The total volume of blocked funds (TVL) in the decentralized lending protocol Aave decreased by $8.9 billion over one weekend — a consequence of the KelpDAO hack, during which hackers stole $293 million and used the stolen assets to create "bad debt" on the platform.
Chart of blocked funds in Aave. Source: DeFiLlama
According to DeFiLlama, Aave's TVL dropped from $26.4 billion to $17.5 billion by April 20, stripping the protocol of its title as the largest in the DeFi space. Meanwhile, the AAVE token plummeted by 26% — from $112 to $82.4.
1-week candlestick chart AAVE/USDT
How the hack unfolded
On April 18, attackers stole 116,500 tokens of KelpDAO Restaked ETH (rsETH) worth approximately $293 million via a LayerZero-based bridge. The stolen tokens were used as collateral in Aave v3, under which the hackers borrowed wrapped Ethereum (wETH). According to analytics platform Lookonchain, this led to the creation of about $195 million in 'bad debt' within the protocol.
The situation was exacerbated by mass withdrawals from users. Among the largest was the crypto exchange MEXC, which withdrew $431 million, and Abraxas Capital with $392 million. As a result, the liquidity pools of USDT and USDC in Aave v3 were completely depleted: over $5.1 billion in stablecoins became unavailable for withdrawal until new liquidity came in or loans were repaid.
Protocol reactions
Shortly after the attack, Aave froze the rsETH markets on v3 and v4 versions to block suspicious borrowing operations. The reserves of wETH also remain frozen across Ethereum, Arbitrum, Base, Mantle, and Linea. The protocol confirmed that rsETH on the Ethereum mainnet is still fully backed by the underlying assets.
A number of other protocols and networks related to rsETH or the LayerZero bridge also paused operations — in particular, Curve Finance, the issuer of the Ethena stablecoin, and Wrapped Bitcoin from BitGo.
First stress test of the Umbrella model
The incident marked the first serious test of Aave's security system called Umbrella, launched in June 2025. The model is designed for automatic protection against 'bad debt' while simultaneously rewarding users.
Notably, the attack occurred shortly after Aave parted ways with its long-time risk management service provider — Chaos Labs. The split happened on April 6 amidst disagreements over the development of Aave v4 and budget constraints.
#AaveProtocol #AAVE #defi #Write2Earn
