Kelp DAO Exploit Sparks Aave Liquidity Crunch, $6.2 Billion Withdrawal Panic

Less than a day after attackers drained $291 million in crypto from infrastructure linked to decentralized finance project Kelp DAO, users on Aave, one of DeFi’s most battle-tested protocols, struggled to withdraw funds amid a liquidity crunch.

A bridge that typically allows users to move an asset called rsETH from one network to another was exploited on Saturday, prompting Aave to freeze markets tied to the token, which attackers had used to borrow funds from the platform, the lending protocol said in an X post.

Meanwhile, Kelp DAO said in an X post that it had “paused rsETH contracts” across Ethereum’s mainnet and several layer-2 scaling networks as it investigates suspicious activity.

The attackers’ activity on Aave caused the so-called utilization rate of a core lending pool to spike to 100%, signaling that users who previously deposited Ethereum and wrapped Ethereum have been left with little to no liquidity to withdraw, Aavescan data showed.

An hour before Aave locked down the markets, blockchain security firm PeckShield flagged a transaction showing 116,500 rsETH, worth $291 million at the time, flowing to a fresh wallet.

The attackers didn’t abscond with rsETH that had been maliciously released from the bridge. Rather, they used Aave to borrow regular funds, creating “massive bad debt,” Francesco Andreoli, head of developer relations at Consensys and MetaMask, said in an X post. (Disclaimer: Consensys is one of many investors in an editorially independent Decrypt.)

Aave’s governance token plunged to $90.13 on Sunday, a 16% decrease over the past day, according to CoinGecko. Ethereum fell 2% to $2,300 over the same period.

As users struggled to withdraw from Aave, they began borrowing against their deposits in stablecoins, straining the liquidity further as a sign of “negative secondary effects,” said monetsupply.eth, the pseudonymous head of strategy at DeFi project Spark, in an X post.

The Kelp DAO exploit and ensuing fallout on Aave prompted a massive wave of withdrawals from several DeFi protocols, even those that were unaffected, according to 0xngmi, the pseudonymous co-founder of data provider DefiLlama. On a net basis, users had yanked $6.2 billion from Aave alone by early Sunday, they said in an X post.

With contagion appearing to spread, DeFi’s latest exploit provides “a lot of ammo” for critics skeptical of systems that seek to replace traditional financial intermediaries with code, Salman Banei, general counsel at Plume, a network focused on tokenization, said in an X post.

Kelp DAO issues rsETH, a liquid staking token that allows users to earn Ethereum staking and EigenLayer restaking rewards. It acts as a tradeable “receipt” for Kelp DAO depositors. The Kelp DAO bridge was built on top of infrastructure designed by LayerZero, a protocol that allows DeFi applications to send messages and transfer assets across blockchains.

Stacy Muur, a noted blockchain researcher, said in an X post that the exploit appeared to rely on a single point of failure. She wrote that a “phantom” message used by attackers essentially tricked Kelp DAO’s bridge into releasing rsETH on Ethereum without removing a corresponding amount of tokens from circulation on Ethereum layer-2 Unichain.

Nonetheless, some onlookers were eager to find a path forward, including crypto entrepreneur and Tron founder Justin Sun. He attempted to negotiate, arguing that the attackers would ultimately struggle to spend the stolen funds.

“How much [do] you want?” he asked them in an X post. “It’s simply not worth it to sacrifice both Aave and Kelp DAO and let them go down over this hack.”