LayerZero.
The outflow of funds has also affected Solana. Journalist Colin Wu pointed out that deposit rates and utilization ratios surged on several USDC markets in Kamino, the leading lending protocol on the network.
The USDC reserve in the Prime Market, totaling $178 million, has been completely depleted—there are no available funds, and the utilization of several other vaults has exceeded 95%.
The total TVL of the entire DeFi sector has fallen from $99.4 billion to $85.8 billion.
LayerZero Investigation
Kelp DAO is continuing to investigate the causes of the incident. Meanwhile, LayerZero developers have shared initial findings from their internal investigation.
— LayerZero (@LayerZero_Core) April 20, 2026
According to them, the attack was carried out by North Korean hackers, specifically the TraderTraitor group, which has been linked to hacks on Ronin ($625 million), Bybit ($1.5 billion), and Drift Protocol ($280 million).
LayerZero explained that the attackers gained access to the list of RPC servers used by the LayerZero Labs decentralized verifier network (DVN). They then “poisoned” two of them, causing them to deliver a fake cross-chain message to the DVN.
The attackers also launched a DDoS attack on clean servers, forcing the network to rely on the poisoned ones.
Kelp used a single-verifier configuration with no redundancy, so the forged message passed verification and the bridge unlocked the tokens.
“Exploiting a single point of failure meant that the independent verifier could not intercept and reject the forgery. LayerZero and other external parties had previously advised the project on best practices for diversifying the DVN. Despite these recommendations, Kelp opted for a 1/1 DVN scheme,” the experts noted.
They emphasized that the compromise did not affect other assets or applications. LayerZero continues to work with law enforcement for further investigation and is tracking the stolen funds.
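The failure mode described above can be shown with a simplified Python model, added here as an illustration; it is not LayerZero or Kelp code. It compares a verifier that fails over to whichever RPC endpoint still answers with one that requires a majority of its configured endpoints, and a 1/1 verifier requirement with a 2/2 one. The endpoint responses, hash values, function names and the majority rule are assumptions constructed for the example.

```python
from collections import Counter

# Constructed sample values (assumptions, not data from the incident).
FORGED = "0xbad0"      # payload hash served by the poisoned endpoints
ABSENT = "no-message"  # honest answer: no such message on the source chain
DOWN = None            # endpoint unreachable, e.g. under DDoS

def view_failover(responses):
    """Naive verifier: trust the first endpoint that answers."""
    return next((r for r in responses if r is not DOWN), None)

def view_quorum(responses):
    """Hardened verifier: attest only when a strict majority of the
    *configured* endpoints agree. Unreachable endpoints still count in
    the denominator, so knocking clean nodes offline fails closed."""
    votes = Counter(r for r in responses if r is not DOWN)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count > len(responses) // 2 else None

def bridge_accepts(claimed, attestations, required):
    """X-of-N check: accept only if `required` verifiers attest `claimed`."""
    return sum(a == claimed for a in attestations) >= required

def scenario():
    # Verifier A: two poisoned endpoints, two clean ones knocked offline.
    rpc_a = [DOWN, FORGED, DOWN, FORGED]
    # Verifier B: hypothetical independent operator with its own endpoints.
    rpc_b = [ABSENT, ABSENT, ABSENT]
    a_naive, a_hard = view_failover(rpc_a), view_quorum(rpc_a)
    b = view_quorum(rpc_b)
    return {
        "1/1, failover": bridge_accepts(FORGED, [a_naive], 1),
        "1/1, quorum": bridge_accepts(FORGED, [a_hard], 1),
        "2/2, failover": bridge_accepts(FORGED, [a_naive, b], 2),
    }

if __name__ == "__main__":
    for config, accepted in scenario().items():
        print(f"{config}: forged message accepted = {accepted}")
```

In this model only the 1/1 configuration with failover accepts the forged message; either a fail-closed endpoint quorum or a second independent verifier rejects it.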
It is worth noting that in April, an Ethereum Foundation scholar identified 100 North Korean IT agents in Web3 companies.
