Why I withdrew everything from Aave this weekend


Full disclosure: I am a DeFi user with active exposure to Aave V3, including lent stablecoins and ETH. This is an opinion piece on how I withdrew, why I decided to pull all of it, and what I am watching now. This is not financial advice in any way. Do your own research, talk to a professional, and never act on a single article, including this one.

I spent most of Sunday morning, April 19, doing two things: refreshing DefiLlama and waiting for transactions to confirm.

By the time I got coffee, Aave had lost about $6.6 billion in deposits in under 24 hours, the WETH pool was at 100% utilization, and depositors were quietly being told that withdrawals might not work the way they expected. I was one of those depositors. I am no longer.

This is the story of how I got there, what I saw, and the reasoning behind pulling out entirely instead of waiting it out.

Related: Major DeFi hack becomes the largest of 2026 yet

The headline is misleading. Aave was not hacked. Its smart contracts performed exactly as written. The attack happened somewhere else and the damage rolled downhill into Aave like a flash flood.

On April 18, an attacker exploited a vulnerability in Kelp DAO’s cross-chain bridge, which uses LayerZero’s messaging infrastructure. By forging a message to the bridge’s lzReceive function, the attacker tricked the contract into releasing about 116,500 rsETH worth about $292 million to a wallet under their control, according to CoinDesk. Kelp’s team paused the contracts within the hour, but the rsETH was already gone.

Two follow-up attempts to drain another 80,000 rsETH were blocked by the freeze, sparing the ecosystem an additional $100 million or so in losses.

For readers new to this area of crypto, rsETH is a liquid restaking token. You give Kelp your ETH, Kelp routes it through EigenLayer to earn extra yield, and you get rsETH back as a receipt. That receipt is supposed to be redeemable, eventually, for the ETH backing it. Critically, rsETH on each Layer 2 was backed by the reserves sitting in Kelp’s mainnet bridge contract. When that bridge was drained, the receipts on 20-plus chains were left pointing at an empty vault.

Now the part that matters for Aave depositors. The attacker took the stolen rsETH and used it as collateral on Aave V3 to borrow as much WETH as the protocol would allow. Approximately $196 million in WETH walked out the door against rsETH that was, by then, backed by nothing. Smaller exposures showed up on Compound and Euler. The attacker consolidated the stolen funds into about 74,000 ETH and moved on.
