Aave Loses $8 Billion in TVL After Hackers Exploit Kelp DAO to Create $195M Bad Debt
Largest DeFi protocol faces first stress test of Umbrella security model as stablecoin pools hit 100% utilization
Quick Look
- Aave's total value locked dropped by nearly $8 billion to $18.6 billion after hackers behind the $293 million Kelp DAO exploit used stolen rsETH as collateral on Aave v3 to borrow wETH, creating approximately $195 million in bad debt.
- The incident triggered mass withdrawals, with MEXC exchange and Abraxas Capital removing $431 million and $392 million respectively.
- USDT and USDC lending pools are now at 100% utilization, locking over $5.1 billion in stablecoins.
AI-generated summary
Why It Matters
Aave is the largest DeFi lending protocol by TVL. The Kelp DAO exploit represents one of the largest DeFi hacks. This was the first significant stress test of Aave's Umbrella security model introduced in June 2025. The Bank of Canada had recently analyzed Aave's risk management in v3 markets.
Total value locked on decentralized lending protocol Aave dropped by nearly $8 billion over the weekend after hackers behind the $293 million Kelp DAO exploit borrowed funds on Aave, leaving roughly $195 million in "bad debt" on the protocol and triggering withdrawals. Data from DeFiLlama shows that Aave's TVL fell from about $26.4 billion to $18.6 billion by Sunday, losing the top spot as the largest DeFi protocol. Aave v3's lending pools for USDt (USDT) and USDC (USDC) are now at 100% utilization, meaning that more than $5.1 billion worth of stablecoins cannot be withdrawn until new liquidity arrives or borrows are repaid. Aave's TVL fall shows how rapidly risk from a single security incident can spread throughout the broader, interconnected DeFi lending market, potentially leading to a severe liquidity crisis. The incident began on Saturday when hackers stole 116,500 Kelp DAO Restaked ETH (rsETH) tokens worth about $293 million from Kelp DAO's LayerZero-powered bridge and used them as collateral on Aave v3 to borrow wrapped Ether (wETH). Crypto analytics platform Lookonchain said the move created about $195 million in "bad debt" on Aave, which contributed to the Aave (AAVE) token tanking nearly 20% from $112 on Saturday at 6:00 pm UTC to $89.5 about 25 hours later. Lookonchain noted that some of the largest crypto whales to withdraw funds from Aave were the MEXC crypto exchange and Abraxas Capital at $431 million and $392 million, respectively. Several crypto networks and protocols tied to rsETH or the LayerZero bridge have paused use of the bridge until the problem is resolved, including DeFi platform Curve Finance, stablecoin issuer Ethena and BitGo's Wrapped Bitcoin (WBTC). Aave has frozen several rsETH, wETH markets. Shortly after the Kelp DAO exploit, Aave said it froze the rsETH markets on both Aave v3 and v4 to prevent any suspicious borrowing and later stated that rsETH on Ethereum mainnet remains fully backed by underlying assets. WETH reserves also remain frozen on Ethereum, Arbitrum, Base, Mantle and Linea, Aave said. This incident marks the first significant stress test of Aave's "Umbrella" security model, which was introduced in June 2025 to provide automated protection against protocol bad debt while enabling users to earn rewards. Earlier this month, the Bank of Canada found that Aave avoided bad debt in its v3 market by using overcollateralization, automated liquidations and other strategies that shifted risk to borrowers. In comments to Cointelegraph, Aave defended its liquidation-based model, framing it as a core safety mechanism that protects lenders while limiting downside for borrowers. It comes as Aave parted ways with its longest-standing DeFi risk service provider, Chaos Labs, on April 6, following disagreements over the direction of Aave v4 and budget constraints.
What to Watch
AI outlook — possibilities, not facts
Aave will likely implement emergency governance proposals to address the bad debt and restore liquidity
Very likely · Within weeks
Regulatory scrutiny of DeFi lending protocols will increase following this incident
Likely · Within months
LayerZero bridge usage will face prolonged suspension across multiple protocols
Likely · Within weeks
Open Questions
- Will Aave recover the $195 million in bad debt?
- How will the Umbrella security model handle this situation?
- What additional protocols may be affected by the LayerZero bridge exploit?
- Will institutional investors return to Aave?






