Crypto : The Kelp Hack Plunges Aave into Turmoil

Aave lost more than 6 billion dollars of deposits after the Kelp hack, and this is exactly what the crypto market is sanctioning today. The protocol was not hacked directly. But it faces a risk it did not create, which is enough to trigger a brutal capital flight and a drop in the AAVE token. According to CoinDesk and DefiLlama, Aave’s total value locked dropped from about 26.4 billion to less than 20 billion, while the token fell around 16%.

An external hack that ends up in Aave’s accounts

The starting point lies with Kelp. The attack targeted the rsETH bridge, not Aave’s smart contracts. About 116,500 rsETH, or nearly 292 million dollars, were drained, then used as collateral on Aave V3 to borrow wrapped ether. That is where the problem moved.

In short, Aave was not “hacked,” but it accepted as collateral an asset whose backing value disappeared elsewhere. This is an important technical nuance. For the market, it changes almost nothing. When collateral becomes doubtful, depositors seek the exit. And in crypto, this exit is often immediate.

The potential hole linked to Aave is estimated around 177 to 200 million dollars according to early assessments relayed this weekend. This is not an accounting detail. It is a loss hitting the heart of the largest lending protocol in DeFi, therefore an actor many still considered a relatively robust piece of the crypto infrastructure.

The real problem is not Kelp, but the risk model

This case goes beyond a simple incident. It shows that crypto risk never stops at the protocol you use. Aave integrated liquid restaking tokens because they yield returns and take a growing place in the Ethereum ecosystem. On paper, it seemed coherent. In practice, it added a dependency on an external link.

The problem is that risk models often work well in a normal scenario. They absorb price variations, liquidations, sometimes even volatility shocks. However, they manage much less well a situation where the collateral suddenly loses its credibility due to a compromised bridge on another layer of the system. That is exactly what this case highlights.

Aave remains massively concentrated on Ethereum. DefiLlama shows that Ethereum represents the largest share of its TVL, and CoinDesk also points out that WETH weighs heavily in its borrowing book. In other words, the attack did not hit a marginal pocket. It struck one of the most sensitive market pairs of the protocol.

The question is no longer just what happened. The real question is who will pay. Aave initially suggested that its safety reserve, Umbrella, could absorb the shock. Then the discourse was made more cautious. This change of tone was enough to instill doubt. And in decentralized finance, doubt quickly becomes very costly.