Aave Grapples with Devastating Crypto Breach

A devastating breach has shaken the DeFi ecosystem, with Aave at its epicenter. On April 18, 2026, an attacker discovered and exploited a critical flaw in KelpDAO's LayerZero bridge infrastructure, fabricating 116,500 rsETH tokens without any legitimate underlying assets.

The perpetrator executed a sophisticated strategy, supplying approximately 90,000 fraudulent rsETH tokens to Aave as legitimate collateral. This enabled the withdrawal of roughly $190 million in ETH and additional cryptocurrencies across both Ethereum mainnet and Arbitrum networks. The maneuver trapped Aave with fundamentally valueless collateral, leading to a classic liquidity crisis reminiscent of traditional bank runs.

Aave's total value locked hemorrhaged approximately $10 billion almost immediately following the breach. By April 21, net capital outflows reached roughly $9 billion, with TVL collapsing from above $17.5 billion to approximately $14.3 billion. The contagion effect rippled throughout decentralized finance, with a total value locked contraction of approximately $13 billion across all DeFi lending platforms combined.