Aave (AAVE) Suffers Historic Liquidity Freeze After rsETH Exploit

A forged LayerZero message targeting Kelp DAO on April 18, 2026, drained 116,500 rsETH ($292 million) and triggered the largest liquidity freeze in Aave's history. Within two hours, WETH liquidity on Aave V3 collapsed from $689 million to just $1.5 million. The protocol’s total available liquidity contracted by 41%, falling from $9.77 billion to $5.75 billion in 29 hours.

The attacker exploited a vulnerability in Kelp DAO’s rsETH Omnichain Fungible Token (OFT) adapter, using compromised LayerZero verifier nodes to forge a cross-chain message. The stolen rsETH was looped as collateral across Aave, Compound, and Euler, netting $236 million in WETH and wstETH before Kelp DAO paused operations. Aave’s automated systems functioned as designed, but the attack’s scale overwhelmed reserves, driving utilization to 100% and freezing liquidity.

Liquidity Collapse Stages

The liquidity squeeze unfolded in five stages:

• Pre-event baseline (17:00 UTC): Aave’s total available liquidity stood at $9.77 billion.
• Exploit window (18:00-19:00 UTC): Liquidity dropped $1.56 billion (-16%). WETH reserves plummeted by 99.8%.
• rsETH freeze to WETH freeze (19:00-03:00 UTC): Panic borrowing further drained $1.1 billion as USDT and USDC liquidity hit zero.
• Post-WETH freeze stabilization: The pace of withdrawals slowed, with reserves contracting by $538 million.
• Continued stabilization: Liquidity fell by $673 million, driven by wstETH and WBTC withdrawals.

The Protocol Guardian froze WETH borrowing at 02:28 UTC on April 19, nearly seven hours after reserves were exhausted. This action prevented further strain but also limited replenishment via new deposits.

Structural Risks Revealed

The incident exposed risks inherent in layered token systems like rsETH, which rely on multiple smart contracts, governance mechanisms, and cross-chain verifiers. A failure at the deepest layer—LayerZero’s verifier network—cascaded upward, leaving rsETH holders and Aave depositors exposed. Post-exploit analysis from LlamaRisk estimates bad debt between $123.7 million and $230.1 million, with ~$71 million frozen by the Arbitrum Security Council offering partial recovery potential.

Market Response

The broader DeFi ecosystem saw $13.2 billion wiped from total value locked (TVL) over 48 hours, driven by forced liquidations and asset withdrawals. AAVE, Aave’s governance token, dropped 21% from $115 to $90 during the event. Notably, institutional appetite for ETH exposure remained intact, with U.S. spot ETFs recording $111.2 million in post-event inflows through April 21, led by BlackRock’s ETH funds.

Key Takeaways

Three critical lessons emerge:

1. Cross-chain verifier configurations need the same rigor as oracles to prevent similar exploits.
2. Shared-liquidity models like Aave’s face amplified risks during high-utilization events. Isolated-market designs, such as Morpho Blue, demonstrated greater resilience, limiting losses to $1 million.
3. The wrapped token stack, particularly liquid staking derivatives, amplifies risk when cross-chain elements are involved. However, the broader LRT category held up, with no major repricing of stETH or related assets.

Aave’s governance now faces a pivotal decision: how to allocate losses across stakeholders. Recovery of the frozen $71 million from the exploiter’s wallet could narrow the damage and restore confidence in the protocol’s long-term viability.