Share This Article
Aave did not get hacked. That may end up being the most important line in this whole story. But in crypto, being one step removed from the blast zone does not mean you escape the damage.
After the April 18 exploit tied to Kelp DAO’s rsETH, Aave became the clearest example of how quickly confidence can vanish when collateral assumptions break. Aave’s guardian froze rsETH and wrsETH reserves across its V3 deployments, set LTV to zero, and later froze WETH in several markets as risk teams tried to stop the stress from spreading further. Aave’s own incident report says its smart contracts were not compromised, and that the problem originated outside the protocol.
That distinction matters technically. It matters a lot less when billions are rushing for the exit.
Data cited across market coverage over the last two days shows Aave’s total value locked falling from roughly $26.4 billion on April 18 to near $20 billion on April 20, with some reports putting the outflow even higher as the panic spread. Coindesk reported a drop of more than $6 billion, while other market reports tied the wider exodus to as much as $8.6 billion to $10 billion leaving the protocol.
The market hit AAVE too. The token sold off sharply during the fallout, and it was trading around $92.93 on April 21, with an intraday range between $86.90 and $95.48.
At the center of this is rsETH, Kelp DAO’s liquid restaking token. According to Aave’s published incident report, affected Aave positions included 89,567 rsETH, valued at about $221.39 million, against 82,650 WETH, or about $190.86 million, plus a smaller amount of wstETH exposure. The report makes clear that the eventual bad debt outcome still depends on unresolved questions such as how losses are allocated, whether recovery funds materialize, and how redemptions reopen.
That uncertainty is the real problem.
In DeFi, a protocol does not need to fail at the contract level to suffer a crisis. It only needs to rely on an asset that suddenly stops behaving the way everyone modeled it. Once rsETH became a source of doubt, users did what crypto users always do when the rules feel unstable, they withdrew first and asked questions later. Aave responded quickly, but speed alone does not restore trust.
The broader market is now treating this as more than a Kelp story. It looks like a reminder that composability remains crypto’s greatest selling point and one of its deepest structural weaknesses. Kelp’s own protocol page on DefiLlama says rsETH is live across more than 10 major L2s and 40 plus DeFi platforms. That kind of distribution is great when things are calm. When something breaks, it turns one exploit into a system-wide stress test.
There is also a political layer to this now. Coindesk reported on April 21 that Arbitrum’s Security Council froze 30,766 ETH, worth about $71 million, linked to the exploit. That does not erase the damage, but it does suggest this story may still have a second chapter if recovery efforts gain traction.
For Aave, the uncomfortable truth is that this episode cuts both ways. On one hand, the protocol appears to have done what a mature DeFi venue is supposed to do under pressure. It moved fast, isolated risk, and kept its core contracts functioning. On the other hand, users were just reminded that “blue chip DeFi” still carries collateral-chain risk that can show up from somewhere completely external.
That is why this matters beyond the weekend chart damage.
Aave is supposed to be where size, liquidity, and risk frameworks make DeFi feel relatively grown up. If even Aave can see billions leave in a flash because a connected asset gets compromised elsewhere, then the industry still has a confidence problem it has not solved. Not a smart contract problem, not just a governance problem, a trust routing problem.
And trust, once it starts bridging out, is much harder to freeze.