Aave Halts WETH Withdrawals After KelpDAO Exploit

A recent exploit of the KelpDAO liquid restaking protocol has led to a significant liquidity crunch in decentralized finance (DeFi) markets. The attack, which occurred on April 18, 2026, resulted in the theft of $292 million worth of rsETH tokens.

The attacker exploited a vulnerability in KelpDAO's cross-chain bridge built on LayerZero infrastructure and forged messages to release 116,500 rsETH without burning the corresponding tokens. The stolen tokens were then deposited as collateral into major lending protocols, including Aave V3, Compound V3, and Euler.

The unbacked rsETH tokens used to borrow massive amounts of Wrapped Ethereum (WETH) have left Aave with an estimated $177 million to $290 million in bad debt. To contain the fallout, Aave governance stepped in and froze all rsETH markets and WETH reserves across its V3 and V4 platforms on affected chains.

The incident has also led to a massive wave of withdrawals from Aave, with users pulling roughly $6.2 billion out of the platform. The native AAVE governance token crashed between 16% and 18% within 24 hours as large holders and whales dumped millions of dollars worth of the asset.