- Aave froze rsETH markets after exploit minted unbacked tokens, leading to over $200M in borrowed assets.
- Attack created unliquidatable positions and about $177M bad debt, raising concerns over loss coverage.
- Market reacted sharply with price drops and liquidity outflows as users withdrew funds from affected pools.
Aave froze rsETH markets on V3 and V4 after a major exploit tied to KelpDAO’s bridge created bad debt across its lending pools. According to Aave, the issue did not originate from its contracts. The incident unfolded on April 18, when attackers used compromised collateral to borrow large amounts of ETH.
Exploit Origin and Immediate Response
The attack began with a vulnerability in KelpDAO’s cross-chain bridge. The exploiter manipulated the system to mint roughly 116,500 rsETH tokens without backing. These tokens were then deposited into Aave as collateral.
Subsequently, the attacker borrowed over 82,000 ETH and related assets across Ethereum and Arbitrum markets. According to Omer Goldberg, the total borrowed amount exceeded $200 million. Because the collateral lacked value, the positions became unliquidatable.
Aave responded by freezing all rsETH markets. This action stopped new deposits and prevented further borrowing against the asset. Stani Kulechov confirmed that the protocol acted to contain the risk quickly.
Market Reaction and Liquidity Impact
Following the incident, market conditions shifted. According to Lookonchain, AAVE dropped more than 18% during the day. Large holders began offloading tokens in multiple transactions.
Several whales sold significant positions at average prices near $103. Others converted holdings into ETH and WBTC. Meanwhile, liquidity moved out of the protocol.
Total value locked declined from $26.396 billion to $20.114 billion. Major withdrawals included $431 million from MEXC and over $400 million from other large wallets. These movements reflected broader risk reactions.
Bad Debt Concerns and Next Steps
The exploit left an estimated $177 million in bad debt within Aave’s wETH pool. This deficit raises questions about how losses will be handled. Aave stated it is reviewing borrow activity linked to the incident.
The protocol may rely on its Umbrella system, introduced in 2025, to cover losses. This mechanism allows staked assets to absorb deficits through slashing. However, the available coverage remains unclear.
Meanwhile, Marc Zeller urged users to withdraw WETH from affected pools. Aave confirmed that withdrawals remain active despite the freeze. KelpDAO has paused its contracts and continues investigating the breach.
