
Users of Aave encountered difficulties withdrawing funds after attackers used stolen rsETH tokens to borrow assets on the platform, driving a key lending pool’s utilization rate to 100% and effectively draining available liquidity.

The disruption followed a major exploit targeting infrastructure linked to Kelp DAO, in what observers described as one of the largest decentralized finance (DeFi) breaches of the year.

Blockchain security firm PeckShield first flagged suspicious activity, noting that approximately 116,500 rsETH—valued at around $291 million—was transferred to a newly created wallet. The exploit targeted a cross-chain bridge built using LayerZero infrastructure, which enables asset transfers and communication between blockchains.

Kelp DAO confirmed it had “paused rsETH contracts” across Ethereum mainnet and several layer-2 networks as it investigates the incident.

Borrowing Activity Strains Aave Liquidity

Rather than directly stealing user deposits from Aave, attackers used the compromised rsETH as collateral to borrow other assets from the platform. This activity sharply increased the utilization rate of a core lending pool to 100%, meaning all available liquidity had been borrowed and leaving depositors unable to withdraw funds.

Data from Aave monitoring tools showed that deposits of Ethereum and wrapped Ethereum were effectively locked, as no available liquidity remained in the affected pools.

Francesco Andreoli said the attack created “massive bad debt,” as the borrowed funds were unlikely to be repaid due to the compromised collateral backing them.

Aave responded by freezing markets associated with rsETH shortly after detecting the abnormal activity.

$6.2 Billion in Withdrawals Reflect Contagion Fears

The incident triggered widespread concern across the DeFi ecosystem, prompting users to withdraw funds not only from Aave but also from other protocols.

According to 0xngmi, Aave experienced approximately $6.2 billion in net withdrawals by early Sunday, reflecting a broader flight to safety.

Meanwhile, monetsupply.eth noted that users began borrowing stablecoins against their deposits during the liquidity crunch, further straining the system and creating what he described as “negative secondary effects.”

Market Impact and Broader Reaction

The fallout weighed on market sentiment. Aave’s governance token declined to around $90, marking a 16% drop over 24 hours, while Ethereum fell approximately 2% to $2,300 over the same period.

The exploit also intensified scrutiny of cross-chain infrastructure, particularly systems that rely on message-passing protocols. Blockchain researcher Stacy Muur suggested the attack may have exploited a single point of failure, using a “phantom” message to trick the bridge into releasing rsETH without properly accounting for tokens on another network.

The incident has renewed concerns about systemic risks in DeFi, especially as vulnerabilities in one protocol can quickly cascade into others.

Industry Response and Calls for Resolution

As the situation unfolded, some industry figures sought to mitigate damage. Justin Sun publicly addressed the attackers, suggesting they would face difficulties moving the stolen funds and proposing negotiations.

“How much do you want?” Sun wrote, arguing that the attackers risked causing widespread damage across interconnected platforms.

Legal experts also weighed in on the broader implications. Salman Banei said the incident provides “a lot of ammo” for critics of decentralized systems that aim to replace traditional financial intermediaries with code.

Structural Risks Resurface

The exploit highlights ongoing challenges in DeFi, particularly around cross-chain bridges and liquid staking derivatives such as rsETH, which represent staked assets while remaining tradable.

Kelp DAO’s rsETH token functions as a liquid staking receipt, allowing users to earn rewards from Ethereum staking and restaking protocols while maintaining liquidity.

However, the reliance on bridging infrastructure introduces additional layers of risk, as vulnerabilities in message validation or accounting mechanisms can lead to significant losses.

The incident comes amid a broader wave of exploits affecting DeFi protocols in recent weeks, underscoring persistent security challenges in the sector.


Analysis: The Kelp DAO Exploit Didn’t Just Break a Bridge — It Broke Aave’s Liquidity Model

Something snapped.

Not gradually. Not quietly.

One moment Aave is functioning like it always does — deposits in, borrowers out, interest ticking — and the next, users can’t withdraw.

That’s not supposed to happen on a “battle-tested” protocol.

And yet here we are.


This Wasn’t a Simple Hack — It Was a Chain Reaction

The exploit didn’t hit Aave directly.

That’s the part most people misunderstand.

The attackers hit the bridge. Specifically, infrastructure tied to LayerZero, which was used by Kelp DAO to move rsETH across chains.

Then they did something smarter.

They didn’t just dump the stolen asset.

They used it.

They took that rsETH, walked into Aave, and borrowed against it.

Real assets. Real liquidity.

That’s where things broke.


Utilization Hit 100% — That’s the Red Line

If you’ve ever used Aave, you know the metric that matters most: utilization rate.

It tells you how much of the pool is already borrowed.

Normal conditions? 60%, maybe 80% in stressed markets.

100%?

That’s game over.

It means:

  • No liquidity left.
  • No withdrawals.
  • Everyone is locked unless someone repays.

And guess what?

The borrower here isn’t repaying.


I’ve Seen Liquidity Stress Before — This Felt Different

There’s a difference between “tight liquidity” and “system freeze.”

This was the latter.

Users weren’t just facing delays. They were hitting a wall.

And the reaction was immediate.

People started pulling funds. Fast.

Then faster.


$6.2 Billion Doesn’t Leave Without Panic

When 0xngmi says $6.2 billion exited Aave, that’s not casual rotation.

That’s fear.

That’s users looking at the system and thinking:

“If I don’t get out now, I might not get out at all.”

And it didn’t stay isolated.

Funds started leaving other protocols too.

Classic contagion.


The Smart Move That Made It Worse

Here’s where it gets interesting.

Users who couldn’t withdraw started borrowing instead.

Stablecoins.

Against their locked ETH.

Think about that behavior.

They’re basically saying:

“I can’t exit, so I’ll extract liquidity another way.”

But that only drains the system further.

It’s like trying to escape a sinking boat by drilling holes in the floor.


The “Bad Debt” Problem Nobody Wants to Price In

Francesco Andreoli called it “massive bad debt.”

He’s not exaggerating.

Because if the collateral (rsETH) is compromised or inflated due to the exploit, then the loans taken against it are effectively undercollateralized.

That gap?

Someone has to absorb it.

And in DeFi, that usually means:

Liquidity providers.
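
The utilization and bad-debt mechanics described above, as an added example that is not part of the original article and is not Aave's code. The Pool class, the loan-to-value ratio and every figure are constructed assumptions chosen only to show how a loan against unbacked collateral locks lenders in and then leaves them with the shortfall.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Toy single-asset lending pool; a constructed model, not Aave's contracts."""
    supplied: float = 0.0   # deposits owed to lenders
    borrowed: float = 0.0   # outstanding loans

    @property
    def available(self) -> float:
        return self.supplied - self.borrowed

    @property
    def utilization(self) -> float:
        return self.borrowed / self.supplied if self.supplied else 0.0

    def borrow(self, amount: float, collateral_value: float, ltv: float) -> None:
        # The credit check trusts the collateral's reported value, whatever backs it.
        if amount > collateral_value * ltv:
            raise ValueError("exceeds borrowing power")
        if amount > self.available:
            raise ValueError("insufficient liquidity")
        self.borrowed += amount

    def withdraw(self, amount: float) -> float:
        # Lenders can only take out cash that has not been lent.
        paid = min(amount, self.available)
        self.supplied -= paid
        return paid

def bad_debt(debt: float, collateral_value: float) -> float:
    """Shortfall left once the collateral is marked to its real value."""
    return max(0.0, debt - collateral_value)

def run_scenario() -> dict:
    # All figures below are constructed for illustration.
    pool = Pool(supplied=1000.0, borrowed=700.0)           # starts at 70% utilization
    before = pool.utilization
    pool.borrow(300.0, collateral_value=400.0, ltv=0.75)   # loan against unbacked collateral
    paid = pool.withdraw(50.0)                             # a lender tries to exit
    shortfall = bad_debt(debt=300.0, collateral_value=0.0) # collateral marked to zero
    return {
        "utilization_before": before,
        "utilization_after": pool.utilization,
        "withdraw_paid": paid,
        "bad_debt": shortfall,
        "lender_haircut": shortfall / pool.supplied,
    }

if __name__ == "__main__":
    print(run_scenario())
```
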


The Bridge Failure — A Single Point of Failure Strikes Again

Stacy Muur pointed to a “phantom message.”

That’s the nightmare scenario.

A message that convinces the system something happened… when it didn’t.

So the bridge releases tokens on one chain…

Without properly locking or burning them on another.

Now you’ve got synthetic supply.

Unbacked.

Floating around like it’s real.

That’s not just a bug.

That’s a structural failure.
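
The accounting check this section describes, as an added example that is not part of the original article and is not LayerZero's or Kelp DAO's code. It reconciles destination-chain releases against source-chain locks and flags any release with nothing behind it; the event fields, message ids and amounts are constructed assumptions, and the check illustrates the invariant rather than the incident's confirmed mechanism.

```python
# Constructed sample events; message ids and amounts are invented.
SOURCE_LOCKS = [
    {"msg_id": "m-001", "amount": 120},
    {"msg_id": "m-002", "amount": 75},
    {"msg_id": "m-003", "amount": 40},
]
DEST_RELEASES = [
    {"msg_id": "m-001", "amount": 120},
    {"msg_id": "m-002", "amount": 75},
    {"msg_id": "m-002", "amount": 75},   # same message released twice
    {"msg_id": "m-003", "amount": 90},   # more released than was locked
    {"msg_id": "m-900", "amount": 500},  # no lock or burn on the source chain
]

def reconcile(locks, releases):
    """Match destination releases to source locks; return (findings, unbacked)."""
    locked = {e["msg_id"]: e["amount"] for e in locks}
    seen, findings, unbacked = set(), [], 0
    for r in releases:
        mid, amt = r["msg_id"], r["amount"]
        if mid not in locked:
            findings.append((mid, "phantom"))        # nothing happened on source
            unbacked += amt
        elif mid in seen:
            findings.append((mid, "replay"))         # message already honoured
            unbacked += amt
        elif amt > locked[mid]:
            findings.append((mid, "over-release"))   # amount mismatch
            unbacked += amt - locked[mid]
        seen.add(mid)
    return findings, unbacked

def supply_invariant_holds(locks, releases):
    """Released supply on the destination must never exceed locked supply."""
    return sum(r["amount"] for r in releases) <= sum(e["amount"] for e in locks)

if __name__ == "__main__":
    findings, unbacked = reconcile(SOURCE_LOCKS, DEST_RELEASES)
    for mid, kind in findings:
        print(f"ALERT {kind}: {mid}")
    print("unbacked supply:", unbacked, "invariant ok:",
          supply_invariant_holds(SOURCE_LOCKS, DEST_RELEASES))
```
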


This Is Why Bridges Keep Getting Hit

Let’s be blunt.

Bridges are the weakest link in DeFi.

They’re complex.
They rely on messaging.
They often depend on validators or relayers.

Every added layer is another attack surface.

And attackers know this.

They don’t go for the hardest target.

They go for the most interconnected one.


The Justin Sun Moment — Desperation or Strategy?

Justin Sun jumping in with “how much do you want?” says a lot.

That’s not standard behavior.

That’s someone recognizing systemic risk.

Because if Aave collapses — or even just loses trust — the ripple effects hit everything.

Lending. Liquidity. Collateral chains.

All of it.


This Was a Stress Test — And It Exposed the Cracks

Aave didn’t get hacked.

But it still broke.

That’s the key takeaway.

Because the system relies on:

  • Reliable collateral
  • Predictable liquidity
  • Functional bridges

Break one, and the rest start wobbling.

Break it fast enough, and you get what we just saw.


What I’d Do Here

I’m not rushing back into lending pools.

Not blindly.

Not until I understand:

  • What collateral is actually backing positions
  • How exposed protocols are to cross-chain assets
  • Whether liquidity can handle stress

Because this wasn’t a black swan.

It was a known risk playing out.


The Only Question That Matters Now

How much bad debt is still sitting in the system?

Because until that’s resolved, this isn’t over.

It’s just paused.

Disclaimer

This article is for informational and educational purposes only and does not constitute financial, investment, trading, or legal advice. Cryptocurrencies, memecoins, and prediction-market positions are highly speculative and involve significant risk, including the potential loss of all capital.

The analysis presented reflects the author’s opinion at the time of writing and is based on publicly available information, on-chain data, and market observations, which may change without notice. No representation or warranty is made regarding accuracy, completeness, or future performance.

Readers are solely responsible for their investment decisions and should conduct their own independent research and consult a qualified financial professional before engaging in any trading or betting activity. The author and publisher hold no responsibility for any financial losses incurred.

By Michael Lebowitz

Michael Lebowitz is a financial markets analyst and digital finance writer specializing in cryptocurrencies, blockchain ecosystems, prediction markets, and emerging fintech platforms. He began his career as a forex and equities trader, developing a deep understanding of market dynamics, risk cycles, and capital flows across traditional financial markets. In 2013, Michael transitioned his focus to cryptocurrencies, recognizing early the structural similarities—and critical differences—between legacy markets and blockchain-based financial systems. Since then, his work has concentrated on crypto-native market behavior, including memecoin cycles, on-chain activity, liquidity mechanics, and the role of prediction markets in pricing political, economic, and technological outcomes. Alongside digital assets, Michael continues to follow developments in online trading and financial technology, particularly where traditional market infrastructure intersects with decentralized systems. His analysis emphasizes incentive design, trader psychology, and market structure rather than short-term price action, helping readers better understand how speculative narratives form, evolve, and unwind in fast-moving crypto markets.
