Total value locked on decentralized lending protocol Aave dropped by nearly $8 billion over the weekend after hackers behind the $293 million Kelp DAO exploit borrowed funds on Aave, leaving roughly $195 million in “bad debt” on the protocol and triggering withdrawals.
Data from DeFiLlama shows that Aave’s TVL fell from about $26.4 billion to $18.6 billion by Sunday, losing the top spot as the largest DeFi protocol.
Aave v3’s lending pools for USDt (USDT) and USDC (USDC) are now at 100% utilization, meaning that more than $5.1 billion worth of stablecoins cannot be withdrawn until new liquidity arrives or borrows are repaid.
Aave’s TVL fall shows how rapidly risk from a single security incident can spread throughout the broader, interconnected DeFi lending market, potentially leading to a severe liquidity crisis.
The incident began on Saturday when hackers stole 116,500 Kelp DAO Restaked ETH (rsETH) tokens worth about $293 million from Kelp DAO’s LayerZero-powered bridge and used them as collateral on Aave v3 to borrow wrapped Ether (wETH).
Crypto analytics platform Lookonchain said the move created about $195 million in “bad debt” on Aave, which contributed to the Aave (AAVE) token tanking nearly 20% from $112 on Saturday at 6:00 pm UTC to $89.5 about 25 hours later.
Lookonchain noted that some of the largest crypto whales to withdraw funds from Aave were the MEXC crypto exchange and Abraxas Capital at $431 million and $392 million, respectively.
Several crypto networks and protocols tied to rsETH or the LayerZero bridge have paused use of the bridge until the problem is resolved, including DeFi platform Curve Finance, stablecoin issuer Ethena and BitGo’s Wrapped Bitcoin (WBTC).
Aave has frozen several rsETH, wETH markets
Shortly after the Kelp DAO exploit, Aave said it froze the rsETH markets on both Aave v3 and v4 to prevent any suspicious borrowing and later stated that rsETH on Ethereum mainnet remains fully backed by underlying assets.
WETH reserves also remain frozen on Ethereum, Arbitrum, Base, Mantle and Linea, Aave said.
This incident marks the first significant stress test of Aave’s “Umbrella” security model, which was introduced in June 2025 to provide automated protection against protocol bad debt while enabling users to earn rewards.
Related: Aave DAO backs V4 mainnet plan in near-unanimous vote
Earlier this month, the Bank of Canada found that Aave avoided bad debt in its v3 market by using overcollateralization, automated liquidations and other strategies that shifted risk to borrowers.
In comments to Cointelegraph, Aave defended its liquidation-based model, framing it as a core safety mechanism that protects lenders while limiting downside for borrowers.
It comes as Aave parted ways with its longest-standing DeFi risk service provider, Chaos Labs, on April 6, following disagreements over the direction of Aave v4 and budget constraints.
Magazine: Are DeFi devs liable for the illegal activity of others on their platforms?
