Lending protocol Aave records a massive capital outflow amounting to $5.4 billion in ether (ETH)—approximately 2.3 million units—after an exploit was confirmed on the Kelp DAO bridge yesterday, April 18, 2026.
As a consequence of this fact, ETH utilization rate on Aave reached 100%, while governance token AAVE plummets 20% in the last 24 hours.
The sequence of events began on Saturday, April 18, when An attacker managed to breach the interchain bridge (cross-chain) by Kelp DAOwhich uses the LayerZero messaging infrastructure. The perpetrator drained 116,500 rsETH (liquid reset ether), representing 18% of the total circulating supply of the token.
The value of what was stolen amounts to 292 million dollars, making it the biggest DeFi hack so far in 2026overcoming the attack suffered by the Drift protocol that, as reported by CriptoNoticias, occurred on April 1.
The attacker used a vulnerability in LayerZero’s validation logic to trick the Kelp DAO bridge. By sending forged messaging instructions, the protocol interpreted a funds release order from another network as valid, resulting in the bulk transfer of rsETH to addresses controlled by the hacker.
ZachXBT, researcher on-chain, confirmed thatattacker addresses were originally funded through Tornado Cashmaking it difficult to initially trace the identity of the perpetrator. Even though Kelp DAO’s emergency pause system froze the contracts, the attacker had already secured the main loot.
The impact on Aave has been systemic due to the integration of rsETH as collateral into the version 3 (V3) and recently released version 4 (V4) markets. By pledging support for the rsETH token—which relies on reserves in the now-drained bridge—it created an immediate risk of bad debt (bad debt) for Aave.
Aave Labs acted reactively:
- Market freezing: They were suspended all operations with rsETH to avoid new deposits or borrowing against this asset.
- WETH Lock: Stani Kulechov, founder of Aave, confirmed the preventive freezing of the Wrapped Ether (WETH) markets as a containment measure to protect the solvency of the protocol.
However, these measures did not prevent the “bank run.” Uncertainty over rsETH parity and the solvency of funds on Aave caused a massive outflow of assets. This massive leak has drained the available ETH reserves in the protocol, bringing the utilization rate to 100%.
A 100% utilization rate means that all ETH deposited in Aave is currently borrowed. In this state, depositors who still hold funds in the protocol cannot withdraw their capital or close positions that require the return of ETH, creating a liquidity lock.
The market has reacted severely. As seen in the image below, the price of the AAVE token is currently trading with a loss of 20% in the last 24 hours, reflecting investor fear.
The crisis has also exacerbated political tensions within Aave’s governance. In it official protocol forumusers and delegates have questioned the role of key figures. Criticism directed at Marc Zeller, of the Aave Chan Initiative (ACI), suggests a fracture in decision-making after the loss of influence against Aave Labs.
In an unexpected turn, Justin Sun, founder of the Tron network, posted a direct message to the attacker via X: «KelpDAO hacker, how much do you want? Let’s talk. It’s not worth sacrificing Aave and KelpDAO for this. “You can’t spend $300 million anyway.”
This negotiation attempt seeks to turn the exploit into a “white hat hack,” where the attacker returns the majority of the funds in exchange for a reward and a promise not to take legal action. So far, there is no confirmation of a response from the addresses linked to the theft.