- Hackers tricked Kelp’s cross‑chain bridge into sending 116,500 rsETH to their wallet.
- About $200 million in stolen tokens was dumped into Aave as collateral.
- Aave’s TVL dropped to $17.56 billion, while its token declined roughly 20%.
A big crypto hack rattled the DeFi sector, prompting over $9 billion to be withdrawn from the lending platform Aave. The withdrawals came after a weekend hack that drained nearly $300 million from a DeFi project (KelpDAO), shaking user confidence across the board.
Two days ago, hackers tricked Kelp’s cross‑chain bridge into sending 116,500 rsETH (worth almost $300 million) to a wallet they owned.
After the exploit, the hackers dumped about $200 million in stolen tokens into Aave, using them as collateral to borrow other crypto. This raised fears that the collateral could become worthless or unrecoverable.
As worry spread, users flooded out of Aave (the biggest DeFi lender), pulling their money in one of the largest capital flight events DeFi has ever seen.
The main cause for the panic wasn’t the actual hack, but how the stolen funds were used. If the stolen tokens lose value or become frozen, Aave could be left with unbacked loans. Plus, DeFi protocols operate automatically, meaning they can’t easily intervene in real time.
Following the exploit, Aave’s TVL (Total Value Locked) has dropped to $17.56 billion, which represents an approximately 35% drop.
As for the AAVE token itself, its price declined around 20%, compared to just two days ago. It’s currently sitting at roughly $90.
DeFi Remains Vulnerable
Analysts have been pointing out for some time that the DeFi sector is developing and expanding too fast, which might cause the security to lag and not be up to date.
DeFi lets users lend, borrow, and earn interest without intermediaries, but that comes with smart contract and oracle manipulation risks. On top of that, collateral volatility is always present.
In fact, the KelpDAO incident is just the latest in a string of DeFi security issues. For instance, just a few weeks ago, Drift, a notable decentralized exchange, suffered a $285 million exploit. That particular event sparked a heated debate over stablecoin issuers like Circle, after users slammed them for not freezing the stolen USDC fast enough.
Also in 2026, the DeFi Solana-based platform Step Finance shut down a month later after it got hacked in late January, with about 261,000 SOL stolen (roughly $27 million at the time).
Related: Nine DeFi Protocols Frozen After $293 Million KelpDAO rsETH Exploit
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
