Stolen tokens triggered a run on Aave, rattling confidence across crypto markets.
Dubai: A nearly $300 million hack involving a little-known crypto project has snowballed into a wider crisis of confidence across digital asset markets, leading to billions of dollars in withdrawals from one of the sector’s biggest lending platforms and prompting an industry-backed rescue effort.
The exploit, which targeted infrastructure connected to Kelp DAO, led to the theft of a derivative version of Ether known as rsETH. The attack centred on a cross-chain bridge developed by LayerZero, a type of software widely regarded as one of the most vulnerable points in the crypto ecosystem.
Security researchers, including PeckShield and Cyvers, said the scale and sophistication of the breach suggest the possible involvement of North Korea-linked hacking groups. The attackers were able to create around 116,500 rsETH tokens without underlying asset backing, severely damaging confidence in their value.
Collateral shock spreads
What followed broke from the usual pattern seen in past crypto breaches. Instead of quickly laundering or selling the stolen funds, the attackers deployed a large share of the tokens within decentralised lending markets. According to PeckShield, around $200 million worth of rsETH was deposited on Aave and used as collateral to borrow other cryptocurrencies, with total borrowing estimated at roughly $236 million.
That move sparked widespread concern among Aave users over the quality of the collateral backing those loans. Uncertainty over whether rsETH remained fully backed — or had effectively been created without real assets — raised questions about who would ultimately absorb any losses.
The response was swift. Data from DefiLlama showed Aave recorded roughly $9 billion in net outflows in the days following the hack, with total value locked on the platform falling by more than a third to around $17.5 billion. Some estimates placed total withdrawals closer to $10 billion as users rushed to exit their positions.
Run on liquidity
Market participants described the episode as the decentralised finance equivalent of a bank run. Pratik Kala, a portfolio manager at Apollo Crypto, said users focused on pulling funds rather than assessing risks as uncertainty spread.
“Depositors are running because Aave is carrying a hole it did not create,” Kala said. “Withdraw first, ask questions later is the golden rule.”
Aave said in a post on X that its analysis showed rsETH circulating on the Ethereum blockchain remained fully backed, while confirming that markets for the token had been frozen as a precaution. The platform did not immediately respond to further requests for comment.
Rescue effort builds
Even as withdrawals accelerated, efforts began to stabilise the system. According to blockchain analytics firm Arkham, Aave and several major crypto firms coordinated a recovery initiative that has raised nearly $160 million to cover bad debt linked to the incident.
The funding effort, which has not been formally announced, is aimed at restoring liquidity for the rsETH token and addressing losses tied to compromised collateral. Data from Arkham shows that a significant share of the funds — around 55,000 ETH, valued at roughly $127 million — came from the Aave and Mantle communities.
Stani Kulechov, founder of Aave, also contributed directly to the effort, pledging 5,000 ETH worth about $11.7 million at current prices. His involvement highlights the level of internal support for stabilising the protocol and containing broader fallout.
The central aim of the recovery plan is to remove the protocol’s impaired debt and restore user confidence. By replenishing liquidity tied to rsETH, participants hope to calm market panic and prevent further contagion across interconnected platforms.
Risks laid bare
The episode has renewed scrutiny of structural vulnerabilities within decentralised finance, particularly around cross-chain bridges. These systems, which enable asset transfers between blockchains, have repeatedly been targeted by attackers because of their complexity and the large concentration of funds they handle.
The latest incident adds to a string of major exploits this year. In March, Drift Protocol suffered losses of roughly $270 million after an attacker exploited a feature known as “durable nonces,” highlighting risks that extend beyond conventional software bugs.
Taken together, these incidents point to persistent weaknesses in DeFi infrastructure and the potential for isolated breaches to trigger system-wide stress. In this case, the use of compromised tokens as collateral amplified the damage, turning what began as a contained exploit into a broader liquidity crisis.
