Aave Battles Existential Crisis Following Year’s Largest Crypto Breach

On April 18, 2026, a cybercriminal discovered and exploited a critical flaw in KelpDAO’s LayerZero bridge infrastructure, fabricating 116,500 rsETH tokens without any legitimate underlying assets.

KelpDAO (@KelpDAO) Hack Update: The hacker has finished converting all the stolen 75,701 $ETH (~$175M) into $BTC, using THORChain and other swap routes on Ethereum. Meanwhile, the crypto community is stepping up to help cover the losses: 🔹 Mantle (@Mantle_Official) has… https://t.co/YGNJdWlCl0
— Crypto Patel (@CryptoPatel) April 24, 2026

Instead of immediately liquidating these counterfeit tokens, the perpetrator executed a more sophisticated strategy. Approximately 90,000 fraudulent rsETH tokens were supplied to Aave as legitimate collateral, enabling the withdrawal of roughly $190 million in ETH and additional cryptocurrencies across both Ethereum mainnet and Arbitrum networks. This maneuver trapped Aave with fundamentally valueless collateral.

Once users recognized the situation’s severity, panic-driven mass withdrawals commenced, creating a classic liquidity crisis reminiscent of traditional bank runs. Aave’s total value locked hemorrhaged approximately $10 billion almost immediately following the breach. By April 21, net capital outflows reached roughly $9 billion, with TVL collapsing from above $17.5 billion to approximately $14.3 billion.

The contagion effect rippled throughout decentralized finance. Across all DeFi lending platforms combined, total value locked contracted by approximately $13 billion in the 48-hour period following public disclosure of the exploit.

Arbitrum’s security council responded swiftly, successfully freezing 30,766 ETH—valued around $71 million—connected to the malicious activity. Unfortunately, the majority of stolen assets had already been converted to Bitcoin via THORChain, substantially complicating any potential recovery efforts.

Aave, alongside its service ecosystem, launched “DeFi United,” a coordinated emergency response aimed at recapitalizing rsETH reserves and containing bad debt from contaminating additional lending markets.

Lido Finance emerged as the first major protocol to commit resources. The Lido Labs Foundation proposed contributing up to 2,500 stETH, representing approximately $5.7–$6 million, into a designated recovery fund. This contribution would activate only if aggregate commitments prove sufficient to address the complete deficit. EtherFi subsequently announced plans to allocate 5,000 ETH toward user protection and bad debt prevention. Separately, Aave founder Stani Kulechov personally committed 5,000 ETH to the recovery effort. “Aave is my life’s work and we’re working nonstop to find the best possible outcome for users,” Kulechov posted on X.

Lido’s participation carries strategic self-interest. The protocol operates an EarnETH vault with direct rsETH exposure, and absent coordinated intervention, vault participants face potential losses approaching 9,000 ETH.

To prevent additional damage escalation, Aave implemented emergency pauses on rsETH reserves spanning Ethereum Core, Arbitrum, Base, Mantle, and Linea while recovery strategies remain in development. According to Aave’s official incident documentation, the total deficit exceeds 112,000 rsETH.

DeFi United’s strategy focuses on system stabilization through new capital injections rather than pursuing recovery of already-stolen assets. Aave indicated that additional commitments from ecosystem participants are anticipated once formal confirmation processes conclude.