The $2.92 Billion Theft Incident at KelpDAO Triggers a Chain Reaction: Aave Withdraws Over $54 Billion, Lending Market Risk Reassessed

BlockBeats News, April 19th - Multi-chain liquidity staking platform KelpDAO was attacked early this morning. The attacker withdrew 116,500 rsETH from KelpDAO's LayerZero-based cross-chain bridge, totaling approximately $2.92 billion, making it the largest DeFi security incident to date in 2026. About 46 minutes later, KelpDAO responded by urgently pausing the multisig, freezing core components including the LRT liquidity pool, withdrawal contracts, oracles, and the rsETH token. Kelp stated that they had detected abnormal cross-chain activities involving rsETH and had temporarily paused relevant contracts on the mainnet and several L2s, while conducting root cause analysis with LayerZero and others.

Two subsequent attacks by the perpetrator were unsuccessful, as the pause measures effectively prevented further fund loss. The attacker attempted to withdraw an additional 40,000 rsETH (around $1 billion), and if successful, the total loss could have expanded to approximately $3.91 billion. The attacker swiftly borrowed funds on protocols such as Aave, Compound, Euler, and Fluid, causing multiple protocols to experience defaults. Aave suffered approximately $177 million in defaults, Compound suffered approximately $39.4 million, and Euler suffered about $840,000. Aave was the most affected, having frozen the rsETH markets in V3 and V4, stating that the event was related to the rsETH asset and not an issue with the protocol's smart contracts. Aave mentioned they are assessing the lending situations post-event and stated that if there are protocol defaults, they will "explore ways to bridge the gap."

The majority of the rsETH stolen by the KelpDAO attacker was deposited into Aave as collateral to borrow ETH, while a small portion was directly sold for ETH. Through collateralization and selling, the hacker obtained 106,466 ETH (approximately $2.5 billion). For hedging purposes, over $54 billion in assets were moved out of Aave after the hacker borrowed a significant amount of ETH using illegally minted rsETH. This included Justin Sun retrieving 65,584 ETH ($154 million). The capital utilization rate of ETH on Aave briefly reached 100%.

Curve founder Michael Egorov stated in a post, "This event is a result of the widely adopted 'non-isolated lending' model, which carries inherent risks. While this model offers good scalability, it comes with higher risks, emphasizing the critical need for risk management. Aave's v4 hub and spoke model may be a step towards a semi-isolated, more secure direction."

Crypto KOL benmo.eth stated in a post that the KelpDAO's rsETH hack had far-reaching implications, Aave's security "fortress" was breached, and the risk of the uniform lending market is back in the spotlight of whale scrutiny. Aave V4 and modular lending may become future trends, with the transformation process potentially accelerating. DeFi will halt its expansion path, shifting towards a more conservative security model, while also needing to further address AI-driven security threats such as Anthropic Mythos.

Bankless co-founder Ryan Sean Adams wrote in a post, "The frequency of crypto hacks has reached an all-time high. I believe this is related to AI. AI is giving hackers 'dark superpowers.' Defense must catch up soon; we are running out of time."