Rebeca Moen
Apr 27, 2026 19:35
A solid LayerZero message drained $292M, triggering a liquidity collapse on Aave. WETH liquidity dropped from $689M to $1.5M in hours.
A solid LayerZero message focusing on Kelp DAO on April 18, 2026, drained 116,500 rsETH ($292 million) and triggered the most important liquidity freeze in Aave’s historical past. Inside two hours, WETH liquidity on Aave V3 collapsed from $689 million to only $1.5 million. The protocol’s whole obtainable liquidity contracted by 41%, falling from $9.77 billion to $5.75 billion in 29 hours.
The attacker exploited a vulnerability in Kelp DAO’s rsETH Omnichain Fungible Token (OFT) adapter, utilizing compromised LayerZero verifier nodes to forge a cross-chain message. The stolen rsETH was looped as collateral throughout Aave, Compound, and Euler, netting $236 million in WETH and wstETH earlier than Kelp DAO paused operations. Aave’s automated techniques functioned as designed, however the assault’s scale overwhelmed reserves, driving utilization to 100% and freezing liquidity.
Liquidity Collapse Levels
The liquidity squeeze unfolded in 5 levels:
- Pre-event baseline (17:00 UTC): Aave’s whole obtainable liquidity stood at $9.77 billion.
- Exploit window (18:00-19:00 UTC): Liquidity dropped $1.56 billion (-16%). WETH reserves plummeted by 99.8%.
- rsETH freeze to WETH freeze (19:00-03:00 UTC): Panic borrowing additional drained $1.1 billion as USDT and USDC liquidity hit zero.
- Put up-WETH freeze stabilization: The tempo of withdrawals slowed, with reserves contracting by $538 million.
- Continued stabilization: Liquidity fell by $673 million, pushed by wstETH and WBTC withdrawals.
The Protocol Guardian froze WETH borrowing at 02:28 UTC on April 19, almost seven hours after reserves have been exhausted. This motion prevented additional pressure but additionally restricted replenishment by way of new deposits.
Structural Dangers Revealed
The incident uncovered dangers inherent in layered token techniques like rsETH, which depend on a number of good contracts, governance mechanisms, and cross-chain verifiers. A failure on the deepest layer—LayerZero’s verifier community—cascaded upward, leaving rsETH holders and Aave depositors uncovered. Put up-exploit evaluation from LlamaRisk estimates unhealthy debt between $123.7 million and $230.1 million, with ~$71 million frozen by the Arbitrum Safety Council providing partial restoration potential.
Market Response
The broader DeFi ecosystem noticed $13.2 billion wiped from whole worth locked (TVL) over 48 hours, pushed by pressured liquidations and asset withdrawals. AAVE, Aave’s governance token, dropped 21% from $115 to $90 throughout the occasion. Notably, institutional urge for food for ETH publicity remained intact, with U.S. spot ETFs recording $111.2 million in post-event inflows by April 21, led by BlackRock’s ETH funds.
Key Takeaways
Three essential classes emerge:
- Cross-chain verifier configurations want the identical rigor as oracles to stop comparable exploits.
- Shared-liquidity fashions like Aave’s face amplified dangers throughout high-utilization occasions. Remoted-market designs, comparable to Morpho Blue, demonstrated larger resilience, limiting losses to $1 million.
- The wrapped token stack, significantly liquid staking derivatives, amplifies danger when cross-chain parts are concerned. Nevertheless, the broader LRT class held up, with no main repricing of stETH or associated property.
Aave’s governance now faces a pivotal resolution: learn how to allocate losses throughout stakeholders. Restoration of the frozen $71 million from the exploiter’s pockets may slim the injury and restore confidence within the protocol’s long-term viability.
Picture supply: Shutterstock