🚨 $292M Stolen. $13B Wiped. $AAVE Is Bleeding — But Not Dead.
Hackers just pulled off the biggest #defi exploit of 2026.
Here's what happened in plain English 👇
The Setup:
#KelpDAO is a protocol where you can stake ETH and get a receipt token called $rsETH. Think of rsETH like a casino chip — it represents real ETH underneath.
The Hack:
Attackers tricked KelpDAO's bridge into releasing 116,500 rsETH — roughly 18% of the token's entire circulating supply — worth $292M, to an address they controlled.
The Damage to #AAVE :
They took those fake/stolen chips and deposited them on Aave as collateral, then borrowed real ETH against them.
Result? $196M in bad debt sitting on Aave — concentrated in the rsETH/WETH pair on Ethereum.
The Panic:
Whales like Justin Sun and MEXC immediately pulled billions. Over $6B left Aave within 24 hours, pushing $ETH , USDT, and USDC pools to 100% utilization — meaning trapped depositors could not withdraw.
The AAVE Risk:
Aave's Umbrella reserve may not fully cover the $196M deficit — meaning stkAAVE holders could be on the hook to absorb losses.
The Big Picture:
Total DeFi TVL dropped $13.21 billion in 48 hours. Aave alone saw $8.45B in deposit outflows.
This overtakes the $285M Drift hack from April 1st as the largest DeFi exploit of 2026.
Aave's code was NOT hacked. The protocol itself is intact. But it accepted a token whose backing vanished on a bridge it doesn't control.
The real lesson?
DeFi's vulnerability isn't the code. It's what you accept as collateral.
