Kelp-linked liquidity withdrawal triggers ~66% collapse in Aave TVL
- Aave’s liquidity crunch followed the April 18 Kelp DAO bridge exploit, after an attacker used stolen rsETH as collateral on Aave and users rushed to pull deposits from the lending protocol.
- Aave’s total value supplied fell from about $45.8 billion to $30.8 billion within days, while DefiLlama showed protocol TVL near $14.2 billion and Aave estimated rsETH-linked losses at $123 million to $230 million.
- The stress spread beyond one token: Aave froze rsETH markets, WETH utilization hit 100%, and governance began debating loss allocation and treasury support. (governance.aave.com)

Aave’s lending pools were hit by a liquidity run after the April 18 Kelp DAO exploit spilled into its rsETH-backed borrowing markets. (governance.aave.com) (cointelegraph.com)

The trigger was not an Aave smart-contract bug. Aave said an attacker exploited Kelp’s LayerZero route at 17:35 UTC on April 18, withdrew 116,500 rsETH, and then opened active rsETH-backed loans across Aave markets. (governance.aave.com)

Aave’s Guardian froze rsETH and wrapped rsETH markets starting at 18:52 UTC on April 18 across Ethereum, Arbitrum, Base, Mantle, Linea and other deployments. Aave said existing positions stayed open, but no new deposits or borrows against rsETH collateral were allowed. (governance.aave.com)

The immediate damage showed up in withdrawals. Aavescan data cited by Cointelegraph showed Aave’s total supplied balance falling from $45.8 billion on Saturday to $30.8 billion by Wednesday, a roughly $15 billion drop in four days. (cointelegraph.com) (aavescan.com)

DefiLlama’s read on Aave’s total value locked was lower because it measures a different balance, but it still showed the same direction: about $14.2 billion as of April 26, down 34.3% over seven days. (defillama.com)

Aave’s own incident report put the rsETH-linked shortfall at about $123 million to $230 million, depending on how losses are assigned across chains and token holders. The report said 89,567 rsETH had been deposited into Aave before the freeze. (governance.aave.com) (cointelegraph.com)

In a lending protocol, suppliers expect to withdraw the assets they deposited, while borrowers post collateral and take loans against it. When the collateral turns out to be unbacked, the protocol can be left with bad debt — loans that are still owed even after the collateral no longer covers them. (governance.aave.com)

That is what tightened Aave’s wrapped Ether market. Cointelegraph, citing Talos, reported Aave v3’s wrapped Ether pool briefly hit 100% utilization, meaning all available liquidity had been borrowed and suppliers could not all exit at once. (cointelegraph.com)

The bridge failure that started this was narrow but costly. Aave’s report said Kelp’s Unichain-to-Ethereum rsETH route was configured as a 1-of-1 Decentralized Verifier Network path, letting a forged inbound message release Ethereum-side rsETH without a matching burn on the source chain. (governance.aave.com) (layerzero.network)

LayerZero said the exploit was isolated to KelpDAO’s rsETH configuration and tied it to the single-verifier setup rather than broader contagion across other LayerZero assets. Chainalysis said the theft totaled about $292 million and linked the attack to Lazarus Group infrastructure. (layerzero.network) (chainalysis.com)

Governance debate shifted quickly from containment to who should absorb losses. Forum posts discussed using Aave DAO treasury resources to protect wrapped Ether lenders, while other members warned that reopening withdrawals too fast could increase each remaining supplier’s pro-rata exposure. (governance.aave.com 1) (governance.aave.com 2)

By April 26, the market panic had eased only partially: Aave still showed sharply lower supplied balances, lower TVL and an unresolved governance fight over how to close the rsETH hole without shaking confidence in the rest of the protocol. (aavescan.com) (defillama.com) (governance.aave.com)
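
The two conditions the reports describe, a route gated by a single verifier and a destination-side release with no matching source-chain burn, are both things a bridge operator can check for. The Python below is an added illustration, not code from Aave, Kelp or LayerZero: the `Route` and `Event` records, their field names, the second route and all message ids and amounts are constructed assumptions, and only the 1-of-1 setting on the Unichain-to-Ethereum route comes from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    name: str
    required_verifiers: int  # attestations needed before an inbound message executes

@dataclass(frozen=True)
class Event:
    route: str
    msg_id: str
    amount: int  # token units

def single_verifier_routes(routes):
    """Names of routes where one verifier alone can approve an inbound message."""
    return [r.name for r in routes if r.required_verifiers < 2]

def unbacked_releases(burns, releases):
    """Releases with no source burn of the same route, id and amount (replays included)."""
    unspent = {(b.route, b.msg_id): b.amount for b in burns}
    flagged = []
    for rel in releases:
        # pop() consumes the burn, so a second release of the same id is flagged too
        if unspent.pop((rel.route, rel.msg_id), None) != rel.amount:
            flagged.append(rel)
    return flagged

# Constructed sample data; only the 1-of-1 setting on the first route comes from the article.
ROUTES = [Route("unichain->ethereum", 1), Route("example->ethereum", 2)]
BURNS = [Event("unichain->ethereum", "m1", 100), Event("example->ethereum", "m2", 40)]
RELEASES = [
    Event("unichain->ethereum", "m1", 100),   # backed by burn m1
    Event("unichain->ethereum", "m9", 5000),  # no burn on the source chain
    Event("example->ethereum", "m2", 40),     # backed by burn m2
    Event("example->ethereum", "m2", 40),     # replay of an already-spent burn
]

if __name__ == "__main__":
    print("single-verifier routes:", single_verifier_routes(ROUTES))
    bad = unbacked_releases(BURNS, RELEASES)
    print("unbacked releases:", [(e.route, e.msg_id, e.amount) for e in bad])
    print("unbacked total:", sum(e.amount for e in bad))
```

The first check is preventive and runs against configuration; the second is detective and only helps if the reconciliation reads burns from the source chain independently of the bridge's own verifier.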