Aave’s TVL Falls $8B After $293M Kelp DAO Hack
The total value locked up on decentralized lending protocol Aave dropped by nearly $8 billion over the weekend after hackers behind the $293 million Kelp DAO allegedly siphoned off funds borrowed by Aave, leaving about $195 million in “bad debt” on the protocol and causing withdrawals.
According to DeFillama data, Aave's TVL dropped from $26.4 billion to $18.6 billion on Sunday, the largest DeFi protocol losing its top spot.
The Aave v3 loan pools for USDt (USDT) and USDC (USDC) are now 100% used, meaning that over $5.1 billion worth of stablecoins cannot be withdrawn until new liquidity or loans are repaid.
The failure of Aave's TVL shows how quickly the risk of a single security risk can spread to the wider, interconnected defrayed loan market, potentially leading to severe liquidity problems.
The incident began on Saturday when hackers stole 116,500 Kelp DAO Restaked ETH (rsETH) tokens worth an estimated $293 million from a bridge running Kelp DAO LayerZero and wrapped them in Aave v3 and used them to borrow Ether (wETH).
Crypto analytics platform Lookonchain's move created about $195 million in “bad debt” on Aave, causing the Aave (AAVE) token tanking nearly 20% from $112 at 6:00 pm UTC on Saturday to $89.5 25 hours later.
Lookonchain observed that among the biggest crypto whales to withdraw funds from Aave were MEXC crypto exchange and Abraxas Capital with $431 million and $392 million respectively.
Several crypto networks and protocols linked to the rsETH or LayerZero bridge have stopped using the bridge until the issue is resolved, including DeFi platform Curve Finance, stablecoin issuer Etena, and Bitgo's Rolled Bitcoin (WBTC).
Aave has blocked several rsETH, wETH markets
Shortly after the Kelp DAO exploit, Ave said it froze the rETH market on both Aave v3 and v4 to prevent any suspicious lending, and later said that rETH on the Ethereum mainnet is fully backed by underlying assets.
WETH stocks remain frozen on Ethereum, Arbitrum, Base, Mantle and Linea, Aave said.
This event will mark the first significant stress test of Aave's “Umbrella” security model, which will allow users to receive rewards and automatic protection from protocol bad debt in June 2025.
Related: Aave DAO supports V4 mainnet plan near unanimous vote
Earlier this month, Canadian bank Ave was found to have avoided bad debt in its v3 market by using excessive leverage, automated liquidations and other strategies that shift risk to borrowers.
In comments to Cointelegraph, Ave defended the liquidity-based model, framing it as a primary security mechanism that protects lenders and limits risks to borrowers.
It comes as Aave parted ways with DeFi venture provider Chaos Labs on April 6 following disagreements over Aave v4's direction and budget constraints.
Magazine: Are DeFi devs liable for their illegal actions on other platforms?
